Gootloader: Why your Legal Document Search May End in Misery

Introduction

Recently, we’ve seen a noticeable surge in malware cases linked to a malicious payload delivery system known as Gootloader. The group behind this malware is believed to operate a malware-as-a-service operation, exclusively providing a malware delivery service for other threat actors.

This malware has gained notoriety due to its exploitation of compromised WordPress sites for malware distribution and its utilization of SEO (Search Engine Optimization) poisoning techniques to achieve high rankings in web search results.

Particularly concerning is the fact that a significant portion of these cases involves  law firms.

Figure 1. Gootloader malware investigations by industry

In this blog, we discuss why Gootloader has become very effective, and we will deep dive into its inner workings and shed light on the tactics employed by the operators behind it.

SEO poisoning

The initial vector of this attack utilizes a technique called Search Engine Optimization (SEO) poisoning to lure victims into downloading the malicious payload.

Typically, it all starts with a seemingly harmless search for supply agreement documents that lead to the compromised WordPress webpages controlled by Gootloader actors:

Figure 2. Example of a search query that leads to a SEO poisoned webpage

We collected a bunch of search queries that lead to the compromised websites and identified the keywords utilized by this malware group, revealing a predominant SEO keyword focus on legal documents such as “agreements”, “contracts”, and  “forms”. This watering hole strategy theme appears to be successful - most cases we receive related to this malware are from our clients in law offices and legal firms.

These are some of the SEO search terms utilized in this campaign. While the majority of the keywords are in English, the campaign also targets the French, Spanish, Portuguese, German, and South Korean languages.

Figure 3. Samples of search keywords that leads to Gootloader infected websites

Figure 4. The word cloud displays the most frequently used terms in this campaign mostly related to legal agreements and other law/legal inquiries.

When visiting a poisoned link from the search engine result, the user will be directed to a page that mimics a forum. This fake forum page employs social engineering tactics to entice the user to click on a direct download link for the desired document file.

Figure 5. An overlay page is rendered that mimics a forum with the exact topic the user searched for. The deceptive tactic aims to lure the user into clicking the link without realizing its true malicious nature.

As the compromised WordPress website is under the control of malicious actors, a cloaking mechanism is employed to prevent loading for non-target users like security researchers, and other prying eyes. The server-side PHP script checks a set of conditions, including that:

• The user's IP address has not previously visited the website.
• The visitor has not logged into the website's WordPress login page.
• The IP address geolocation indicates that the visitor is from specific countries, such as the USA, Australia, Canada, and other English-speaking countries. It also targets users from countries like South Korea and Germany.
• The user's browser is running on a Windows operating system.
• The visitor is not identified as a bot crawler.
• The visitor should be referred by the search engine.

When a non-target user visits the page, a fake blog entry will be loaded to give the appearance of benign content.

Figure 6. Benign blog content is shown when a non-target user visits the page.

Upon inspecting the page's source, it becomes evident that an external JavaScript is being loaded. This obfuscated JavaScript is responsible for overlaying the fake forum page once the visitor's conditions are fulfilled.

Figure 7. An external Javascript is loaded, which is dynamically generated by a PHP code on the server side. This particular Javascript is responsible for overlaying a fake forum.

As shown in Figure 7, the URL parameter for the external JavaScript generally adheres to a recognizable query string pattern. It begins with a key that starts with "?a" followed by six hexadecimal characters, an equal sign, and a value comprising of six to seven digits.

Figure 8. Few examples of the injected JavaScript URL we extracted from other compromised WordPress webpages

Figure 9. The JavaScript is designed to generate an HTML page that simulates a forum and overlay it when specific visitor conditions are fulfilled. This JavaScript is obfuscated to avoid detection.

When the user clicks on the download link within the fake forum, they are redirected to another WordPress webpage, typically identified by the PHP path ‘download.php,’ which is also controlled by the attacker. The visitor’s information is similarly checked, and when the conditions are satisfied, a ZIP file will be provided for download. The filename of the ZIP file is derived from the user’s search keyword.

Figure 10. Downloaded ZIP file

The ZIP file however does not contain the intended file that the user was expecting. Instead, it conceals a malicious .JS file, cleverly hidden within a legitimate JavaScript library. For instance, the screenshot below shows an instance where malicious code has been injected into the trustworthy JavaScript framework known as Material Design Lite.

