Laura
10/02/2023
This post was authored by our Director of Technology, Brad Freeman.
SenseOn’s in-depth analysis of the Gootkit malware family breaks down the Gootkit attack chain. Using SenseOn’s advanced telemetry, our cybersecurity analyst team was able to dissect the latest Gootkit attack methods.
SenseOn has a wide range of threat intelligence and security analytics to detect malware infections such as Gootkit. This article is a technical summary of the Gootkit infection chain, written to help security teams understand the risk Gootkit poses.
Gootkit is a family of Node.JS-based malware first described in 2014. Initially described as a “banking trojan,” Gootkit has evolved into a highly evasive info stealer and remote access trojan (RAT).
An interesting feature of Gootkit is its distribution method. Threat actors have been observed spreading Gootkit through advanced search engine optimization (SEO) poisoning.
To trick users into downloading Gootkit, threat actors hijack legitimate websites and push compromised web pages into real search engine results.
Gootkit threat actors create web pages and blog posts designed to appear on Google’s search engine results page when users search for specific queries.
These web pages answer specific search questions, e.g., “financial services in my city.” They then direct users to download compromised files related to their query, e.g., “the ultimate guide to financial services in my local city.pdf”.
Web pages poisoned with Gootkit tend to target victims within specific geographical areas and serve malicious content only to visitors whose IP address geolocates to the targeted region.
Once downloaded, Gootkit allows threat actors to record a user’s keystrokes (and, as a result, their passwords and login details) as well as a massive amount of technical information about their device and network configurations.
Recently, Gootkit has also been observed within ransomware attack chains.
Wider reporting on Gootkit indicates that after an initial intrusion, Gootkit can deploy additional final payloads such as REvil (Sodinokibi) ransomware, as well as malicious PowerShell scripts and fileless malware such as Cobalt Strike.
This wide range of potential malicious use cases was observed during a recent wave of cyber attacks on the Australian healthcare industry.
Gootkit spreads through SEO poisoning, in which an attacker manipulates search engine results to promote malicious content under search terms chosen to match their targets. In a recent campaign, victims were lured into downloading a .zip archive containing a hostile JavaScript file, which acts as the loader. The files are hosted on legitimate but compromised websites, a method likely used to evade many forms of content filtering.
A wide range of lures (which act as loaders) have been analysed. In every case, the keyword ‘agreement’ was used alongside terms common in the legal and financial sectors. This may indicate an element of targeting, or an attempt to make the lures more attractive to higher-value targets. All samples had a random ASCII string of between 2 and 5 characters appended to the filename to reduce the effectiveness of signature-based blocking.
Filenames observed in the recent campaign are shown below:
What_is_a_free_trade_agreement_for (<random string>).zip
Supplemental_agreement_pa_workers_compensation (<random string>).zip
Usmca_trade_agreement_summary (<random string>).zip
What_is_an_api_license_agreement (<random string>).zip
Subject_verb_agreement_worksheets_with_answers_grade_5 (<random string>).zip
Coal_offtake_agreement_sample (<random string>).zip
Online_rent_agreement_service_pune (<random string>).zip
Shared_facility_use_agreement (<random string>).zip
Sample_family_mediation_agreement (<random string>).zip
Microsoft_ea_agreement_levels (<random string>).zip
Which_sentence_has_proper_subject-verb_agreement (<random string>).zip
How_to_cite_a_collective_bargaining_agreement_in_apa (<random string>).zip
Safety_data_exchange_agreement_template (<random string>).zip
What_is_the_use_of_subject_verb_agreement_in_spoken_language (<random string>).zip
Single_family_purchase_and_sales_agreement_rhode_island_association_of (<random string>).zip
Analysing submitted samples on VirusTotal indicates that many Gootkit loaders have a low detection rate when scanned by traditional anti-virus systems.
Upon extracting the downloaded zip archive, the victim is presented with a JavaScript file carrying the same filename lure as its parent zip. If at this stage the user runs the .js file on their endpoint, the attacker gains access to the environment via User Execution.
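The lure traits described above (an ‘agreement’ filename with a random 2–5 character tag, a single script inside the archive that mirrors the archive name, and a small archive that expands to more than twice its size) can be turned into a static triage check that never executes the script. The following is an added example written for this article, not SenseOn’s tooling or code from the campaign; the regular expression, the scoring thresholds and the constructed sample archive are assumptions, and the placeholder script inside the constructed zip is harmless.

```python
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field

# Lure archive naming pattern from the analysis above: snake_case words containing
# "agreement", a space, a parenthesised 2-5 character ASCII tag, then ".zip".
LURE_NAME_RE = re.compile(
    r"^(?P<stem>[A-Za-z0-9_\-]*agreement[A-Za-z0-9_\-]*) \((?P<tag>[A-Za-z0-9]{2,5})\)\.zip$",
    re.IGNORECASE,
)
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "vbs"}


@dataclass
class ArchiveVerdict:
    suspicious: bool
    score: int
    reasons: list[str] = field(default_factory=list)


def assess_lure_archive(archive_name: str, archive_bytes: bytes) -> ArchiveVerdict:
    """Score a downloaded .zip against the lure traits described above without
    executing anything: keyword + random tag in the name, a single script member
    whose stem mirrors the archive name, and a high expansion ratio (padding)."""
    score, reasons = 0, []
    m = LURE_NAME_RE.match(archive_name)
    if m:
        score += 1
        reasons.append(f"filename matches lure pattern (tag={m.group('tag')!r})")
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return ArchiveVerdict(False, 0, ["not a zip archive"])
    if len(members) == 1:
        member = members[0]
        name = member.filename.rsplit("/", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if ext.lower() in SCRIPT_EXTENSIONS:
            score += 1
            reasons.append(f"single script member: {name}")
            lure_stem = m.group("stem") if m else archive_name[: -len(".zip")]
            if stem.lower().startswith(lure_stem.lower()):
                score += 1
                reasons.append("script stem mirrors archive name")
            if member.compress_size and member.file_size / member.compress_size > 2:
                # Informational only: the ~20KB -> ~50KB expansion is noted in the analysis.
                reasons.append(f"expands {member.file_size / member.compress_size:.1f}x")
    return ArchiveVerdict(score >= 2, score, reasons)


def build_constructed_lure(tag: str = "k3x") -> tuple[str, bytes]:
    """Constructed stand-in for a lure archive (harmless placeholder script,
    not a real Gootkit sample) used to exercise the checks offline."""
    stem = "Coal_offtake_agreement_sample"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{stem} ({tag}).js", "// placeholder\n" + "var pad = 0;\n" * 2000)
    return f"{stem} ({tag}).zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_constructed_lure()
    print(name, assess_lure_archive(name, data))
```

The score requires two independent traits before a verdict of suspicious, so an archive that merely contains one script, or merely has ‘agreement’ in its name, is not flagged on its own; in a mail or proxy gateway this check belongs alongside, not instead of, detonation and reputation lookups.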
The downloaded zip archive is approximately 20KB and expands to 50KB when unpacked. Roughly 50% of the file is legitimate code that is not part of the loader, most likely included to divert analysis efforts. The legitimate code SenseOn observed is from a version of the open source D3 JavaScript library released over 10 years ago (version 2.7.5), with many of the function and variable names replaced to obfuscate the malicious JavaScript contained within the file.
[Figure: d3.js versions up until 2.8.0]

Gootkit has a very effective persistence mechanism.
After execution, Gootkit randomly selects a single URL from a list of up to 50 remote locations and downloads a second JavaScript file. To achieve persistence, Gootkit creates a start-up item called DEVICE~1.JS.
Additionally, a new scheduled task is added to the system with a randomly generated but legitimate-sounding name such as Trading System Development. The JavaScript file called by the scheduled task (wscript DEVICE~1.JS) was stored in C:\Users\<username>\AppData\Roaming\<vendor>, where <vendor> was chosen from software provider names that appear legitimate, such as Microsoft, WinRAR and Adobe.
Gootkit then launches PowerShell.exe with the case of the executable name altered (Windows file names are case-insensitive), so the running process appears as pOWeRshelL.exe; this is a basic method of evading weak signature-based detections.
The DEVICE~1.JS script injects itself into an svchost.exe process and connects to a new list of up to 50 command and control servers. External connections are then sourced directly from pOWeRshelL.exe and svchost.exe.
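The persistence and execution chain above (a scheduled task running wscript on a .js under AppData\Roaming\<vendor>, PowerShell launched under altered casing, and external connections from script-spawned processes) translates into a small set of endpoint rules. The following is an added example for this article, not SenseOn’s detection content; the event format, the allowlist of accepted spellings and the three sample events are constructed assumptions, and the real PowerShell arguments are not reproduced. The contrast between naive_is_powershell and is_powershell shows why the case trick defeats exact-string rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the started process, as the sensor reports it
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Persistence path from the analysis: C:\Users\<user>\AppData\Roaming\<vendor>\DEVICE~1.JS,
# with <vendor> attacker-chosen, so match any .js under a roaming profile subfolder.
ROAMING_JS_RE = re.compile(
    r'\\users\\[^\\]+\\appdata\\roaming\\(?:[^\\]+\\)*[^\\ "]+\.js\b', re.IGNORECASE
)


def rule_roaming_js_script_host(ev: ProcessEvent) -> bool:
    """wscript/cscript executing a .js from a per-user roaming profile directory."""
    return basename(ev.image).lower() in SCRIPT_HOSTS and bool(ROAMING_JS_RE.search(ev.command_line))


def naive_is_powershell(ev: ProcessEvent) -> bool:
    # Brittle: exact-case comparison, which is exactly what pOWeRshelL.exe defeats.
    return basename(ev.image) == "powershell.exe"


def is_powershell(ev: ProcessEvent) -> bool:
    # Windows file names are case-insensitive, so normalise before comparing.
    return basename(ev.image).lower() in POWERSHELL


def rule_script_host_spawns_powershell(ev: ProcessEvent) -> bool:
    """PowerShell started by a script host: the wscript -> PowerShell hop described above."""
    return is_powershell(ev) and basename(ev.parent_image).lower() in SCRIPT_HOSTS


# Constructed allowlist of spellings your telemetry normally reports; build it from
# your own baseline before using this as more than an enrichment signal.
ACCEPTED_SPELLINGS = {
    "powershell.exe": {"powershell.exe", "PowerShell.exe"},
    "svchost.exe": {"svchost.exe"},
    "wscript.exe": {"wscript.exe", "WScript.exe"},
}


def rule_unusual_image_casing(ev: ProcessEvent) -> bool:
    """Known system binary launched under a casing not seen in the baseline."""
    name = basename(ev.image)
    accepted = ACCEPTED_SPELLINGS.get(name.lower())
    return accepted is not None and name not in accepted


RULES = {
    "roaming_js_script_host": rule_roaming_js_script_host,
    "script_host_spawns_powershell": rule_script_host_spawns_powershell,
    "unusual_image_casing": rule_unusual_image_casing,
}


def evaluate(events: list[ProcessEvent]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed process-creation events modelled on the chain described above
# (not real sensor output).
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\wscript.exe",
        parent_image=r"C:\Windows\System32\svchost.exe",  # Task Scheduler service host
        command_line=r'wscript "C:\Users\alice\AppData\Roaming\WinRAR\DEVICE~1.JS"',
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\pOWeRshelL.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
        command_line="pOWeRshelL.exe",
    ),
    ProcessEvent(  # benign: an administrator opening PowerShell from Explorer
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe",
    ),
]

if __name__ == "__main__":
    for rule_name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {SAMPLE_EVENTS[idx].image}")
```

The first two rules are behavioural and do not depend on the randomised task name or vendor folder, which is what makes them durable across samples; the casing rule is weaker and is best used to raise the priority of an alert the other rules already produced.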
All command and control servers extracted from the sample called back to xmlrpc.php scripts, the XML-RPC endpoint found in WordPress installations. Samples in other campaigns call back to different URLs. The server list is held in an array inside the JavaScript file.
Each connection to the command and control server carries a unique identifier for the device. Other variables are sent in a Base64-encoded cookie, including:
The variables are commented inline in the extract of the deobfuscated script below, as observed by the SenseOn analyst team.
Gootkit command and control traffic is sent over HTTP and TLS. The HTTP user agent is set to mimic a Windows system running a recent version of the Google Chrome browser (version 107). A connection to the command and control servers is made once every 20 seconds.
SenseOn’s unified telemetry can observe the traffic from the source process being sent to the command and control servers.
[Figure: connections from pOWeRshelL.exe to command and control servers]

Our analysis of recent Gootkit activity indicates the possibility of targeting the financial and legal sectors. By spreading its lures on compromised websites and weaving malicious code alongside legitimate code, it is likely to evade many web filters. Due to its prevalence, any large organisation in the finance or legal sector is likely to have Gootkit downloads. We have observed it bypassing traditional anti-virus, and preventative controls alone are unlikely to prevent infection.
Because each infected host spreads its connections across multiple command and control servers at a rate of only one every 20 seconds, the number of connections may stay below the threshold at which network analysis alone would detect them. Organisations should assess their susceptibility to the TTPs discussed above.
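The low-rate, multi-server beaconing just described is the reason per-destination thresholds miss it: no single server sees more than a couple of hits. Aggregating outbound connections per source host across all destinations and checking their cadence recovers the 20-second pattern. The following is an added example for this article, not SenseOn’s analytics; the log line format, the host and domain names (reserved .example names, not the observed infrastructure) and the tolerance values are constructed assumptions.

```python
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    process: str
    dst: str
    path: str


# Constructed connection log (not SenseOn output). Fields:
# epoch_seconds src_host source_process dst_host url_path
CONSTRUCTED_LOG = """\
1675000000 ws-finance-07 pOWeRshelL.exe c2-a.example /xmlrpc.php
1675000020 ws-finance-07 svchost.exe c2-b.example /xmlrpc.php
1675000041 ws-finance-07 pOWeRshelL.exe c2-c.example /xmlrpc.php
1675000060 ws-finance-07 svchost.exe c2-a.example /xmlrpc.php
1675000081 ws-finance-07 pOWeRshelL.exe c2-d.example /xmlrpc.php
1675000100 ws-finance-07 svchost.exe c2-b.example /xmlrpc.php
1675000121 ws-finance-07 pOWeRshelL.exe c2-e.example /xmlrpc.php
1675000005 ws-legal-02 chrome.exe news.example /article
1675000042 ws-legal-02 chrome.exe shop.example /cart
1675000316 ws-legal-02 chrome.exe news.example /article
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_log(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, proc, dst, path = line.split()
            conns.append(Conn(int(ts), src, proc, dst, path))
    return conns


def interval_stats(timestamps: list[int]) -> tuple[int, float, float] | None:
    """(event count, median gap, coefficient of variation of gaps); None if too few events.
    A coefficient of variation near 0 means machine-regular timing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    med = statistics.median(gaps)
    cv = statistics.pstdev(gaps) / med if med else float("inf")
    return len(ts), med, cv


def find_beaconing(conns: list[Conn], expected: float = 20, tolerance: float = 0.25,
                   max_cv: float = 0.2, min_events: int = 5) -> dict[str, dict]:
    """Group per SOURCE host across all destinations, then flag hosts whose overall
    outbound cadence is close to `expected` seconds with little jitter."""
    by_src: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    hits = {}
    for src, items in by_src.items():
        stats = interval_stats([c.ts for c in items])
        if stats is None:
            continue
        n, med, cv = stats
        if n >= min_events and abs(med - expected) <= expected * tolerance and cv <= max_cv:
            hits[src] = {
                "events": n,
                "median_interval": med,
                "cv": round(cv, 3),
                "distinct_destinations": len({c.dst for c in items}),
                # xmlrpc.php requested by something other than a browser is the
                # process/URL combination described in the analysis
                "xmlrpc_from_non_browser": sorted({
                    c.process for c in items
                    if c.path.endswith("xmlrpc.php") and c.process.lower() not in BROWSERS
                }),
            }
    return hits


def max_per_pair(conns: list[Conn]) -> int:
    """Highest count for any single (source, destination) pair: the view a
    per-destination threshold would see."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for c in conns:
        counts[(c.src, c.dst)] += 1
    return max(counts.values())


if __name__ == "__main__":
    conns = parse_log(CONSTRUCTED_LOG)
    print("max hits to any one destination:", max_per_pair(conns))
    print("beaconing hosts:", find_beaconing(conns))
```

On the constructed log, no source/destination pair exceeds two connections, yet the per-host view exposes ws-finance-07 as a regular 20-second beacon to five different destinations from non-browser processes. In production the xmlrpc.php condition can be narrowed to the observed URLs listed below, but the cadence check is what survives a change of infrastructure.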
hxxp[:]//fx-arabia[.]com/xmlrpc.php
hxxps[:]//yespornplease[.]tv/xmlrpc.php
hxxp[:]//bip[.]podkowalesna[.]pl/xmlrpc.php
hxxp[:]//nmm[.]pl/xmlrpc.php
hxxp[:]//mgplastcutlery[.]com/xmlrpc.php
hxxps[:]//ruscred[.]site/xmlrpc.php
hxxps[:]//mgplastcutlery[.]com/xmlrpc.php
hxxp[:]//educabla[.]com/xmlrpc.php
hxxps[:]//educabla[.]com/xmlrpc.php
hxxp[:]//clearchoiceairtreatment[.]com/xmlrpc.ph
hxxp[:]//blog[.]ddlab[.]net/xmlrpc.php
hxxps[:]//sayhueque[.]com/xmlrpc.php
hxxps[:]//nmm[.]pl/xmlrpc.php
hxxps[:]//fx-arabia[.]com/xmlrpc.php
hxxps[:]//emitrablog[.]com/xmlrpc.php
hxxps[:]//bankr[.]in/xmlrpc.php
hxxp[:]//phizyx[.]com/xmlrpc.php
hxxp[:]//naijafinix[.]com/xmlrpc.php
hxxp[:]//lianfidarkia[.]ir/xmlrpc.php
hxxp[:]//drinksoma[.]co[.]za/xmlrpc.php
hxxp[:]//measureschool[.]com/xmlrpc.php
hxxp[:]//blammoplus[.]com/xmlrpc.php
hxxps[:]//estrucadbim[.]com/xmlrpc.php
hxxps[:]//cloturesolival[.]com/xmlrpc.php
hxxps[:]//mustpanter[.]ee/xmlrpc.php
hxxps[:]//schafwolle-wendelstein[.]de/xmlrpc.php
hxxps[:]//bluenoteatsea[.]com/xmlrpc.php
hxxp[:]//allpress[.]com[.]ar/xmlrpc.php
hxxps[:]//deepstatetribunal[.]com/xmlrpc.php
hxxp[:]//www[.]ultramobile[.]com/xmlrpc.php
hxxp[:]//www[.]clarencehouse[.]com[.]au/xmlrpc.php
hxxp[:]//www[.]gettrymarcus[.]com/xmlrpc.php
hxxp[:]//coursetool[.]org/wordpress/xmlrpc.php
hxxps[:]//mepyd[.]gob[.]do/xmlrpc.php
hxxp[:]//apollo111[.]ro/xmlrpc.php
hxxp[:]//uncos[.]fr/xmlrpc.php
hxxp[:]//cowot[.]testsaitov[.]com/xmlrpc.php
hxxp[:]//biologyhacker[.]com/xmlrpc.php
hxxp[:]//anale[.]steconomiceuoradea[.]ro/xmlrpc.php
hxxp[:]//daxu[.]net/xmlrpc.php
hxxps[:]//varshithainterio[.]com/xmlrpc.php
hxxps[:]//demonslayer-mangaonline[.]com/xmlrpc.php
hxxps[:]//metropolitan[.]realestate/xmlrpc.php
hxxps[:]//biserica2[.]ro/xmlrpc.php
hxxp[:]//sayhueque[.]com/xmlrpc.php
hxxps[:]//metropolitan[.]realestate/xmlrpc.php
hxxps[:]//blog[.]sientetusfilins[.]com/xmlrpc.php
hxxps[:]//autori[.]blendmagazine[.]it/xmlrpc.php
hxxp[:]//vpchandler[.]com/xmlrpc.php
hxxps[:]//naserabadi[.]com/xmlrpc.php
hxxps[:]//zyto[.]com/xmlrpc.php
hxxp[:]//0nlinenews[.]com/xmlrpc.php
hxxps[:]//www[.]scomb[.]com/xmlrpc.php
hxxp[:]//dc3common[.]sakura[.]ne[.]jp/wp/xmlrpc.php
hxxps[:]//www[.]wellandgood[.]com/xmlrpc.php
hxxp[:]//blog[.]cheny[.]org/xmlrpc.php
hxxp[:]//envotech[.]net/xmlrpc.php
hxxp[:]//www[.]apteka[.]ua/article/82849
hxxp[:]//crackgpsc[.]com/recruitment/xmlrpc.php
hxxp[:]//plug-torrent[.]com/xmlrpc.php
hxxp[:]//www[.]cashanalytics[.]com/xmlrpc.php
hxxp[:]//ciorsdan[.]com/wp/xmlrpc.php
hxxps[:]//pomelo[.]com[.]pl/xmlrpc.php
hxxps[:]//pornimgur[.]com/xmlrpc.php
hxxp[:]//cpbrandindia[.]com/xmlrpc.php
hxxps[:]//marketpress[.]de/xmlrpc.php
hxxps[:]//rewardsadvisor[.]com/xmlrpc.php
hxxps[:]//edufolios[.]org/xmlrpc.php
hxxps[:]//gamingbeasts[.]com/xmlrpc.php
hxxps[:]//seomodern[.]ru/xmlrpc.php