Friday, December 13, 2024

Bengal cats’ allure sparks a digital frenzy in Australia, as Sophos reveals a Google-driven Gootloader campaign that has left enthusiasts psspsspssed.

Once used by the cybercriminals behind REvil ransomware and the Gootkit banking trojan, GootLoader and its primary payload have evolved into an initial-access-as-a-service platform, offering data-stealing capabilities alongside the ability to deploy post-exploitation tools and ransomware.

GootLoader has gained notoriety for leveraging search engine poisoning techniques to facilitate initial infection. Cybercriminals often lure victims into installing malware by disguising harmful links or ads as legitimate offers, including instances where a seemingly official Google search result directs users to a compromised website hosting a malicious payload posing as a specific file. If undetected on the victim’s machine, the malware sets the stage for a second-stage payload referred to as GootKit, an extremely evasive data stealer and remote access Trojan (RAT) designed to establish a persistent foothold within the victim’s network environment. GootKit can then be leveraged to deploy ransomware or other tools, including Cobalt Strike, to facilitate follow-on exploitation.

Sophos X-Ops MDR recently uncovered a newly detected GootLoader variant, prompting an extensive threat hunting campaign across customer environments earlier this year to contain the actor’s activities. Researchers found the variant using SEO poisoning to distribute its JavaScript-based payload through search results for specific terms. The campaign targeted search queries such as “Are Bengal Cats legal in Australia?” to deliver the malware payload, showing the actors’ creative approach to evading detection.

During the threat hunt, MDR discovered a .zip archive used to deliver GootLoader’s initial payload while examining an affected user’s browser history. This led MDR to the compromised website that hosted the malicious payload. This report provides an overview of the MDR investigation’s methodology and the technical details of the recently uncovered GootLoader campaign, highlighting the tactics and techniques it uses to evade detection.

Technical Analysis and Identification

First-stage payload

On March 27, 2024, the MDR team conducted a proactive threat hunt across several customers’ estates in response to recently reported instances of a newly identified GootLoader variant being actively exploited in the wild.

The threat actor used SEO poisoning through a readily accessible online forum surfaced by a routine Google search for the query “Do you want a license to own a Bengal cat in Australia”. The first search result directed us to this webpage:

hxxps[://]ledabel[.]be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=Each%20state%20and%20territory%20in,to%20keep%20them%20as%20pets.

Immediately after the user clicked the link, a suspicious .zip file was downloaded to C:\Users\<Username>\Downloads\Are_bengal_cats_legal_in_australia_33924.zip on the victim’s machine, and the user’s browser was redirected to the URL hxxps:[//]www[.]chanderbhushan[.]com/doc[.]php.

Figure 1: The malicious .zip file downloaded from the compromised website, disguised as a legitimate document so that users are unlikely to recognise it as a threat.

Second-stage payload

On reviewing the running processes, we were able to determine that a small JavaScript file was dropping a large JavaScript file at C:\Users\<Username>\AppData\Roaming\Microsoft on the user’s machine. During testing, a differently named JavaScript file, produced by the malicious website and identifiable by its unique fingerprint, was downloaded to the user’s temporary directory each time the initial script was executed.

A scheduled task titled “Enterprise Aviation” was created with the command line “wscript REHABI~1.JS”, as shown in Figure 3. This tactic is believed to provide persistence on the victim’s machine by using wscript.exe to run the subsequent GootKit payload.

Figure 2: Running-process details, including the execution of wscript.exe that initiates the second stage through a scheduled task.

Figure 3: The scheduled task created to execute the next stage of JavaScript.

C:\Windows\System32\cscript.exe, invoked against the dropped script REHABI~1.JS, spawns powershell.exe, as shown in Figure 4. cscript.exe is the command-line version of the Windows Script Host. The arguments passed to PowerShell were not captured in this instance.

Figure 4: The Windows Script Host (cscript.exe) spawning powershell.exe.

Analysis of the URL history showed PowerShell.exe communicating with a number of related domains, as shown in Figure 5. This identified the third-stage payload.

In the specific case investigated by the MDR team, the third stage did not achieve a full deployment of GootKit, which prevented the download of further malware components. It is during this stage that additional tools such as Cobalt Strike, or ransomware, can be deployed onto the victim’s machine.

Malware Triage

Static analysis

MDR carried out static analysis of the .zip sample obtained from the malicious URL hxxps://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases, you do not need permission to own a Bengal cat in Australia. The ZIP file contained a JavaScript file named “Are_bengal_cats_legal_in_australia_72495.js”.

The JavaScript filename changes each time the file is downloaded, with a different numeric suffix. Upon reviewing the JavaScript code, it was observed that… Downloading another sample from the suspicious URL produced a differently named archive, “Bengal Cats Legal in Australia 75876.zip”.


Figure 6: Clicking the malicious link after navigating to the website in Browserling’s sandboxed browser.

String analysis of the dropped file was unfruitful in determining its purpose, largely because of the heavily obfuscated JavaScript code, a characteristic commonly seen in Gootloader samples. The script also included boilerplate licensing text to give the appearance of a legitimate JavaScript library, as shown in Figure 7.

Figure 7: Boilerplate licensing text embedded in the obfuscated script to make it appear legitimate.

Strings analysis of the secondary, larger JavaScript file downloaded to C:\Users\<Username>\AppData\Roaming\Notepad++\Small Unit Tactics.js likewise revealed a heavily obfuscated script, as shown in Figure 8.

Figure 8: Obfuscated strings in C:\Users\<Username>\AppData\Roaming\Notepad++\Small Unit Tactics.js.

MDR performed static analysis on the initially downloaded script, Are_bengal_cats_legal_in_australia_72495.js. As shown in Figure 9, decoding its obfuscation conclusively identified the file as a Gootloader 3.0 variant: the decoder recovered the first-stage file name Huthwaite SPIN Selling.dat, the second-stage file name Small Unit Tactics.js and a scheduled task named Destination Branding, along with a range of malicious domains embedded in the obfuscated strings.

Figure 9: Decoded output of Mandiant’s Python GootLoader decoder script run against “Are_bengal_cats_legal_in_australia_72495.js”.

Dynamic analysis

Figure 10: Process Monitor CreateFile event recorded when WScript.exe runs Are_bengal_cats_legal_in_australia_72495.js.

Several dynamic analysis tools were used to observe the behaviour of the malicious JavaScript. On execution, WScript.exe was observed creating the first file inside C:\Users\<Username>\AppData\Roaming\Notepad++, as shown in Figure 10. The file creation was visible only as a Windows Sysinternals Process Monitor CreateFile event; no write to disk and no deletion event were observed.

After Wscript.exe executed Are_bengal_cats_legal_in_australia_72495.js, the Process Hacker process tree showed CScript.exe and PowerShell.exe being created, along with a spawned conhost.exe process, as shown in Figure 11. Watching the script execution, MDR noted that Wscript.exe terminated, followed by the rapid termination of Cscript.exe; shortly afterwards Powershell.exe started.

Figure 11: Process Hacker process tree showing cscript.exe, powershell.exe and conhost.exe spawned after wscript.exe ran the script.

A scheduled task executed the file SMALLU~1.js via the Windows Script Host with the command wscript SMALLU~1.js, as shown in Figure 12. During the lab analysis, the secondary JavaScript could be dropped into any existing folder under C:\Users\<Username>\AppData\Roaming\<any existing folder>.

Figure 12: Process properties and scheduled task creation.
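The process chain described above (a script host running a .js from a user-writable folder, then wscript/cscript spawning PowerShell) can be hunted for in process-creation telemetry. The following is an added example, not Sophos code, written against constructed Sysmon-style events; the field names and the parent process (explorer.exe) are assumptions for the demo.

```python
import ntpath

# Constructed Sysmon-style process events (not from the article's telemetry);
# the script names follow the samples described on this page.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript "C:\Users\alice\Downloads\Are_bengal_cats_legal_in_australia_72495.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript SMALLU~1.js"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},   # arguments were not captured in the case
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Scripts\inventory.vbs"},   # benign admin script
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Lower-cased directory fragments that a user (or a dropper) can write to.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def ancestry(events, pid):
    """Return image basenames from pid up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # guard against ppid cycles
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain


def find_script_host_chains(events):
    """Flag powershell.exe with wscript/cscript anywhere in its ancestry."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if chain[0] == "powershell.exe" and SCRIPT_HOSTS & set(chain[1:]):
            hits.append((e["pid"], chain))
    return hits


def find_user_dir_scripts(events):
    """Flag script hosts launching a .js from a user-writable directory."""
    hits = []
    for e in events:
        cmd = e["cmdline"].lower()
        if (ntpath.basename(e["image"]).lower() in SCRIPT_HOSTS
                and ".js" in cmd and any(d in cmd for d in USER_WRITABLE_DIRS)):
            hits.append(e["pid"])
    return hits
```

The second rule catches the initial download being run from Downloads; the first catches the later stage even when, as with SMALLU~1.js, the command line carries no path at all.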

During the research, MDR conducted network and C2 analysis using Wireshark to capture the network traffic resulting from the execution of Are_bengal_cats_legal_in_australia_72495.js. Powershell.exe was used to send GET requests to a variety of domains with the URL path /xmlrpc.php, as verified with FakeNet. The requests contained Base64-encoded cookies which, when decoded, contained enumeration data about the system, such as the folder path C:\Users\<Username>\AppData\Roaming, as shown in Figure 13. The script reads the USERNAME and USERDOMAIN values and transmits this information to predetermined URIs.

Examination of the PCAP capture revealed a range of domains that had previously been identified through static analysis, as shown in Figure 14. SophosLabs has classified these domains and IOCs as malicious (malware and callhome); the associated JavaScript is detected as JS/Drop-DIJ (initial) and JS/Gootkit-AW (secondary).

Figure 14: DNS queries to malicious domains seen in Wireshark’s analysis of the captured PCAP.
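The beacon described above (GET requests to /xmlrpc.php carrying a Base64-encoded cookie with host enumeration data) can be checked for in proxy or PCAP-derived HTTP records. This is an added example, not code from the article or from Sophos; the request dictionaries and the decoded cookie layout (path|USERNAME=…|USERDOMAIN=…) are constructed for the demo, since the page only states that the cookie is Base64 and contains those fields.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample requests (not from the article's capture). The cookie
# layout "path|USERNAME=...|USERDOMAIN=..." is an assumption for the demo.
_BEACON_COOKIE = base64.b64encode(
    b"C:\\Users\\alice\\AppData\\Roaming|USERNAME=alice|USERDOMAIN=CORP"
).decode()
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "http://c2-a.example.test/xmlrpc.php",
     "headers": {"Cookie": _BEACON_COOKIE}},
    {"method": "GET", "url": "http://blog.example.test/xmlrpc.php",
     "headers": {"Cookie": "PHPSESSID=abc1234"}},    # ordinary WordPress traffic
    {"method": "POST", "url": "http://blog.example.test/wp-login.php",
     "headers": {}},
]

# Strings whose presence in a decoded cookie indicates host enumeration.
ENUM_MARKERS = ("USERNAME", "USERDOMAIN", "AppData\\Roaming")


def decode_base64_text(value):
    """Return the decoded text if value is strict Base64 of UTF-8, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_request(req):
    """Return enumeration markers found in the cookie of a GET /xmlrpc.php."""
    if req["method"] != "GET" or not urlsplit(req["url"]).path.endswith("/xmlrpc.php"):
        return []
    cookie = req["headers"].get("Cookie", "").strip()
    # Candidates: the whole header (bare Base64) and each name=value's value.
    candidates = [cookie] + [p.split("=", 1)[1].strip()
                             for p in cookie.split(";") if "=" in p]
    found = []
    for cand in candidates:
        text = decode_base64_text(cand)
        if not text:
            continue
        for marker in ENUM_MARKERS:
            if marker in text and marker not in found:
                found.append(marker)
    return found


def scan_requests(requests):
    """Map each suspicious request URL to the markers seen in its cookie."""
    results = {}
    for req in requests:
        markers = inspect_request(req)
        if markers:
            results[req["url"]] = markers
    return results
```

Legitimate WordPress clients also hit /xmlrpc.php, so the decision is made on what the cookie decodes to, not on the path alone.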

MITRE mapping

The following table maps the observed techniques to the MITRE ATT&CK® framework.

Tactic | Technique | Sub-technique | ID
Reconnaissance | | |
Resource Development | Stage Capabilities | Upload Malware | T1608.001
Resource Development | Stage Capabilities | SEO Poisoning | T1608.006
Initial Access | Drive-by Compromise | | T1189
Execution | Command and Scripting Interpreter | JavaScript | T1059.007
Persistence | Scheduled Task/Job | Scheduled Task | T1053.005
Privilege Escalation | | |
Defense Evasion | Obfuscated Files or Information | Embedded Payloads | T1027.009
Credential Access | | |
Discovery | System Information Discovery | | T1082
Lateral Movement | | |
Collection | | |
Command and Control | | |
Exfiltration | Exfiltration Over Web Service | | T1567
Impact | | |

Conclusion

GootLoader is a notorious malware-delivery-as-a-service operation that persistently leverages search results to target unsuspecting victims. Manipulating search engine optimisation to mislead users into downloading malicious software is a well-established practice, used by GootLoader since at least 2020 and by Raccoon Stealer and other malware-as-a-service operations for a similar period. While initial-compromise methods continue to evolve, numerous large campaigns have leveraged this technique over the past year.

Sophos Endpoint Protection neutralizes GootLoader through a combination of behavioral and malware-specific detections. Users, whether searching for Bengal cats or anything else, should remain wary of suspiciously appealing search results and advertisements on unfamiliar websites.

Indicators of Compromise

A list of Indicators of Compromise (IOCs) is available as a CSV file in the Sophos GitHub repository.