Figure 11. Comparison of the legitimate and trojanized JavaScript library

Gootloader’s Execution Flow Overview

Before we explore the intricate mechanisms of Gootloader, the following diagram presents an overview of its attack flow.

Figure 12. Overview of the Gootloader’s attack flow

Hiding the Malicious Code

The JavaScript file found within the downloaded ZIP file acts as an installer and launcher for subsequent payload scripts. It leverages a legitimate open-source JavaScript library to mask the presence of malicious code, which is chunked and dispersed throughout the legitimate library in numerous fragments of obfuscated strings. In the end, a specific function is responsible for gathering all these string chunks, combining them, deobfuscating the concealed code and executing it.

Figure 13. Obfuscated strings dispersed throughout the code.

Figure 14. The strings are concatenated into one block of code then undergoes a decoding routine before it executes it.

Figure 15. By concatenating the individual string chunks, a single encoded string blob is formed.

To decode the encoded blob of string, we can follow this procedure:

• Firstly, we extract all the characters at even positions and concatenate them to form a string. This resulting string is then reversed, representing the first half of the decoded Jscript code.
• Next, we gather all the characters at odd positions, join them to create another string, and append it to the previously obtained first half of the code.

The following Python code below provides an approach to decode the string:

Figure 16. Python code snippet to decode the string

We have also written a CyberChef operation called “Gootloader Decode” that can decode this encoded string blob, and then we can decode it with the CyberChef recipe as shown in the screenshot below. You can download our CyberChef fork from here: https://github.com/drole/CyberChef

Figure 17. Our Gootloader decode Cyberchef operation and recipe to decode the strings

Installation and Persistence

Upon decoding the first stage of JavaScript, the hidden code reveals the installation of malware, its persistence mechanisms, and the execution of subsequent scripts.

Figure 18. Deobfuscated and beautified initial stage of JavaScript code.

Breaking down the script, the key steps are:

1. First it checks if the drop file does not already exist in a determined subfolder within %appdata%.
2. If the drop file doesn't exist, it creates a text file handle and opens the file in write mode.
3. The payload script is then written to the drop file.
4. Random character padding is generated and written to the end of the file - this will bloat the file size to approximately 40 MB.
5. The drop file's name is set to the JS file name (in this example Oracle Coherence.js).
6. A new scheduled task is created using a predefined task name “Anger Management”.
7. Task settings start availability is set to true and visibility is configured to hide.
8. A trigger is set upon user login.
9. An action is created for the task, specifying the dropped script to run.
10. The new task is registered with the scheduled task root folder.
11. The scheduled task is retrieved by name.
12. The scheduled task is executed.

The malware employs a semi-randomized strategy to select a subfolder within the Application Data (%APPDATA%) directory for dropping the malicious file. It begins by enumerating the subfolders present in the %APPDATA% folder. Then, it utilizes a formula that relies on the total number of subfolders to determine the appropriate target subfolder. In this particular malware sample, the calculation involved is as follows:

The resulting value of the index is used to identify the target subfolder within which the malware file will be placed.

For this instance, if there are 10 subfolders within the infected machine’s %Appdata% directory, the following calculation is performed:

The folder index result is 1, indicating that the payload will be dropped in the second subfolder within the %Appdata% directory, as counting starts from zero as the base number.

PowerShell Reconnaissance and Stager

After the JavaScript file is dropped, the attack proceeds to execute a PowerShell command. This command is included within the dropped JS file itself. The code contains a hardcoded PowerShell snippet that is executed based on whether the script is running with ‘cscript’ or ‘wscript’.

The conditions are as follows:

• If the script is running with cscript, the PowerShell command is executed using the WScript.shell object.
• If the script is running with wscript, the command runs the cscript.exe executable. It includes arguments for the script's full name and path. The script is opened with the "open" parameter, while the window is hidden.

The PowerShell script enters a loop where it sleeps for 20 seconds between iterations. Within this loop, it randomly selects a URL from a predefined list of URLs to connect to.

Figure 19. List of URLs hardcoded in the script

Before establishing the connection, the script collects system information, including:

• Environment paths
• Windows OS version
• Running process names
• Titles of all open windows
• List of Windows desktop items and files
• Disk information and disk space usage

To gather this information, the script utilizes the WMI (Windows Management Instrumentation) and “gps” (Get-Process) PowerShell commands.

