Introduction:
This report goes over the GootLoader malware in detail. It has been wreaking havoc since 2020, and it is time we put an end to it. In this threat bulletin we look at all of its signature tactics, techniques, and procedures (TTPs), and we also dive into the new ways it gets around detection.
Upgrades and new threat vector:
GootLoader does not stop at one trick; it keeps evolving. The first change its operators made was to the initial Stager 1 component, to make detection even harder. They are now adding obfuscation and code shuffling to render open-source decoding tools useless.
Preventive measures:
To defend against the likes of GootLoader, organizations should consider a multi-faceted approach: URL analysis, decoy files, analysis of client-server payload profiles, file hashing, pattern-matching searches of file contents, system configuration permissions, process spawn monitoring, and network traffic filtering. By doing this, organizations can avoid falling victim to these threats.
Indicators of compromise (IOCs):
Stager 1 (ZIP):
Hash:
- 568eeaab68afe15f420fcdc4ac5174dfae9cb1b56b365ddf0951dee35f916dff
Stager 1 (JavaScript):
Hash:
- 1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f
Stager 2 (Post May 2022):
Hashes:
- 640d75d1f3ef23a65c5554b1e86281abbc14e62ee878fda119ce0be910526438
- e4f452c452695ef4dd61042d77ec9dfa6a803a3ef82878b66b0b08780350efa6
- 6c4bc6376afa8933e2556c688ec911642bcd86d44120cdd69240f0197fa08b9f
Payload (Powershell.dll):
Hashes:
Payload (Cobalt Strike Beacon):
Hash:
- 0258da19a8fa78a824bd2b43f36ffbb61cb8f7571971a1360cc2933175f27b4a
Registry key adds:
- SOFTWARE\Microsoft\Phone%Username%
- SOFTWARE\Microsoft\Phone%Username%0
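Two of the preventive measures above, file hashing and system configuration (registry) monitoring, can be exercised directly against the IOCs in this bulletin. The following is an added example, not code from the bulletin or its author: it scans constructed "kind|subject|value" telemetry lines for the Stager 1, Stager 2 and Beacon SHA-256 values quoted here and for writes to the SOFTWARE\Microsoft\Phone persistence keys. The event format, the HKCU prefix handling and the reading of %Username% as the local account name are assumptions.

```python
import re
from typing import Iterable

# SHA-256 IOCs quoted in this bulletin, mapped to the stage they identify.
KNOWN_HASHES = {
    "568eeaab68afe15f420fcdc4ac5174dfae9cb1b56b365ddf0951dee35f916dff": "Stager 1 (ZIP)",
    "1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f": "Stager 1 (JavaScript)",
    "640d75d1f3ef23a65c5554b1e86281abbc14e62ee878fda119ce0be910526438": "Stager 2",
    "0258da19a8fa78a824bd2b43f36ffbb61cb8f7571971a1360cc2933175f27b4a": "Payload (Cobalt Strike Beacon)",
}

# Registry persistence keys from the bulletin: SOFTWARE\Microsoft\Phone%Username% and
# SOFTWARE\Microsoft\Phone%Username%0. Assumption: %Username% stands for the local account
# name; the pattern tolerates an optional separating backslash and an optional hive prefix.
PHONE_KEY_RE = re.compile(
    r"^(?:HKCU\\|HKEY_CURRENT_USER\\)?SOFTWARE\\Microsoft\\Phone\\?[^\\]+$", re.IGNORECASE
)


def scan_events(lines: Iterable[str]) -> list[dict]:
    """Scan constructed 'kind|subject|value' event lines and return IOC alerts.

    kind 'file': subject is a path, value is the file's SHA-256 (hex).
    kind 'reg':  subject is the registry key written, value is unused.
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, subject, value = (line.split("|", 2) + ["", ""])[:3]
        if kind == "file":
            label = KNOWN_HASHES.get(value.lower())
            if label:
                alerts.append({"rule": "gootloader_hash", "stage": label, "subject": subject})
        elif kind == "reg" and PHONE_KEY_RE.match(subject):
            alerts.append({"rule": "gootloader_phone_key", "stage": "persistence", "subject": subject})
    return alerts


# Constructed sample telemetry (not from the bulletin): two hits, two benign events.
SAMPLE_EVENTS = [
    "file|C:\\Users\\alice\\Downloads\\agreement_template.zip|568eeaab68afe15f420fcdc4ac5174dfae9cb1b56b365ddf0951dee35f916dff",
    "file|C:\\Users\\alice\\Documents\\notes.txt|0000000000000000000000000000000000000000000000000000000000000000",
    "reg|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|",
    "reg|HKCU\\SOFTWARE\\Microsoft\\Phone\\alice0|",
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Feeding real EDR or Sysmon file-create and registry-set events into the same shape gives a cheap first-pass detector; hash matches catch only the exact samples listed here, so the registry rule is the more durable of the two.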
Conclusion:
GootLoader represents a strong and developing threat that combines SEO poisoning with advanced malware deployment. Its ability to adapt and evade makes it a reason to set up proactive security. Organizations should remain vigilant, refine their SIEM rules, and deploy a variety of prevention methods to protect against GootLoader and similar threats.