This week, Field Effect security intelligence analysts detected multiple incidents in which Gootloader malware was used in the targeting of organizations across several different industries. The attacks followed similar execution paths and our investigation continues to evolve as we uncover more details, including new attacker infrastructure.
Our investigation into these incidents allowed us to confirm prior intelligence related to the deployment of Gootloader, while also revealing new infrastructure associated with its post-exploitation activity, namely communication with remote hosts via HTTPS.
Originally tied to the GootKit banking trojan, Gootloader has become a pervasive threat of its own, often leveraged by threat actors to gain an initial foothold on targeted networks. This malware loader is known to compromise victims through search engine optimization (SEO) poisoning, which cleverly directs users searching for legitimate documents to compromised websites hosting malware masquerading as the desired document.
Once installed on an endpoint, Gootloader may download additional payloads that enable a wide range of malicious activities such as exfiltrating sensitive data or encrypting files for ransom.
Leveraging user trust in Google
When people need to write a type of document for the first time, the first thing they typically do is search Google for a relevant sample. Gootloader takes advantage of this behavior by manipulating SEO to entice users into clicking on malicious documents that have been inserted into legitimate websites hosting the types of samples the user is searching for.
In one case we observed, a user searched Google for “withdrawal from agreement sample,” which returned 44,500,000 hits. The first search result, for which Google displayed a lengthy snippet, was for the legitimate website of the NILS Japanese Language School (https://nilsjapan[.]com).
Image 1: Google search results for "sample letter of withdrawal from agreement"
Trusting in Google’s ability to return the most relevant results, the user clicked the link, which led to an online forum hosted at https://www.nilsjapan[.]com/faq/6697. There, the thread begins with a post from a user called “Emma Hill” asking for a sample withdrawal from agreement letter that a friend “had seen” on the forum.
The next post in the thread, made by a user named “Admin,” provides a link, presumably to the sample withdrawal from agreement letter requested by Emma Hill. Several other posts show users thanking Admin for posting the link, saying “it’s exactly what they were looking for,” which lends the link a further sense of legitimacy.
Image 2: Forum showing the link to download the desired sample
At first glance, this seems like the perfect search result. On closer inspection, however, this forum is not what a user familiar with the website would expect to see on this page: the forum content has been injected into the page, overwriting its existing content.
Looking into the HTML source code of this page at https://www.nilsjapan[.]com/faq/6697 reveals an unusual script reference:
<p><script type='text/javascript' src='https://www.nilsjapan[.]com/faq/?a53f674=5619269'></script></p>
When the page loads in a browser, this script tag loads obfuscated JavaScript that overwrites the legitimate content of the page with the fabricated forum posts. The script only executes the first time the page is loaded; on subsequent visits it does not run and the original, legitimate content is displayed.
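As an added illustration (not part of the original post), the following Python check scans a page's HTML for script references shaped like the injected tag above: a src that points at a directory rather than a file and carries a single opaque hex-key=digits query pair. The pattern is generalised from the one tag observed here and is an assumption, not a documented signature; the HTML below is constructed, with the host replaced by a relative path.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Heuristic generalised from the single injected tag seen on this page
# (/faq/?a53f674=5619269): directory path plus one opaque hex-key=digits pair.
# This is an assumption for illustration, not a documented loader signature.
OPAQUE_KEY = re.compile(r"^[0-9a-f]{5,12}$")


class ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value in the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def suspicious_script_srcs(html: str) -> list:
    """Return script src values that match the injected-loader heuristic."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        parts = urlsplit(src)
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        # directory path, exactly one query pair, opaque hex key, numeric value
        if parts.path.endswith("/") and len(pairs) == 1:
            key, value = pairs[0]
            if OPAQUE_KEY.match(key) and value.isdigit():
                hits.append(src)
    return hits


# Constructed page fragment (not the real site source); the legitimate asset
# reference is kept as a control and the injected tag uses a relative path.
SAMPLE_HTML = """<html><body>
<script type='text/javascript' src='/assets/js/site.min.js?v=1.4'></script>
<p><script type='text/javascript' src='/faq/?a53f674=5619269'></script></p>
<p>Frequently asked questions</p>
</body></html>"""
```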
The link provided by the Admin user references an external URL, hxxps://4dgamers[.]com/manual[.]php, which serves a .zip archive containing a JavaScript file of the same name.
If the user opens the malicious .js file from the .zip archive, WScript executes it and the first stage of Gootloader runs. The first stage then creates a scheduled task named “EMC ControlCenter”, configured to execute a second malicious .js file with WScript from the %USERPROFILE%\AppData\Roaming\AVAST Software\ directory. Execution of that script uses CScript to launch PowerShell.
PowerShell then establishes connections with various remote systems, at which point Gootloader is able to download additional malicious payloads to the compromised system.
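The execution chain above mapped onto process and scheduled-task events, as an added detection example that is not from the original post: it flags a script host running a lure named like the IoC file names listed below, creation of the “EMC ControlCenter” task, a .js executed from the AVAST Software directory, and PowerShell spawned by a script host. The event format, pids, user name and paths are constructed for the sample.

```python
import re

# Stage markers taken from the post: the task name, the drop directory and the
# "<document title> <digits>.js" lure file names listed under IoCs.
TASK_NAME = "EMC ControlCenter"
DROP_DIR = r"\appdata\roaming\avast software"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
LURE_JS = re.compile(r"[a-z ]+ \d{4,6}\.js\b")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_gootloader(events: list) -> list:
    """Return one tag per matched stage, in event order."""
    by_pid = {e["pid"]: e for e in events if "pid" in e}
    findings = []
    for e in events:
        if e.get("event") == "task_created":          # scheduled-task creation record
            if e["task_name"] == TASK_NAME:
                findings.append(f"task:{TASK_NAME}")
            continue
        img, cmd = basename(e["image"]), e["cmd"].lower()
        if img in SCRIPT_HOSTS:
            if LURE_JS.search(cmd):                    # stage 1: lure .js run by a script host
                findings.append(f"lure-js:{e['pid']}")
            if DROP_DIR in cmd and ".js" in cmd:       # stage 2: .js from the AVAST Software dir
                findings.append(f"drop-dir-js:{e['pid']}")
        elif img == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) in SCRIPT_HOSTS:
                findings.append(f"script-host-to-powershell:{e['pid']}")
    return findings


# Constructed process and task events (not real telemetry) following the chain
# described above; pids, the user name and paths are invented for the sample.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 4, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\manual\sample letter of withdrawal from agreement 98277.js"'},
    {"event": "task_created", "task_name": "EMC ControlCenter",
     "action": r'wscript.exe "C:\Users\alice\AppData\Roaming\AVAST Software\SEQUEN~1.JS"'},
    {"pid": 12, "ppid": 5, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Roaming\AVAST Software\SEQUEN~1.JS"'},
    {"pid": 13, "ppid": 12, "image": r"C:\Windows\System32\cscript.exe", "cmd": "cscript.exe"},
    {"pid": 14, "ppid": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
    {"pid": 15, "ppid": 4, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Scripts\inventory.vbs"},   # benign admin script: no finding
]
```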
Conclusion
It would appear that Gootloader is a very prolific template maker. Our analysis has shown potential victims attempting to download additional malicious sample agreements for things such as “joint driveway access” and “employee housing”.
Field Effect also observed a malicious document named “difference between case law and statutory law”, indicating that Gootloader is trojanizing documents other than sample templates and suggesting a potential interest in targeting both real estate and law firms.
These incidents also show that Gootloader is incredibly adept at manipulating SEO to achieve its objectives. As mentioned above, Gootloader managed to get Google to display its malicious result as the very first out of 44,500,000 total hits.
Gootloader has zeroed in on a technique that plays on an aspect of human nature unlikely to change anytime soon. As long as the opportunity remains, Gootloader is likely to keep leveraging this technique to compromise victims and carry out further malicious activity.
Mitigation
Field Effect MDR users are automatically alerted when activity associated with threats like Gootloader is detected in their environment. These AROs should be reviewed via the Field Effect Portal as soon as possible.
To lessen the impact of drive-by download campaigns like this one, Field Effect encourages users to:
- Keep your browser up to date;
- Configure anti-virus solutions to automatically scan files downloaded by browsers;
- Avoid visiting suspicious websites and heed any security warnings displayed by the browser (e.g. expired website certificates, insecure connections, etc.); and
- Rely on official, reputable sources when downloading content such as templates and samples.
Indicators of Compromise
Remote Hosts Communicating via PowerShell:
Javascript files:
INTERN~1.JS
SEQUEN~1.JS
HOSPIT~1.JS
AMMON~1.JS
REQUIRE~1.JS
sample letter of withdrawal from agreement 98277.js
sample letter non renewal of contract for employee 84994.js
employee housing agreement sample 91568.js
difference between case law and statutory law 36052.js
Infrastructure hosting Gootloader:
51.38.85[.]129
hxxps://4dgamers.com/manual[.]php
Zip files containing malicious JavaScript:
1865d7f3-e1dd-4b7b-824e-a2521e232f60_Sample_letter_of_withdrawal_from_agreement_85531.zip.f60
af6b327-3588-4379-8771-4310d6f21192_Difference_between_case_law_and_statutory_law_6749.zip