Recently, we’ve seen a noticeable surge in malware cases linked to a malicious payload delivery system known as Gootloader. The group behind this malware is believed to operate a malware-as-a-service operation, exclusively providing a malware delivery service for other threat actors.
This malware has gained notoriety due to its exploitation of compromised WordPress sites for malware distribution and its utilization of SEO (Search Engine Optimization) poisoning techniques to achieve high rankings in web search results.
Particularly concerning is the fact that a significant portion of these cases involves law firms.
Figure 1. Gootloader malware investigations by industry
In this blog, we discuss why Gootloader has become very effective, and we will deep dive into its inner workings and shed light on the tactics employed by the operators behind it.
The initial vector of this attack utilizes a technique called Search Engine Optimization (SEO) poisoning to lure victims into downloading the malicious payload.
Typically, it all starts with a seemingly harmless search for supply agreement documents that lead to the compromised WordPress webpages controlled by Gootloader actors:
Figure 2. Example of a search query that leads to a SEO poisoned webpage
We collected a bunch of search queries that lead to the compromised websites and identified the keywords utilized by this malware group, revealing a predominant SEO keyword focus on legal documents such as “agreements”, “contracts”, and “forms”. This watering hole strategy theme appears to be successful - most cases we receive related to this malware are from our clients in law offices and legal firms.
These are some of the SEO search terms utilized in this campaign. While the majority of the keywords are in English, the campaign also targets the French, Spanish, Portuguese, German, and South Korean languages.
Figure 3. Samples of search keywords that leads to Gootloader infected websites
Figure 4. The word cloud displays the most frequently used terms in this campaign mostly related to legal agreements and other law/legal inquiries.
When visiting a poisoned link from the search engine result, the user will be directed to a page that mimics a forum. This fake forum page employs social engineering tactics to entice the user to click on a direct download link for the desired document file.
Figure 5. An overlay page is rendered that mimics a forum with the exact topic the user searched for. The deceptive tactic aims to lure the user into clicking the link without realizing its true malicious nature.
As the compromised WordPress website is under the control of malicious actors, a cloaking mechanism is employed to prevent loading for non-target users like security researchers, and other prying eyes. The server-side PHP script checks a set of conditions, including that:
- The user's IP address has not previously visited the website.
- The visitor has not logged into the website's WordPress login page.
- The IP address geolocation indicates that the visitor is from specific countries, such as the USA, Australia, Canada, and other English-speaking countries. It also targets users from countries like South Korea and Germany.
- The user's browser is running on a Windows operating system.
- The visitor is not identified as a bot crawler.
- The visitor should be referred by the search engine.
When a non-target user visits the page, a fake blog entry will be loaded to give the appearance of benign content.
Figure 6. Benign blog content is shown when a non-target user visits the page.
When the user clicks on the download link within the fake forum, they are redirected to another WordPress webpage, typically identified by the PHP path ‘download.php,’ which is also controlled by the attacker. The visitor’s information is similarly checked, and when the conditions are satisfied, a ZIP file will be provided for download. The filename of the ZIP file is derived from the user’s search keyword.
Figure 10. Downloaded ZIP file
Gootloader’s Execution Flow Overview
Before we explore the intricate mechanisms of Gootloader, the following diagram presents an overview of its attack flow.
Figure 12. Overview of the Gootloader’s attack flow
Hiding the Malicious Code
Figure 13. Obfuscated strings dispersed throughout the code.
Figure 14. The strings are concatenated into one block of code then undergoes a decoding routine before it executes it.
Figure 15. By concatenating the individual string chunks, a single encoded string blob is formed.
To decode the encoded blob of string, we can follow this procedure:
- Firstly, we extract all the characters at even positions and concatenate them to form a string. This resulting string is then reversed, representing the first half of the decoded Jscript code.
- Next, we gather all the characters at odd positions, join them to create another string, and append it to the previously obtained first half of the code.
The following Python code below provides an approach to decode the string:
Figure 16. Python code snippet to decode the string
We have also written a CyberChef operation called “Gootloader Decode” that can decode this encoded string blob, and then we can decode it with the CyberChef recipe as shown in the screenshot below. You can download our CyberChef fork from here: https://github.com/drole/CyberChef
Figure 17. Our Gootloader decode Cyberchef operation and recipe to decode the strings
Installation and Persistence
Breaking down the script, the key steps are:
- First it checks if the drop file does not already exist in a determined subfolder within %appdata%.