Each piece of collected information is compressed using GZIP and then encoded with Base64. The stolen information is then sent to the URL via the HTTP Cookie header.

A user-agent is also added in the HTTP header:

The PowerShell script anticipates a response from the remote hosts containing additional PowerShell code that is then executed on the local system.

Second Stage PowerShells

Once a successful connection is established with the attacker-controlled host, subsequent PowerShell commands are executed. The specific PowerShell commands invoked in this context will depend on the configuration set by the Gootloader service clients. As Gootloader operates as malware-as-a-service, the exact nature of the PowerShell commands may vary depending on the preferences chosen by Gootloader’s clients.

Here are the post infection PowerShell codes that we encountered:

1. Job Receiver: A PowerShell script that waits and receives other PowerShell script jobs from the attacker. Results from these jobs are exfiltrated back to the attacker.
2. Network Scanner: A PowerShell script that conducts network scans and fingerprinting of the local network, specifically examining if SMB (Server Message Block) and Windows Remote Management are open.
3. Remote Command Execution: This PowerShell script establishes a TCP connection with a predetermined host. It sets up a network stream for reading and writing, allowing the infected host to receive commands from the remote host. The script executes the received commands locally on the infected host and sends the results back to the attacker.

Wrapping up

Gootloader's SEO poisoning watering hole technique targeting legal-related search terms represents a significant threat to organizations or even individuals, seeking legal information online. By manipulating search engine results and luring unsuspecting users to compromised websites, Gootloader takes advantage of users' trust in search results to deliver malicious payloads.

We have also delved into various aspects of Gootloader’s mechanism and examined the techniques employed by the actors behind it. A noteworthy aspect employed by this attack is the clever implementation of the cloaking mechanism. As it only loads and presents the fake forum to target users, this technique is a challenge for security researchers to detect and identify it. In addition to these, Gootloader also uses obfuscation in every stage of the attack adding layers of complexity. 

IoCs

File Name            Hash Type           Hashes

technical services and spares supply agreement 35528.js SHA256

                0afe27f33637dbb8c7aea69e1cb91b4eace2a0840bb819e30ab089221fb35d36

                SHA1     d812feccb9172dd0ecc6190f025f0a3f17208379

                MD5      96cf6b2e9e27db0c03b06fbc06b81854

File Name            Hash Type           Hashes

technical services and spares supply agreement 35528.zip             SHA256

                5bdc36838cfae33bbcc027be7e70228fb76d35828d1a21b8b53f2413598634e0

                SHA1     ae4c425e8139dba850bcf978f6e889d10df45a7a

                MD5      799f0f4b22c273bbe07790e7fa8c0c68

URLs:

https://projectspace.org.hk/technical-services-and-spares-supply-agreement/

https://projectspace.org.hk/?a96fc4b=1976965

https://drachtstercompagnie.frl/download.php

https://druczki.pl/download.php

https://camtel.cosavostra.com/xmlrpc.php

https://civpro.io/xmlrpc.php

https://construtoraconarte.com.br/xmlrpc.php

https://bqrc.es/xmlrpc.php

https://healthforcesuperfoods.com/xmlrpc.php

https://tangibleinvestmentsinc.com/xmlrpc.php

https://mixzote.com/xmlrpc.php

https://savealot.com/xmlrpc.php

https://cartoongoodies.com/xmlrpc.php

https://organizingengagement.org/xmlrpc.php

https://cargillfeed.com.vn/xmlrpc.php

https://fidgettoyskopen.nl/xmlrpc.php

https://blackwoolholiday.com/?a720f8d=1373769

https://themasterpiececollection.com/?a2229be=4703335

https://projectspace.org.hk/?a96fc4b=1573747

https://stelizabethcarlisle.com/?a252a96=2053315

https://zlatazimovets.com/?ab0be3b=105129

https://zhangyiou.cn/?ad62686=1893329

https://zetorzsolti.hu/?a8f7196=1932151

http://www.usraslots.com/wordpress/?a820faa=1772155

http://www.venuesfor21stbirthdayparty.com/?aaba9b9=672485

http://fliesenschneider-test.net/?a8fc282=1236940

http://10dim-giann.pel.sch.gr/?a1ceef3=260967

User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36