FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 244721

Introduction

Gootloader is a multi-staged malware package written in JavaScript that is used primarily as a loader for other second-stage payloads. Gootloader has historically been used to drop various RAT and info stealer secondary payloads, including Cobalt Strike and the Gootkit info stealer. Gootloader appears to be operated primarily by a single Threat Actor who functions as an access broker, selling access to compromised environments to other Threat Actors. In late 2022, Gootloader operators executed a number of campaigns that incorporated SEO poisoning. This SEO poisoning aimed at boosting traffic to fake online forum posts that pointed to a ZIP file[1] containing trojanized JavaScript libraries. In the example analyzed in this article it was a jQuery library, although other trojanized libraries have also been observed.

In this article, we analyze components of the Gootloader trojanized jQuery and show the difference between a clean jQuery and the trojanized version. We also look into the infection chain associated with execution of the Gootloader script and discuss opportunities for detection. Finally, we look at a couple of customer events that show Gootloader activity and how FortiEDR is able to effectively detect and mitigate this threat.

 

 

Attack Chain

Figure 1. Attack chain associated with Gootloader malware attack detected by FortiGuard Responder team

 

Execution Analysis

As highlighted in the above attack diagram, the initial access vector for Gootloader is social engineering: the victim downloads a trojanized piece of software (as a ZIP file) from an online forum. In currently observed campaigns this is a trojanized JavaScript library. To improve the effectiveness of this lure, the Gootloader operators perform SEO poisoning to increase traffic to the post and thus improve the infection rate.

When the user executes the trojanized library, the first stage loader spawns a wscript host process and then reaches out to an external Gootloader C2 for the second stage payload. This second stage payload is also JavaScript and is executed inside the existing wscript process. The second stage payload writes a PowerShell loader, ‘powershell.dll’, and an encoded Cobalt Strike beacon DLL into the registry. A PowerShell process is then spawned by the hosting wscript process; it loads the powershell.dll stored in the registry, which in turn decodes and executes the Cobalt Strike beacon. Once executed, the Cobalt Strike beacon reaches out to its own C2, completing the Gootloader infection.

A more detailed analysis of artifacts at each of these stages for a recent campaign is provided below, along with the associated detections and mitigations provided through the FortiEDR platform.

 

 

First Stage Loader

Ongoing campaigns are still using forum posts boosted by SEO poisoning to attract victims. The SEO poisoning boosts the standing of certain pages so that they appear at the top of a search result when a potential victim looks for certain keywords. In recent campaigns these keywords appear to focus on information about contractual and investment terms such as ‘open book agreement’ and ‘forward purchase agreement’. When the victim enters these words into a Google search they may be led to a fake forum page with a post or comment that contains a link to download information, such as the one shown below in Figure 2.

Figure 2. A screenshot of a Gootloader

When the user follows the link they download a ZIP file containing a JavaScript file. In a recent campaign this JavaScript, “what_is_an_open_book_agreement 67938.js”, is a trojanized version of the jQuery library. The original jQuery JavaScript library contains functions that are employed by various web browsers and web-based applications. The trojanized version contains components of the Gootloader executable code embedded in different sections throughout the original code. Embedding the malicious code throughout an otherwise legitimate file is a defense evasion technique (T1027.009 – Obfuscated Files or Information: Embedded Payloads) and may allow the .js file to pass a cursory static analysis.

 

The figure below shows a partial code comparison between the original jQuery file and the trojanized version. The functions SetGlobalEval and buildFragment are found in both versions of jQuery, but in the infected version another function, general3, is embedded between the original functions. general3 is one of many Gootloader functions embedded and scattered throughout the jQuery library.

Figure 3. Snapshot of the original jQuery code compared to the infected jQuery (first stage Gootloader).

The functions embedded within the trojanized jQuery library appear to be obfuscated with randomized function names and superfluous loops and intermediate counters. Most function and variable names were observed to end with numbers, such as “year1”, “seven6”, “eight5”, etc. Figure 4 shows some of the functions collected from the trojanized jQuery.
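A static triage heuristic built on that naming observation, added here as an example and not part of the original article or of any Fortinet tooling: it lists the functions declared in a .js file, counts names that follow the letters+digits pattern, and checks whether such a function sits between the jQuery internals setGlobalEval and buildFragment. The two snippets are constructed stand-ins rather than Gootloader code, and the 20% ratio threshold is an assumed tuning value.

```python
import re

# Matches "function name(" declarations and "var/let/const name = function" expressions.
FUNC_DECL_RE = re.compile(
    r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\("
    r"|\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*function\b"
)
# Naming pattern reported for the embedded Gootloader functions: letters followed by digits.
WORD_DIGIT_RE = re.compile(r"^[A-Za-z]+\d+$")
# jQuery internals the article uses as anchors for its clean-vs-trojanized comparison.
JQUERY_ANCHORS = ("setGlobalEval", "buildFragment")


def function_names(js: str) -> list:
    """Names of all declared or assigned functions, in source order."""
    return [decl or expr for decl, expr in FUNC_DECL_RE.findall(js)]


def word_digit_names(js: str) -> list:
    """Function names that follow the letters+digits pattern (e.g. general3, seven6)."""
    return [n for n in function_names(js) if WORD_DIGIT_RE.match(n)]


def interleaved_with_anchors(js: str) -> bool:
    """True if a letters+digits function sits between the two jQuery anchor functions."""
    names = function_names(js)
    if not all(a in names for a in JQUERY_ANCHORS):
        return False
    lo, hi = sorted(names.index(a) for a in JQUERY_ANCHORS)
    return any(WORD_DIGIT_RE.match(n) for n in names[lo + 1:hi])


def assess(js: str, ratio_threshold: float = 0.2) -> dict:
    """Summarize the heuristic; ratio_threshold (20%) is an assumed tuning value."""
    names = function_names(js)
    flagged = word_digit_names(js)
    ratio = len(flagged) / len(names) if names else 0.0
    interleaved = interleaved_with_anchors(js)
    return {
        "functions": len(names),
        "word_digit_functions": len(flagged),
        "ratio": round(ratio, 3),
        "interleaved": interleaved,
        "suspicious": ratio >= ratio_threshold or interleaved,
    }


# Constructed stand-ins: a few jQuery-style internals, and the same internals with
# letters+digits functions scattered between them. Neither is real Gootloader code.
CLEAN_JS = """
function setGlobalEval(elems, refElements) { return elems; }
function buildFragment(elems, context) { return context; }
var getAll = function (context, tag) { return context; };
"""
TROJANIZED_JS = """
function setGlobalEval(elems, refElements) { return elems; }
function general3(a) { var year1 = 0; return a; }
function buildFragment(elems, context) { return context; }
function seven6(b) { return b; }
var getAll = function (context, tag) { return context; };
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_JS), ("trojanized", TROJANIZED_JS)):
        print(label, assess(src))
```

Run it against a real jQuery build to confirm the clean baseline scores zero before applying the threshold to downloaded files.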

 

Figure 4. Some of the Gootloader functions embedded in the trojanized jQuery library

Browsing through the malware script embedded in the trojanized jQuery, we find obfuscated strings that contain the code used to download and execute the second stage of Gootloader (see Figure 5).

Figure 5. Obfuscated strings embedded in the trojanized jQuery library

After deobfuscating the strings in Figure 5, we get another set of malware scripts with another layer of obfuscated strings, as shown in Figure 6. The malicious script shown in Figure 6 still does not clearly show how the second stage will be downloaded. Another deobfuscation pass is needed in order to better understand the code.

 

Figure 6. Another layer of obfuscated strings within the first stage loader.

After deobfuscating the script shown in Figure 6, we can finally see the script that downloads the second stage Gootloader payload. From Figure 7, we can see three domain names: “www[.]lakelandartassociation[.]org”, “www[.]lha[.]co[.]ke”, and “www[.]lesriceysimports[.]com”. These domains host the second stage Gootloader payloads. To complete the download URLs, “/test[.]php?nacokrnxvmzgxje=” is appended to each domain, followed by a random number and the string “4173581”. Note that this was relevant for the analyzed campaign and will likely change for subsequent campaigns. It should also be noted that these appear to be legitimate domains that have been compromised and used to host Gootloader malware. This should be considered when applying blocks: blocks should apply to the URLs rather than the entire compromised domains, to avoid collateral blocking of legitimate traffic. An example of a complete link looks similar to: “https[:]//www[.]lakelandartassociation[.]org/test[.]php?nacokrnxvmzgxje=(random number)4173581”.

Figure 7. Deobfuscated script showing the three domain names used by the analyzed Gootloader sample to download the second stage JavaScript payload

Using the Fortinet Central Threat System (CTS) shown in Figure 8, we can see that the above domains, referenced in the first stage loader and used to retrieve the second stage, are all tagged as Gootloader C2 in the FortiGuard Labs Threat Intelligence database. This database is used to detect malicious network connections within observed traffic, including traffic analyzed with FortiEDR.

 

Figure 8. Second stage Gootloader domains are all identified through FortiGuard Threat Intelligence. Screenshot taken from Fortinet Central Threat System.

 

 

Second Stage Loader

The second stage downloaded from the above URLs is another obfuscated JavaScript. Figure 9 below shows a snapshot of the second stage JavaScript where the variable “faomyixsilsq” contains an embedded Cobalt Strike beacon DLL, while the variable “ryxav” contains the powershell.dll. Also seen in this code are references to two registry paths, which are described below.

Figure 9. Snapshot of second stage code showing the variables for the Cobalt Strike beacon DLL and powershell.dll, and the registry keys that will hold the content of both DLLs

Figure 10 shows the content of the registry keys SOFTWARE\Microsoft\Phone\%USERNAME% and SOFTWARE\Microsoft\Phone\%USERNAME%0. In our test environment the username was ‘katniss’, so the registry keys translate to SOFTWARE\Microsoft\Phone\katniss and SOFTWARE\Microsoft\Phone\katniss0, respectively.

The content of powershell.dll is written to the “SOFTWARE\Microsoft\Phone\%USERNAME%0” key, while the Cobalt Strike beacon DLL is written to the “SOFTWARE\Microsoft\Phone\%USERNAME%” key. The JavaScript RegWrite function is called from the second stage loader script to write these registry keys. As the figure shows, both DLLs are split into blobs of 4000 characters placed as separate data strings within the mentioned registry keys.
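A hunting check for that registry layout, added here as an example that is not part of the article or of FortiEDR: given a dump of HKCU as a mapping of key path to value-name/data pairs, it flags keys under SOFTWARE\Microsoft\Phone whose values look like 4000-character chunks, reassembles them, and reports the <user>/<user>0 pairing the article describes. The sample hive and the assumption that chunk value names are numeric are constructed for the example.

```python
import re
from typing import Dict, List

# Key layout described in the article: HKCU\SOFTWARE\Microsoft\Phone\<user> and
# HKCU\SOFTWARE\Microsoft\Phone\<user>0. The hive prefix is optional in the match.
PHONE_KEY_RE = re.compile(
    r"(?i)^(?:HKCU\\|HKEY_CURRENT_USER\\)?SOFTWARE\\Microsoft\\Phone\\([^\\]+)$"
)
CHUNK_LEN = 4000  # blob size observed in the analyzed sample


def is_chunked_blob(values: Dict[str, str]) -> bool:
    """Several string values, none longer than CHUNK_LEN and at least one exactly CHUNK_LEN."""
    lengths = [len(v) for v in values.values()]
    return len(lengths) >= 2 and max(lengths) <= CHUNK_LEN and CHUNK_LEN in lengths


def reassemble(values: Dict[str, str]) -> str:
    """Join the chunks. Assumption (not stated on the page): chunk value names are
    numeric and give the order; otherwise insertion order is used."""
    names = list(values)
    if all(n.isdigit() for n in names):
        names.sort(key=int)
    return "".join(values[n] for n in names)


def scan(hive: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag Phone\\<name> keys whose values look like a chunked payload."""
    findings = []
    for path, values in hive.items():
        m = PHONE_KEY_RE.match(path)
        if m and is_chunked_blob(values):
            findings.append({
                "key": path,
                "name": m.group(1),
                "chunks": len(values),
                "total_len": len(reassemble(values)),
            })
    return findings


def paired_names(findings: List[dict]) -> List[str]:
    """Names where both <name> and <name>0 were flagged: the pairing the article describes."""
    names = {f["name"] for f in findings}
    return sorted(n for n in names if n + "0" in names)


# Constructed sample: a dump of HKCU as {key path: {value name: string data}}.
# Filler characters stand in for the encoded DLL content.
SAMPLE_HIVE = {
    r"HKCU\SOFTWARE\Microsoft\Phone\katniss": {"0": "A" * 4000, "1": "B" * 4000, "2": "C" * 1234},
    r"HKCU\SOFTWARE\Microsoft\Phone\katniss0": {"0": "D" * 4000, "1": "E" * 2000},
    r"HKCU\SOFTWARE\Microsoft\Phone\Settings": {"Enabled": "1"},  # benign-looking, constructed
}

if __name__ == "__main__":
    found = scan(SAMPLE_HIVE)
    print(found)
    print("paired:", paired_names(found))
```

On a Windows host the same mapping can be filled from the winreg module or from exported .reg text before calling scan().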

 

Figure 10. Registry keys that contain the powershell.dll and Cobalt Strike beacon DLL

 

 

Main Payload

Once the registry keys containing the embedded DLLs are written, the second stage loader executes an obfuscated PowerShell command that in turn reflectively loads and executes the DLL stored in the SOFTWARE\Microsoft\Phone\%USERNAME%0 key (powershell.dll in the case of the analyzed sample). This obfuscated command can be extracted from the FortiEDR Forensics interface; it is partially decoded in Figure 11 below, and an annotated, cleaned version of the decoded command is shown in Figure 12.
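The decoding step that CyberChef performs in Figure 11, scripted for triage as an added example that is not part of the article or of FortiEDR: it pulls the base64 argument of the encoded-command switch from a captured command line, decodes it as UTF-16LE, and reports which article-specific tokens (the Phone registry path, a reflective assembly load) the script contains. The command line and the script inside it are constructed stand-ins, not the sample's command; the indicator list is an assumed starting set.

```python
import base64
import re
from typing import Optional

# Common spellings of the PowerShell encoded-command switch (-e, -ec, -enc, -EncodedCommand).
# The argument is base64 of the script encoded as UTF-16LE.
ENC_ARG_RE = re.compile(r"(?i)(?<!\S)[-/]e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]+)")

# Detection tokens tied to the behaviour described in this article. They are
# constructed for the example and are not copied from the analyzed sample.
INDICATORS = {
    "phone_registry_key": re.compile(r"(?i)SOFTWARE\\Microsoft\\Phone\\"),
    "reflective_assembly_load": re.compile(r"(?i)Reflection\.Assembly\]::Load"),
}


def encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument of the encoded-command switch, or None."""
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """Decode as CyberChef would: base64, then UTF-16LE text. Padding is restored if stripped."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16le")


def analyze_command_line(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and report which indicators it contains."""
    payload = encoded_payload(cmdline)
    if payload is None:
        return {"encoded": False, "script": None, "hits": []}
    try:
        script = decode_encoded_command(payload)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return {"encoded": True, "script": None, "hits": []}
    return {
        "encoded": True,
        "script": script,
        "hits": [name for name, rx in INDICATORS.items() if rx.search(script)],
    }


# Constructed sample: a stand-in script that only references the registry path and
# the load API, wrapped the way an -enc command line would carry it.
SAMPLE_SCRIPT = r"$k='HKCU:\SOFTWARE\Microsoft\Phone\katniss0'; [Reflection.Assembly]::Load($bytes)"
SAMPLE_CMDLINE = "powershell.exe -w hidden -NoP -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")
).decode("ascii")

if __name__ == "__main__":
    print(analyze_command_line(SAMPLE_CMDLINE))
```

Because the numbers and variable names in the script change per infection (see Customer Event #1), match on the decoded text rather than on the base64 string.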

 

Figure 11. Decoded command line of the PowerShell command used to execute the powershell.dll payload stored in the registry by the second stage of the analyzed Gootloader sample. Decoded with CyberChef[2].

 

Figure 12. Deobfuscated and annotated version of the PowerShell command used to decode, load and execute the powershell.dll Gootloader payload stored in the victim registry.

 

The reflective loading of the decoded dll is flagged by FortiEDR and generates a security event for In-memory Execution as part of the Execution Prevention policy. The In-memory executable is flagged as an ‘Unconfirmed Executable’ as the hash does not match any known signatures and ML engines in Fortinet Cloud Services determined that it has suspicious characteristics. The related security event can be seen in Figure 13 below.

 

Figure 13. Execution chain of the second stage of Gootloader. FortiEDR detects the reflective loading of the final Gootloader DLL used to decode and execute the final Cobalt Strike payload from the registry.

 

Powershell.dll is a .NET dll that contains the function which is used to decode the final Cobalt Strike payload. We can use FortiEDR to dump the decoded dll from memory. A screenshot of the Test function within the Open class is provided in Figure 14 below.

 

Figure 14. Snapshot of the Open.Test() function within the “powershell.dll” loaded from the registry by the encoded PowerShell command in Figure 12.

 

Based on the information from the decoded PowerShell command (see Figure 12) we can see that this is the function called once the dll has been reflectively loaded. From the code above we can see that the purpose of this dll is to decode the main Cobalt Strike payload in the second registry key using a custom substitution method. The remainder of the powershell.dll code is a copy of the open source DynamicDllLoader code.

 

 

Customer Event #1

We have recently seen Gootloader activity in a number of our customers’ environments, two of which are outlined below. In the event below, FortiEDR detected a suspicious application attempting to connect to the C2 server at IP address 146[.]70[.]53[.]152 (see Figure 15 below).

Figure 15. FortiEDR blocks the connection of a Cobalt Strike implant (loaded via Gootloader) to its C2. Prior Gootloader activity was not blocked in this environment due to a poorly scoped exception, but the layered defense prevented business impact.

 

Looking at the process, we can see a PowerShell process that tries to connect to the mentioned IP address. The PowerShell process loads and executes the Cobalt Strike beacon DLL that was initially written to the registry key SOFTWARE\Microsoft\Phone\%USERNAME%. The content of SOFTWARE\Microsoft\Phone\%USERNAME% was decoded by executing the powershell.dll found in the other registry key, SOFTWARE\Microsoft\Phone\%USERNAME%0. The registry keys and their content are discussed in the section above.

The difference between this process chain and the one for the sample outlined above is that this one was triggered by a service, hence the services -> svchost chain prior to the PowerShell process. Analysis of the service in this instance identifies the task manager service, indicating that this PowerShell process was executed as part of a scheduled task.

Using the Fortinet Central Threat System (CTS) shown in Figure 16, we can see that the IP address 146[.]70[.]53[.]152 is tagged as “Cobalt Strike C2” and “Malware CnC”. The Cobalt Strike C2 tag indicates that this IP has been associated with communications from previously observed Cobalt Strike beacons, while the Malware CnC tag indicates that the IP address has been associated with high-confidence malware Command and Control behavior. It is recommended that customers block all communications to and from known Cobalt Strike C2 in corporate environments where possible. Threat intelligence, including a maintained database of known malicious C2 such as Cobalt Strike C2, is available through FortiGuard threat feeds.

Figure 16. Cobalt Strike C2 tagged in the CTS system. This particular Cobalt Strike C2 was accessed by victims of a Gootloader campaign from September 2022, as highlighted above.

As part of the detection in Figure 15, FortiEDR also captures the command line argument containing the base64-encoded PowerShell command described in the analysis section above. The decoded PowerShell command is similar in structure to the previously outlined command; the differences are the numbers at the beginning and end of the script, as highlighted in the figure, and the variable names, which vary with every infection. The varying numbers and variable names add to the randomization of the code when it is encoded to base64.

 

 

Customer Event #2

A separate customer event, where the process chain more closely aligns with the chain shown in the analysis in the first part of this report, was observed in late October 2022. In this case the second unmapped executable, the Cobalt Strike beacon DLL, tries to connect to its C2 server. This attempted network connection was blocked by FortiEDR, as shown in the FortiEDR security event below in Figure 17. Prior Gootloader activity was not blocked in this environment due to a poorly scoped exception, but the layered defense prevented business impact.

Figure 17. FortiEDR blocks the connection of a Cobalt Strike implant (loaded via Gootloader) to its C2.

In this event the Cobalt Strike C2 was reached through the URL “https[://]91[.]206.178.107/match”. Using the Fortinet Central Threat System (CTS) shown in Figure 18, we can see that the IP address 91[.]206[.]178[.]107 is also tagged as Cobalt Strike C2 and Malware CnC, like the previously identified samples.

Figure 18. Another Cobalt Strike C2 tagged in the CTS system. This Cobalt Strike C2 was also accessed by victims of a Gootloader campaign from September 2022, as highlighted above.

 

Conclusion

The continued prevalence of Gootloader highlights the need for organizations to monitor the execution of JavaScript within their networks. It also highlights the need to lock down applications such as wscript and PowerShell so that they cannot be executed by standard users. In situations where this is not possible, a modern EDR solution like FortiEDR will prevent malicious scripts, like those employed as part of this Gootloader campaign, from connecting to C2. As demonstrated in several other KB articles on this site, FortiEDR is also positioned to provide ongoing protection from post-exploitation activity.

FortiEDR Threat Hunting telemetry can also be used to build additional detection methods that attribute observed activity to potential Gootloader activity more quickly and expedite analyst triage. Threat Hunting queries designed to assist with detecting Gootloader activity are shown below, as are the MITRE ATT&CK techniques involved in this activity and related observables, and IOCs related to observed activity.

 

Threat Hunting

This query returns all Library Loaded events for the powershell.exe process where the target executable is powershell.dll. Powershell.dll is loaded and executed by the PowerShell script to decode the Cobalt Strike beacon DLL from the registry. There are no expected false positives associated with this activity.

Type: ("Library Loaded") AND Source.Process.Name: ("powershell.exe") AND Target.Executable.File.Name: ("powershell.dll")

This query returns Process Creation events where a wscript process with a parent process of explorer and a command line argument indicating it is running a script from the Downloads directory creates a PowerShell process. This is indicative of successful execution of the final stage of Gootloader but will not detect variants that incorporate a scheduled task as part of the second stage execution. There may be false positives for applications that employ temporary .js files to support administrative tasks.

Type:"Process Creation" AND (Source.Process.Name:"wscript.exe" AND Source.Process.Parent.Path:"openwith.exe" AND Source.Process.CommandLine:"*Downloads*") AND (Target.Process.Name:"powershell.exe" OR Target.Process.Name:"pwsh.exe")

This query returns Socket Connect events related to network connections to known C2 associated with the analyzed Gootloader campaign. This is indicative of the various stages of infection as highlighted in the analysis above. Note that this campaign occurred late last year and the IOCs may no longer be relevant; this query has been included so it can be used to look through historic data, and for completeness.

Type:"Socket Connect" AND RemoteIP:("146.70.53.152" OR "146.70.29.237" OR "91.206.178.107")

 

 

 

 

MITRE ATT&CK

T1059 - Execution

Technique ID | Technique Description | Observed Activity
T1059.001 | Command and Scripting Interpreter: PowerShell | Gootloader malware uses a PowerShell script to decode the content of the registry key and to load and execute the .NET loader that serves as the final stage of infection (powershell.dll).
T1059.007 | Command and Scripting Interpreter: JavaScript | Gootloader malware uses JavaScript for the first and second stage of its execution.

TA0005 - Defense Evasion

Technique ID | Technique Description | Observed Activity
T1140 | Deobfuscate/Decode Files or Information | Gootloader malware uses base64 encoding for its PowerShell script.
T1112 | Modify Registry | Gootloader malware creates the registry keys SOFTWARE\Microsoft\Phone\%USERNAME% and SOFTWARE\Microsoft\Phone\%USERNAME%0 to store the content of powershell.dll and the Cobalt Strike beacon DLL.
T1027 | Obfuscated Files or Information | Gootloader malware uses base64 encoding for its PowerShell command. The content of the registry keys SOFTWARE\Microsoft\Phone\%USERNAME% and SOFTWARE\Microsoft\Phone\%USERNAME%0 is stored in encoded form (powershell.dll and the Cobalt Strike beacon DLL).
T1027.009 | Obfuscated Files or Information: Embedded Payloads | Gootloader is embedded within trojanized versions of legitimate .js scripts, such as jQuery. This helps avoid detection by basic hash, entropy and cursory static analysis.

TA0011 – Command and Control

Technique ID | Technique Description | Observed Activity
T1071.001 | Application Layer Protocol: Web Protocols | Gootloader downloads its second stage payload through a web request to Gootloader C2. In some observed intrusions (like the one analyzed in this article), Gootloader malware also launches the Cobalt Strike beacon, which connects to its own C2. This connection to Cobalt Strike C2 is typically through a web request, although Cobalt Strike has highly configurable C2 profiles.

 

 

IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
GootLoader sample | ba567300a0d29024be5e9915b70e51314a402da1 | SHA1 Hash | Installation | Gootloader stage 1 JavaScript | 2022-05-12
GootLoader sample | c368276a46647207ae5b8b2727a0e5d6766c667b | SHA1 Hash | Installation | Gootloader stage 1 JavaScript | 2022-05-21
GootLoader sample | 1842f8b8ad9de3e4834256da580e86506e9ccaac | SHA1 Hash | Installation | Gootloader stage 1 JavaScript | 2022-05-14
GootLoader sample | 538fe7831024cdd640c121694e46dbb4e2b2fab7 | SHA1 Hash | Installation | Gootloader stage 2 JavaScript, writes powershell.dll and Cobalt Strike dll to registry | 2022-06-01
GootLoader sample | 998f260c15299aa0fbd6c673d75e02ef88555510 | SHA1 Hash | Installation | Gootloader stage 2 JavaScript, writes powershell.dll and Cobalt Strike dll to registry | 2022-05-30
GootLoader sample | ddfb10ef616a2a18baa25a8c25ac4f3e2b4a54f0 | SHA1 Hash | Installation | Gootloader stage 2 JavaScript, writes powershell.dll and Cobalt Strike dll to registry | 2022-05-27
Cobalt Strike IP Address | 146[.]70[.]53[.]152 | IP Address | C2 | Cobalt Strike C2 associated with Gootloader post-execution activity | 2022-05-24
Cobalt Strike IP Address | 146[.]70[.]29[.]237 | IP Address | C2 | Cobalt Strike C2 associated with Gootloader post-execution activity | 2022-05-30
Cobalt Strike IP Address | 91[.]206[.]178[.]107 | IP Address | C2 | Cobalt Strike C2 associated with Gootloader post-execution activity | 2022-10-25
Cobalt Strike URL | 91.206.178.107/match | URL | C2 | Cobalt Strike C2 associated with Gootloader post-execution activity | 2022-10-26
Gootloader URL | www[.]lakelandartassociation[.]org/test[.]php | URL | Installation | URL hosting Gootloader second stage JavaScript | 2022-05-13
Gootloader URL | www[.]lha[.]co[.]ke/test[.]php | URL | Installation | URL hosting Gootloader second stage JavaScript | 2022-05-09
Gootloader URL | www[.]lesriceysimports[.]com/test[.]php | URL | Installation | URL hosting Gootloader second stage JavaScript | 2022-05-09

 

 

[1] https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader

[2] https://gchq.github.io/CyberChef/