- If the drop file doesn't exist, it creates a text file handle and opens the file in write mode.
- The payload script is then written to the drop file.
- Random character padding is generated and written to the end of the file - this will bloat the file size to approximately 40 MB.
- The drop file's name is set to the JS file name (in this example Oracle Coherence.js).
- A new scheduled task is created using a predefined task name “Anger Management”.
- Task settings start availability is set to true and visibility is configured to hide.
- A trigger is set upon user login.
- An action is created for the task, specifying the dropped script to run.
- The new task is registered with the scheduled task root folder.
- The scheduled task is retrieved by name.
- The scheduled task is executed.
The malware employs a semi-randomized strategy to select a subfolder within the Application Data (%APPDATA%) directory for dropping the malicious file. It begins by enumerating the subfolders present in the %APPDATA% folder. Then, it utilizes a formula that relies on the total number of subfolders to determine the appropriate target subfolder. In this particular malware sample, the calculation involved is as follows:
The resulting value of the index is used to identify the target subfolder within which the malware file will be placed.
For this instance, if there are 10 subfolders within the infected machine’s %Appdata% directory, the following calculation is performed:
The folder index result is 1, indicating that the payload will be dropped in the second subfolder within the %Appdata% directory, as counting starts from zero as the base number.
PowerShell Reconnaissance and Stager
The conditions are as follows:
- If the script is running with cscript, the PowerShell command is executed using the WScript.shell object.
- If the script is running with wscript, the command runs the cscript.exe executable. It includes arguments for the script's full name and path. The script is opened with the "open" parameter, while the window is hidden.
The PowerShell script enters a loop where it sleeps for 20 seconds between iterations. Within this loop, it randomly selects a URL from a predefined list of URLs to connect to.
Figure 19. List of URLs hardcoded in the script
Before establishing the connection, the script collects system information, including:
- Environment paths
- Windows OS version
- Running process names
- Titles of all open windows
- List of Windows desktop items and files
- Disk information and disk space usage
To gather this information, the script utilizes the WMI (Windows Management Instrumentation) and “gps” (Get-Process) PowerShell commands.
Each piece of collected information is compressed using GZIP and then encoded with Base64. The stolen information is then sent to the URL via the HTTP Cookie header.
A user-agent is also added in the HTTP header:
The PowerShell script anticipates a response from the remote hosts containing additional PowerShell code that is then executed on the local system.
Second Stage PowerShells
Once a successful connection is established with the attacker-controlled host, subsequent PowerShell commands are executed. The specific PowerShell commands invoked in this context will depend on the configuration set by the Gootloader service clients. As Gootloader operates as malware-as-a-service, the exact nature of the PowerShell commands may vary depending on the preferences chosen by Gootloader’s clients.
Here are the post infection PowerShell codes that we encountered:
- Job Receiver: A PowerShell script that waits and receives other PowerShell script jobs from the attacker. Results from these jobs are exfiltrated back to the attacker.
- Network Scanner: A PowerShell script that conducts network scans and fingerprinting of the local network, specifically examining if SMB (Server Message Block) and Windows Remote Management are open.
- Remote Command Execution: This PowerShell script establishes a TCP connection with a predetermined host. It sets up a network stream for reading and writing, allowing the infected host to receive commands from the remote host. The script executes the received commands locally on the infected host and sends the results back to the attacker.
Gootloader's SEO poisoning watering hole technique targeting legal-related search terms represents a significant threat to organizations or even individuals, seeking legal information online. By manipulating search engine results and luring unsuspecting users to compromised websites, Gootloader takes advantage of users' trust in search results to deliver malicious payloads.
We have also delved into various aspects of Gootloader’s mechanism and examined the techniques employed by the actors behind it. A noteworthy aspect employed by this attack is the clever implementation of the cloaking mechanism. As it only loads and presents the fake forum to target users, this technique is a challenge for security researchers to detect and identify it. In addition to these, Gootloader also uses obfuscation in every stage of the attack adding layers of complexity.
File Name Hash Type Hashes
technical services and spares supply agreement 35528.js SHA256
File Name Hash Type Hashes
technical services and spares supply agreement 35528.zip SHA256
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/22.214.171.124 Safari/537.36