Gootloader

Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[1][2]

ID: S1138
Type: MALWARE
Platforms: Windows
Contributors: Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 28 May 2024
Last Modified: 19 June 2024

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gootloader can create an autorun entry for a PowerShell script to run at reboot.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.[1][2]

.007 Command and Scripting Interpreter: JavaScript

Gootloader can execute a Javascript file for initial infection.[1][2]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Gootloader has used compromised legitimate domains to as a delivery network for malicious payloads.[2]

.006 Compromise Infrastructure: Web Services

Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS).[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Gootloader can retrieve a Base64 encoded stager from C2.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gootloader has the ability to decode and decrypt malicious payloads prior to execution.[1][2]

Enterprise T1105 Ingress Tool Transfer

Gootloader can fetch second stage code from hardcoded web domains.[1][2]

Enterprise T1027 Obfuscated Files or Information

The Gootloader first stage script is obfuscated using random alpha numeric strings.[1][2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.[2]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Gootloader can use its own PE loader to execute payloads in memory.[1]

.012 Process Injection: Process Hollowing

Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.[1][2]

Enterprise T1082 System Information Discovery

Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.[1]

Enterprise T1614 System Location Discovery

Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.[2]

.001 System Language Discovery

Gootloader can determine if a victim's computer is running an operating system with specific language preferences.[1]

Enterprise T1016 System Network Configuration Discovery

Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites.[2]

Enterprise T1204 .001 User Execution: Malicious Link

Gootloader has been executed through malicious links presented to users as internet search results.[1][2]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Gootloader can designate a sleep period of more than 22 seconds between stages of infection.[1]

References