Gootloader
Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Gootloader can create an autorun entry for a PowerShell script to run at reboot.[1] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.[1][2] |
| .007 | Command and Scripting Interpreter: JavaScript |
Gootloader can execute a Javascript file for initial infection.[1][2] |
||
| Enterprise | T1584 | .001 | Compromise Infrastructure: Domains |
Gootloader has used compromised legitimate domains to as a delivery network for malicious payloads.[2] |
| .006 | Compromise Infrastructure: Web Services |
Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS).[2] |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Gootloader can retrieve a Base64 encoded stager from C2.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Gootloader has the ability to decode and decrypt malicious payloads prior to execution.[1][2] |
|
| Enterprise | T1105 | Ingress Tool Transfer |
Gootloader can fetch second stage code from hardcoded web domains.[1][2] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
The Gootloader first stage script is obfuscated using random alpha numeric strings.[1][2] |
|
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.[2] |
| Enterprise | T1055 | .002 | Process Injection: Portable Executable Injection |
Gootloader can use its own PE loader to execute payloads in memory.[1] |
| .012 | Process Injection: Process Hollowing |
Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.[1][2] |
||
| Enterprise | T1082 | System Information Discovery |
Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.[1] |
|
| Enterprise | T1614 | System Location Discovery |
Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.[2] |
|
| .001 | System Language Discovery |
Gootloader can determine if a victim's computer is running an operating system with specific language preferences.[1] |
||
| Enterprise | T1016 | System Network Configuration Discovery |
Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites.[2] |
|
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Gootloader has been executed through malicious links presented to users as internet search results.[1][2] |
| Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Gootloader can designate a sleep period of more than 22 seconds between stages of infection.[1] |