
Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms

13 September 2021 at 16:33

By Antonio Pirozzi and Antonio Cocomazzi

Executive Summary

  • New ZLoader campaign has a stealthier distribution mechanism which deploys a signed dropper with lower rates of detection.
  • The campaign primarily targets users of Australian and German banking institutions.
  • The new infection chain implements a stager which disables all Windows Defender modules.
  • The threat actor uses a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload and lower the chance of detection.
  • SentinelLabs identified the entire infrastructure of the ‘Tim’ botnet, composed of more than 350 recently-registered C2 domains.

Read the Full Report

Introduction

ZLoader (also known as Terdot) was first discovered in 2016 and is a fork of the infamous Zeus banking trojan. It is still under active development. A multitude of different versions have appeared since December 2019, with an average frequency of 1-2 new versions released each week.

ZLoader is a typical banking trojan which implements web injection to steal cookies, passwords and any sensitive information. It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware. Newer versions implement a VNC module which permits users to open a hidden channel that gives the operators remote access to victim systems. ZLoader relies primarily on dynamic data exchange (DDE) and macro obfuscation to deliver the final payload through crafted documents.

A recent evolution of the infection chain included the dynamic creation of agents, which download the payload from a remote server. The new infection chain observed by SentinelLabs demonstrates a higher level of stealth by disabling Windows Defender and relying on living-off-the-land binaries and scripts (LOLBAS) in order to evade detection. During our investigation, we were also able to map all the new ZLoader C2 infrastructure related to the ‘Tim’ botnet and identify the scope of the campaign and its objectives, which primarily involved stealing bank credentials from customers of European banks.

Overview of the ZLoader infection chain

Technical Analysis

The malware is downloaded from a Google advertisement published through Google Adwords. In this campaign, the attackers use an indirect way to compromise victims instead of using the classic approach of compromising the victims directly, such as by phishing.

We observed the following pattern of activity that leads to infection:

  • The user performs a search on www.google.com to find a website to download the required software from; in our case, we observed a search for “team viewer download”.
  • The user clicks on an advertisement shown by Google and is redirected to the fake TeamViewer site under the attacker’s control.
  • The user is tricked into downloading the fake software in a signed MSI format.

Once the user clicks on the advertisement, it redirects through Google's aclk page. This redirect demonstrates the attackers' use of Google Adwords to gain traffic:

hxxps://www.google.com/aclk?sa=L&ai=DChcSEwiMusngi8_yAhVbbm8EHYpXDh0YABABGgJqZg&ae=2&sig=AOD64_05er1E772xSHdHTQn_3lAIdsmPxA&q&adurl&ved=2ahUKEwjV8cHgi8_yAhXPaM0KHTCBDeAQ0Qx6BAgCEAE&dct=1

After further navigation (and redirects), the malicious Team-Viewer.msi is downloaded from the final URL hxxps://team-viewer.site/download/Team-Viewer.msi.

The downloaded file is a fake TeamViewer installer signed on 2021-08-23 10:07:00. It appears that the cybercriminals managed to obtain a valid certificate issued by Flyintellect Inc, a Software company in Brampton, Canada. The company was registered on 29th June 2021, suggesting that the threat actor possibly registered the company for the purpose of obtaining those certificates.

Pivoting from this certificate, we were able to spot other samples signed with the same certificate. These other samples suggest that the attackers had multiple campaigns ongoing beyond TeamViewer, including fakes such as JavaPlug-in.msi, Zoom.msi, and discord.msi.

At the time of writing, these four samples have no detections on VirusTotal (a complete list of IoCs can be found in the full report).

New Zloader Infection Chain Bypasses Defences

The .msi file is the first stage dropper which runs an installation wizard. It creates random legitimate files in the directory C:\Program Files (x86)\Sun Technology Network\Oracle Java SE. Once the folder has been created, it will drop the setup.bat file, triggering the initial infection chain by executing cmd.exe /c setup.bat.

This initiates the second stage of the infection chain, downloading the dropper updatescript.bat through the PowerShell cmdlet Invoke-WebRequest, from hxxps://websekir.com/g00glbat/index/processingSetRequestBat/?servername=msi. The dropper then executes the third stage with the command cmd /c updatescript.bat.

The third stage dropper contains most of the logic to impair the defenses of the machine. It also drops the fourth stage using a stealthy execution technique. At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-MpPreference to hide all the components of the malware from Windows Defender.

At this point the fourth stage dropper is downloaded from the URL hxxps://pornofilmspremium.com/tim.EXE and saved as tim.exe. The execution of tim.exe is done through the LOLBAS command explorer.exe tim.exe. This allows the attacker to break the parent/child correlation often used by EDRs for detection.

The first part of the attack chain

The tim.exe binary is a backdoored version of the Windows utility wextract.exe. This backdoored version contains extra embedded resources with names like “RUNPROGRAM”, “REBOOT”, and “POSTRUNPROGRAM”, among others.

Resources embedded in the tim.exe binary (left) and legit wextract.exe(right)

This backdoored version contains additional code for creating a new malicious batch file with the name tim.bat. It is placed in a temporary directory retrieved with the Win32 function GetTempPath(). It retrieves the content of the resource “RUNPROGRAM” (containing the string value cmd /c tim.bat) and uses it as the command line parameter for the CreateProcess() Win32 function.

The tim.bat file is a very short script that downloads the final ZLoader DLL payload with the name tim.dll from the URL hxxps://pornofilmspremium.com/tim.dll and executes it through the LOLBAS command regsvr32 tim.dll. This allows the attackers to proxy the execution of the DLL through a signed binary by Microsoft.

This dropper downloads the script nsudo.bat from hxxps://pornofilmspremium.com/nsudo.bat and runs asynchronously in parallel with the execution of tim.dll. The script aims to further impair defenses of the machine.

Privilege Escalation and Defense Evasion

The nsudo.bat script performs multiple operations with the goal of elevating privileges on the system and impairing defenses.

At first, it checks whether the current execution context is privileged by verifying access to the SYSTEM hive. This is done through %SYSTEMROOT%\system32\cacls.exe %SYSTEMROOT%\system32\config\system. If the process it runs in has no access to that hive, it jumps to the label :UACPrompt.

This part of the script implements an auto elevation VBScript that aims to run an elevated process in order to make system changes. The snippet of the script in charge of the UACPrompt feature is as follows:

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    set params = %*:"="
    echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B

This snippet creates the VBScript getadmin.vbs, runs it and deletes it. Using a VBScript eases the interaction with COM objects. In this case, it instantiates a Shell.Application object and calls the function ShellExecute() to trigger the UAC elevation and the interaction with the AppInfo service.

Once the elevation occurs the script is run with elevated privileges. At this point, the script performs the steps to disable Windows Defender. It does this through a software utility called NSudo renamed as javase.exe, which is downloaded from the URL hxxps://pornofilmspremium.com/javase.exe. The attacker leverages this utility in order to spawn a process with “TrustedInstaller” privileges. This can be abused by the attacker to disable the Windows Defender service even if it runs as a Protected Process Light.

The script downloads the file autorun100.bat from and places it in the startup folder %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. This script ensures that the WinDefend service is deleted at the next boot through the utility NSudo.

The nsudo.bat script also completely disables UAC by setting the following registry key to 0:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

In order to have these changes take effect, the computer is forced to restart. The nsudo.bat script does this with shutdown.exe /r /f /t 00. At this point, the attack chain of the script nsudo.bat is complete.

ZLoader Payload Execution Chain

The tim.dll is the main ZLoader payload that encapsulates the unpacking logic and adds persistence. It is executed through the system signed binary regsvr32.exe.

It first creates a directory with a random name inside %APPDATA% and then creates a copy of itself in the newly created directory. It then adds a new registry key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The registry key value contains the command line of the malicious process to spawn on user logon. This ensures that the attacker’s implant survives machine reboots. The DLL execution also relies on the regsvr32 binary. This is an example of the registry key created on a single run of the sample:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Iwalcac
value: regsvr32.exe /s C:\Users\[REDACTED]\AppData\Roaming\Kyubt\otcyovw.dll
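The dropper chain (Defender disabled via Set-MpPreference, broad Add-MpPreference exclusions, explorer.exe proxying tim.exe, regsvr32 loading tim.dll, EnableLUA zeroed, forced reboot) and the regsvr32 Run-key persistence above each leave a distinct endpoint footprint. The following is an added hunting example, not SentinelLabs code: it runs simple rules over constructed events shaped like flattened Sysmon process-creation and registry-set records (the field names and sample values are assumptions).

```python
"""Hunting checks for the ZLoader dropper chain and persistence described above.

Added example, not code from SentinelLabs. Events are constructed to mimic
Sysmon process-creation (EventID 1) and registry value-set (EventID 13)
records flattened to dicts; field names and values are assumptions. The rules
encode only the behaviours the write-up names.
"""
import re

# Set-MpPreference used to switch Defender modules off
DEFENDER_DISABLE = re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)
# Add-MpPreference excluding whole extensions (*.exe, *.dll) or regsvr32
BROAD_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion\w+\b.*(\*\.(?:exe|dll)|regsvr32)", re.I)
# user-writable locations the payloads are dropped to (%TEMP%, %APPDATA%)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.I)


def check_process(ev):
    """Return the rule names matched by one process-creation event."""
    hits = []
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "").lower()
    if DEFENDER_DISABLE.search(cmd):
        hits.append("defender_modules_disabled")
    if BROAD_EXCLUSION.search(cmd):
        hits.append("defender_broad_exclusion")
    # explorer.exe as parent of an .exe in a user-writable dir: the
    # 'explorer.exe tim.exe' trick that breaks the cmd.exe -> tim.exe lineage
    if parent.endswith("\\explorer.exe") and USER_WRITABLE.search(image) and image.lower().endswith(".exe"):
        hits.append("explorer_proxied_launch")
    # regsvr32 proxying a DLL that lives in a user-writable directory
    if image.lower().endswith("\\regsvr32.exe") and USER_WRITABLE.search(cmd):
        hits.append("regsvr32_user_writable_dll")
    # forced immediate reboot used to make the Defender/UAC changes stick
    if image.lower().endswith("\\shutdown.exe") and re.search(r"/r\b", cmd) and re.search(r"/f\b", cmd):
        hits.append("forced_reboot")
    return hits


def check_registry(ev):
    """Return the rule names matched by one registry value-set event."""
    hits = []
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    # Run key whose value is 'regsvr32.exe /s <dll under %APPDATA%>'
    if re.search(r"\\CurrentVersion\\Run\\", target, re.I) \
            and re.search(r"regsvr32(?:\.exe)?\s+/s\s+", details, re.I) \
            and USER_WRITABLE.search(details):
        hits.append("run_key_regsvr32_persistence")
    # EnableLUA set to 0 (UAC fully disabled); Sysmon renders DWORDs as 'DWORD (0x...)'
    if re.search(r"\\Policies\\System\\EnableLUA$", target, re.I) \
            and re.search(r"0x0{8}\)?$|\b0$", details.strip()):
        hits.append("uac_disabled_via_registry")
    return hits


def scan(events):
    """Run both rule sets over a list of events; returns (rule, subject) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            hits, subject = check_registry(ev), ev.get("TargetObject")
        else:
            hits, subject = check_process(ev), ev.get("Image")
        findings.extend((h, subject) for h in hits)
    return findings


# constructed sample events following the chain in the write-up (last one is benign)
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"},
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionExtension *.exe,*.dll -ExclusionProcess regsvr32"},
    {"type": "process", "Image": r"C:\Users\victim\AppData\Local\Temp\tim.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "tim.exe"},
    {"type": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32 C:\Users\victim\AppData\Local\Temp\tim.dll"},
    {"type": "process", "Image": r"C:\Windows\System32\shutdown.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "shutdown.exe /r /f /t 00"},
    {"type": "registry", "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Iwalcac",
     "Details": r"regsvr32.exe /s C:\Users\victim\AppData\Roaming\Kyubt\otcyovw.dll"},
    {"type": "registry", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"type": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\lib.dll"},
]

if __name__ == "__main__":
    for rule, subject in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {subject}")
```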

Then it starts the unpacking by leveraging a process injection technique known as Thread Hijacking. It contains a small variation but essentially uses the same pattern of Win32 API calls used for Thread Hijacking:

VirtualAllocEx() -> WriteProcessMemory() -> GetThreadContext() -> SetThreadContext() -> ResumeThread()

It first creates a new process to host the unpacked DLL; for this sample it uses a new instance of msiexec.exe. It then allocates and writes two RWX memory regions inside the target process. One contains the unpacked version of the DLL XOR'ed with a key; the second contains shellcode that decrypts the DLL and jumps to its entry point.

The unpacking routine

Once the memory is written in the remote process it sets the new thread context EIP to point to the unpacking routine shellcode and resumes the main thread of msiexec. This is how the hijacking of the main thread occurs. The unpacked DLL is extracted from the memory of msiexec.exe process by dumping the memory address used in the first WriteProcessMemory() call.
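The API sequence above (VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread, all aimed at another process) is the observable a sandbox or EDR trace can key on. The following is an added example, not SentinelLabs code: it matches that sequence per (caller, target) pair in a constructed API trace, requiring an executable allocation and a write before the context swap. The "pid= api= target= prot=" line format is an assumption, and target is taken to be the pid owning the handle passed to each call.

```python
"""Detect the cross-process thread-hijacking sequence described above in an API trace.

Added example, not SentinelLabs code. Trace lines are constructed; the format
"pid=.. api=.. target=.. prot=.." is an assumption and 'target' is taken to be
the pid that owns the handle each call receives. A sequence is reported when,
for one (caller, target) pair, at least one executable VirtualAllocEx and one
WriteProcessMemory precede GetThreadContext, followed by SetThreadContext and
ResumeThread, which is the pattern the write-up attributes to the unpacker.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)(?:\s+target=(?P<target>\d+))?(?:\s+prot=(?P<prot>\w+))?"
)
EXEC_PROT = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE"}


def parse(lines):
    """Yield one dict per well-formed trace line; malformed lines are skipped."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.groupdict()


def _fresh():
    return {"exec_allocs": 0, "writes": 0, "got_ctx": False, "set_ctx": False}


def find_thread_hijacks(lines):
    """Return (caller_pid, target_pid, exec_allocs, writes) for each completed sequence."""
    state = defaultdict(_fresh)
    found = []
    for ev in parse(lines):
        if ev["target"] is None:  # intra-process calls are not of interest here
            continue
        st = state[(ev["pid"], ev["target"])]
        api = ev["api"]
        if api == "VirtualAllocEx" and ev["prot"] in EXEC_PROT:
            st["exec_allocs"] += 1  # RWX / RX region created in the remote process
        elif api == "WriteProcessMemory":
            st["writes"] += 1       # payload or decrypt stub copied in
        elif api == "GetThreadContext" and st["exec_allocs"] and st["writes"]:
            st["got_ctx"] = True    # context read only counts after memory prep
        elif api == "SetThreadContext" and st["got_ctx"]:
            st["set_ctx"] = True    # EIP/RIP redirected into the written region
        elif api == "ResumeThread" and st["set_ctx"]:
            found.append((int(ev["pid"]), int(ev["target"]), st["exec_allocs"], st["writes"]))
            st.update(_fresh())     # a later sequence on the same pair is reported again
    return found


# constructed trace: regsvr32 (4120) hollowing a suspended msiexec (5212) the way the
# write-up describes, followed by an unrelated, non-executable remote write (7000 -> 7100)
SAMPLE_TRACE = """
pid=4120 api=CreateProcessW target=5212 flags=CREATE_SUSPENDED
pid=4120 api=VirtualAllocEx target=5212 prot=PAGE_EXECUTE_READWRITE
pid=4120 api=WriteProcessMemory target=5212
pid=4120 api=VirtualAllocEx target=5212 prot=PAGE_EXECUTE_READWRITE
pid=4120 api=WriteProcessMemory target=5212
pid=4120 api=GetThreadContext target=5212
pid=4120 api=SetThreadContext target=5212
pid=4120 api=ResumeThread target=5212
pid=7000 api=VirtualAllocEx target=7100 prot=PAGE_READWRITE
pid=7000 api=WriteProcessMemory target=7100
pid=7000 api=ResumeThread target=7100
""".strip().splitlines()

if __name__ == "__main__":
    for caller, target, allocs, writes in find_thread_hijacks(SAMPLE_TRACE):
        print(f"thread hijack: pid {caller} -> pid {target} ({allocs} exec allocs, {writes} writes)")
```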

We have compared the unpacked DLL with the recent ZLoader payloads and found a similarity score of 92.62%.

Final part of the attack chain

Analyzing The New Zloader C2 Infrastructure

The analyzed sample belongs to the ‘Tim’ Botnet as defined in the malware configuration. Some of the embedded C2s (the full list can be found in the IoC section of the full report) are also shared by the googleaktualizacija ZLoader botnet.

One of the C2s dumped from the infected machine, mjwougyhwlgewbajxbnn[.]com, used to resolve to 194.58.108[.]89 until the 25th of August 2021. As of the 26th of August, however, it points to 195.24.66[.]70.

The IP 194.58.108[.]89 belongs to ASN 48287 – RU-CENTER and hosts many different domains – 350 at the time of writing – forming the new ZLoader infrastructure. Some domains implement the gate.php component, which is a fingerprint of the ZLoader botnet. We noticed during our investigation that all the domains were registered between April and August 2021, and that they switched to the new IP (195.24.66[.]70) on the 26th of August.

A Targeted Campaign: AU And DE Financial Institutions

The new ZLoader campaign is targeted. The final payload has a list of embedded AU and DE domains, and contains some strings with wildcards used by the malware to intercept specific users’ web requests to bank portals.

@https://*commerzbank.de*
@https://*.de/*/entry*
@https://*.de/banking-*/portal?*
@https://*.de/banking-*/portal;*
@https://*.de/portal/portal*
@https://*.de/privatkunden/*
@https://*.de*abmelden*
@https://*.de/de/home*
@https://*.de/en/home*
@https://*.de/fi/home*
@https://*banking.sparda.de*
@https://*banking.sparda-*
@https://*banking.sparda.de/wps/loggedout.jsp
@https://*meine.deutsche-bank.de/trxm/db*
@https://*banking.berliner-bank.de/trxm*
@https://*meine.norisbank.de/trxm/noris*
@https://*targobank.de*
@https://banking4.anz.com/IBAU/BANKAWAY*
@https://banking.westpac.com.au/*
@https://www1.my.commbank.com.au/netbank/Portfolio/Home/*
@https://ibanking.stgeorge.com.au/ibank/*
@https://ibanking.banksa.com.au/ibank/*
@https://ibanking.bankofmelbourne.com.au/ibank/*
@https://online.macquarie.com.au/*
@https://ob.cua.com.au/ib/*
@https://banking.bendigobank.com.au/banking*
@https://internetbanking.suncorpbank.com.au/*
@https://www.ing.com.au/securebanking/*
@https://ib.nab.com.au/*
@https://online.beyondbank.com.au/*
@https://ib.greater.com.au*
@www.independentreserve.com*
@www.coinspot.com.au*
@https://auth.btcmarkets.net/*

From our analysis of the communication patterns related to mjwougyhwlgewbajxbn[.]com, we were able to map most of the source traffic used by the operators of the botnet.

The pornofilmspremium[.]com domain delivers the tim.exe component. The domain was registered on 2021-07-19 (Location RU, ASN: REG RU 197695) and is associated by the community with ZLoader [1, 2]. The same registrant email address was used to register this domain and a number of others, as detailed in the full report.

Conclusion

The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealth. The first stage dropper has changed from the classic malicious document to a stealthy, signed MSI payload. The chain uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of its payloads.

This is the first time we have observed this attack chain in a ZLoader campaign. At the time of writing, we have no evidence that the delivery chain has been implemented by a specific affiliate or if it was provided by the main operator. SentinelLabs continues to monitor this threat in order to track further activity.

Indicators of Compromise

For a full list of IoCS see the full report.

Read the Full Report


We thank Awais Munir for his assistance in the technical analysis of the Zloader campaign.

Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets

16 June 2021 at 16:44

The ongoing Gootloader campaign expands its scope to highly sensitive assets worldwide including financial, military, automotive, pharmaceutical and energy sectors, operating on an Initial Access as a Service model.

Executive Summary

  • Since the beginning of January 2021, an active Gootloader campaign has been observed in the wild expanding its scope of interest to a wider set of enterprise verticals worldwide.
  • Analysis of over 900 unique droppers reveals that the campaign targets diverse enterprise and government verticals including military, financial, chemistry, banks, automotive, investment companies and energy stakeholders, primarily in the US, Canada, Germany, and South Korea.
  • Around 700 high-traffic compromised websites were used as a delivery network.
  • The campaign uses tailored filenames to lure targets in a typical form of social engineering.
  • This campaign has a low static detection rate alongside robust sandbox evasion techniques and ‘fileless’ stages.
  • Considering the wide distribution of the campaign and the heterogeneity of its deployed arsenal, we assess that Gootloader acts as an ‘Initial Access As a Service’ provider, after which a variety of tools may be deployed.

Introduction

We have been tracking an active Gootloader campaign aimed at enterprise and government targets worldwide. The primary industries of interest appear to be U.S. military, governmental, and financial entities, trading, mining, green energy, game industries and automotive companies, as well as their suppliers and service providers.

First spotted in 2014, Gootkit was born as a banking trojan. It has since evolved to become more of an infostealer, operated by what appears to be a cluster of actors. The name ‘Gootkit’ is often used interchangeably to refer to both the malware and the group, but that’s admittedly loose. In March 2021, Sophos were the first to identify the multi-payload delivery platform and call it “Gootloader”.

Early activity of Gootloader campaigns was first spotted by security researcher @ffforward in late 2020 and later published by ASEC, Malwarebytes, and Trend Micro. Pivoting on those findings, we were able to gather a sizable amount of malicious artifacts related to the same Gootloader campaign. We collected about 900 JavaScript (js) droppers from a period of four months (1 Jan 2021 – 25 April 2021) by leveraging this Gootloader_JavaScript_infector YARA rule. Our aim is to deepen our understanding of the Gootloader service platform and the selective nature of this campaign: topics that haven’t been investigated at scale.

The campaign uses customized filenames to lure targets through SEO poisoning, with the name of the js loader playing an active part of the social engineering process. For this reason, we deemed that in this campaign the filenames provided a strong indication of the contents victims were interested in searching for and, by extension, the scope of the intended targets.

The detection rate of these artifacts by VirusTotal engines is very low and ranges from 1 to 7:

Low detection on VirusTotal

Moreover, considering that the subsequent stages are downloaded and executed in-memory, this ‘fileless’ mechanism is very effective at evading standard sandboxes.

The Stealthy JS Loader

The core component of Gootloader is a small js loader (2.8 KB) that acts as the first-stage of the infection chain. It’s not new, and the same artifact is used in other Gootkit campaigns. The loader is composed of three highly obfuscated layers that contain encoded URLs. These form part of a network of compromised websites used to deliver the final payload, typically one of the malware families listed below:

  • BlueCrab (mostly targeting Korean Users)
  • Cobalt Strike Beacons
  • Gootkit
  • Kronos
  • Revil

We see Gootloader as a cluster of activity representing an ‘Initial Access as a Service’ business model, allowing it to distribute malware for different cybercrime groups for affiliate fees. All of the above payloads are known ‘MaaS’ (Malware-as-a-Service) families that thrive on affiliate distribution models. Seeing that in some cases the payload distributed is Cobalt Strike, we cannot exclude that the Gootloader operators are conducting their own reconnaissance or credential harvesting for further gain.

Analyzing the JavaScript components was made drastically easier with the use of HP’s Gootloader decoder to automate the deobfuscation and extraction of embedded URLs and content.

The beautified version of the js loader’s first layer reveals the malicious logic:

js loader 1st layer

Once deobfuscated, we obtain the 2nd layer:

js loader 2nd layer

And finally the cleartext (and beautified) version:

js loader decoded

From the decoded script we can now see how Gootloader performs some target filtering to ensure that the victim is part of an Active Directory domain by expanding the "%USERDNSDOMAIN%" environment variable.

Checking whether the user is in an AD domain

If the check returns true, then it appends an id (278146 in the above example) at the end of the query string and requests the next stage from one of the websites contained in the ‘K’ array.

Gootloader Delivery Platform

In this section, we examine how the Gootloader delivery network works, starting with the distribution of the js loader using a social engineering lure all the way to the final payload.

The delivery network is composed of two levels. The first level consists of compromised well-ranked websites indexed by Google and hijacked by threat actors to host a js redirector.

Hijacked websites host a js redirector

At the time of writing, we estimate there are around 700 different compromised websites worldwide.

The script embedded on these compromised websites is responsible for performing the following checks via HTTP headers before delivering the js loader to the target:

  • referral: check that the request comes specifically from a Google search
  • first time condition: check that the host/machine has not previously visited the site
  • timezone: check the timezone based on the requester IP

The timezone check is particularly interesting: in our analysis, the Gootloader platform apparently ‘geofences’ its intended targets by only delivering malware if the victim comes from specific countries: the US, Canada, Germany, and South Korea.

If any of the above conditions is not met, then the redirector builds a dummy page without a malicious component for the user, such as the following:

Dummy page for uninteresting visitors

Otherwise, the embedded script automatically builds and displays a fake forum page containing a thread relevant to the user’s search content, along with the link to the js loader:

Fake forum page for interesting targets

The compromised websites use old and vulnerable CMS versions that have been exploited to insert the malicious script.

During our analysis, we were able to extract the exploited domains used as a second-level delivery network for this campaign (the list is not exhaustive):


The malicious link embedded into the fake page points to a .php resource. In turn, that component is responsible for delivering the malicious loader to victims by pulling a zip archive containing the js loader with the same name from the second level delivery network.

https:///about.php?kiaorsruvr=kdwpx&id=6d6563463546734e487841532f31306d374b77736274446b70356e505257655464736a59&ptfud=kyihnz&evhiqnglhuq=mtfcrj

The above URL reminds us of a typical webshell schema through which it’s possible to track campaigns and victims. Moreover, subsequent attempts to download the same file using the same URL from the same machine will fail. Each download attempt automatically generates a new URL. In fact, three different attempts from different IPs generate the following unique URLs:

Different IPs generate unique URLs

This substantiates the notion of a fully-automated assembly line process for malicious bundles.

Once the malicious js loader is delivered to the victim and executed through the wscript.exe process, it performs another request to one of the embedded domains belonging to the same 2nd level delivery network.

In the request, the loader passes a random-looking parameter (“?wmsyxqsucnsif=”) to the search.php component, assigning a value to it. The assigned value consists of a randomly generated numeric value followed by an ID that signals that the user is part of a domain.

The “?wmsyxqsucnsif=” query parameter changes for each analyzed dropper. By extracting a few of them, we noticed differences in length:

Iywoiqoagiqj        Length: 12

Ulxoflokgzjuj       Length: 13
Xksrabkxexxje       Length: 13
Ulxoflokgzjuj       Length: 13
Frzlewezxuqra       Length: 13
Wehzijrczmewt       Length: 13
Fzwuidcgfwpid       Length: 13
Xrplomnpnofoc       Length: 13
Jrnfrcbxrmwnr       Length: 13

Zlurylnryiaupe      Length: 14
Bhqtjmvrrnpttw      Length: 14
Hmdfwcokgjutia      Length: 14

Btvhenvucpmtvpta    Length: 16
Vzhnbqsvkxxndgem    Length: 16
Mnxcmedoofhmjhob    Length: 16
Olwakhzcqflqrbln    Length: 16

Ecteaaaqztxoqblrar  Length: 18

We were able to populate at least five different clusters based on assigned lengths: 12, 13, 14, 16 and 18. A randomly generated, unique string is assigned to each loader. The query parameter, at this stage, may be used for download tracking or other purposes.
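The two request shapes described in this section (the about.php download link with a long hex id among random-looking parameters, and the loader's search.php request carrying a single 12 to 18 letter parameter with a numeric value) can be matched in proxy logs without any payload inspection. The following is an added example, not SentinelLabs code; the log line format and hostnames are constructed, and only the shape rules the write-up reports are encoded.

```python
"""Classify proxy-log URLs by the Gootloader request shapes described above.

Added example, not SentinelLabs code. Sample lines are constructed in an
assumed "<timestamp> <client> <method> <url>" format. The rules encode only
what the write-up reports: a search.php request with one all-letter parameter
of 12 to 18 characters and a numeric value, and an about.php link whose 'id'
is a long hex string alongside other random-looking alphabetic parameters.
"""
import re
from urllib.parse import parse_qsl, urlsplit

MIN_PARAM, MAX_PARAM = 12, 18   # parameter-name length clusters observed: 12, 13, 14, 16, 18


def classify(url):
    """Return a label for a Gootloader-shaped URL, or None for anything else."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    path = parts.path.lower()
    # stage-2 fetch by the js loader: ?<random letters>=<random number><id>
    if path.endswith("/search.php") and len(params) == 1:
        name, value = params[0]
        if name.isalpha() and MIN_PARAM <= len(name) <= MAX_PARAM and value.isdigit():
            return "gootloader_stage2_request"
    # loader download link from the fake forum page: about.php with hex id
    if path.endswith("/about.php"):
        ids = [v for k, v in params if k == "id"]
        others = [k for k, _ in params if k != "id"]
        if ids and re.fullmatch(r"[0-9a-f]{32,}", ids[0]) and others and all(k.isalpha() for k in others):
            return "gootloader_loader_download"
    return None


def scan_log(lines):
    """Return (client, label, url) for every log line whose URL matches a shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        label = classify(fields[3])
        if label:
            hits.append((fields[1], label, fields[3]))
    return hits


# constructed sample log: one host hits both Gootloader shapes, another is benign traffic
SAMPLE_LOG = """
2021-03-02T10:11:01Z 10.0.0.5 GET https://www.example-compromised.test/search.php?ulxoflokgzjuj=1614679860278146
2021-03-02T10:11:03Z 10.0.0.5 GET https://www.example-compromised.test/about.php?kiaorsruvr=kdwpx&id=6d6563463546734e487841532f31306d374b77736274446b70356e505257655464736a59&ptfud=kyihnz
2021-03-02T10:12:00Z 10.0.0.9 GET https://www.example-legit.test/search.php?q=contract+template&page=2
2021-03-02T10:12:05Z 10.0.0.9 GET https://www.example-legit.test/about.php
""".strip().splitlines()

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client:10} {label:28} {url}")
```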

Delivery of the Final Payload

If the js loader succeeds in contacting the C2, then it retrieves an encoded PowerShell stager that in turn downloads the next payload and writes it to the registry as a list of keys. The js loader then deploys additional PowerShell responsible for loading and decoding the content hidden in the registry.

Base64 obfuscated PowerShell

Decoded PowerShell content

The additional PowerShell is responsible for extracting the payload from the registry, converting it from ASCII into bytes through the chba() function, then loading and executing it by reflection.

At this point, the code spawns the ImagingDevices.exe process and injects itself into it via process hollowing. As noted above, the injected payload varies between Cobalt Strike Beacons and various well-known malware families such as REvil and Kronos.

PowerShell execution chain

Analysis of the network communication allowed us to spot different network clusters revolving around the following IPs:

  • 23.106.122[.]245
  • 78.128.113[.]14

Network clusters

These two Cobalt Strike Team Servers now appear to serve Gootloader exclusively; however, there appears to be some infrastructure overlap on 78.128.113[.]14. This particular host has been observed as part of multiple Cobalt Strike-centric campaigns over the last several years. It is not possible to conclusively say that the same “actor” or “group” has been operating that infrastructure throughout the history of its misuse. That said, it is important to note that while campaigns have varied, this host has constantly been utilized to stage and serve CS Beacons and additional payloads, up to and including this ongoing Gootloader campaign. Given such history, it is reasonable to assume that the host is at least partially under the control of an affiliate group.

Victimology

As evidenced by artifacts in the code, this ongoing Gootloader campaign is selective and targets users from enterprise environments. Extrapolating from the variety of languages used in various components of the campaign, we can surmise that the operators favored targets in Korean, German and English-speaking environments.

File names in different languages

The names of lures embedded into Gootloader samples also offer additional insights into the nature of the desired targets. For example, the artifact ‘besa_national_agreement_2021.js’ (SHA1: b0251c0b26c6541dd1d6d2cb511c4f500e2606ce) could suggest targets interested in components supplied by an Italian manufacturing company that produces security valves. Categorizing the loaders by their names, we can surmise targeted verticals:

Targeted industries

Interestingly, Korean loaders follow a different naming convention to that used for other languages. Rather than using company names or specific entities, they use a more generic naming scheme. This could indicate the presence of region-specific Gootloader operators with their own TTPs. It’s notable that despite not expressly targeting specific entities, these infections continue to check for users that are part of corporate domains.

NAME                          TRANSLATION
유튜브_영상(egj).js            YouTube_Video(egj).js
휴먼명조_폰트(fm).js           Human Myeongjo_Font(fm).js
살육의_천사_게임(lep).js        Slaughter_angel_game(lep).js
바코드생성프로그램(bo).js       Barcode generation program (bo).js
웨스트월드_시즌2_2화(jbk).js    West World_Season 2 Episode 2(jbk).js
스팀_게임_무료(wdb).js         Steam_Game_Free(wdb).js

Conclusion

We analyzed an ongoing Gootloader campaign attempting to lure professionals and enterprise employees worldwide. The selective nature of this campaign, the option to deliver multiple payloads, as well as the utilization of Cobalt Strike leads us to believe that Gootloader is an ‘Initial Access as a Service’ provider primarily for ransomware operators.

This malicious operation is still active at the time of writing and we continue to expect future campaigns seeking additional targets and verticals. For that reason, we continue to actively monitor Gootloader as a means of distribution for the next strand of widespread ransomware.

IoCs Gootloader Q1 2021

MITRE TTPs

JS loader + PowerShell stage:
Initial Access (TA0001):

  • T1566 Phishing
  • T1566.002 Spear Phishing Link
  • T0817 Drive-by Compromise

Execution (TA0002):

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

Persistence (TA0003):

  • T1547.001 Boot or Logon Autostart Execution

Defence Evasion (TA0005):

  • T1027 Obfuscated Files or Information

Privilege Escalation (TA0004):

  • T1055.012 Process Injection: Process Hollowing

URLs (Delivery Network):


Cobalt C2

  • 78.128.113[.]14
  • 23.106.122[.]245

Network Communication

  • https://78.128.113[.]14/j.ad
  • https://78.128.113[.]14/ca
  • https://78.128.113[.]14/updates.rss
  • https://78.128.113[.]14/load
  • https://78.128.113[.]14/pixel.gif
  • https://23.106.122[.]245/pixel.gif
  • https://23.106.122[.]245/fwlink

YARA

https://github.com/sophoslabs/IoCs/blob/master/Troj-gootloader.yara

SHA1s and Lures

Over 900 SHA1 hashes identified as part of the Gootloader Q1 2021 campaign along with some of the most relevant lures and embedded URLs used for the delivery of the payloads:

https://github.com/SentineLabs/Gootloader-iocs-q1-2021

The post Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets appeared first on SentinelLabs.
