The cybercriminal gang behind the Gootkit Trojan is expanding its malware distribution activities and is improving its multi-stage distribution platform to deliver additional threats.
The loader now uses advanced techniques that include fileless execution, memory injection and components written in different programming languages.
Over the past several years many Trojans evolved into malware distribution platforms by entering partnerships with ransomware gangs or by developing their own ransomware. Some well-known relationships are TrickBot and Ryuk or Dridex and WastedLocker. Gootkit is no exception and followed a similar path.
More recently, security researchers have seen the first stage of Gootkit—the so-called loader component—being used to distribute the Kronos Trojan and Cobalt Strike, a commercial post-exploitation agent developed for penetration testing but increasingly adopted by cybercriminals.
Gootloader and search engine result poisoning
According to a report by researchers from antivirus vendor Sophos, the Gootkit loader, dubbed Gootloader, has seen many improvements recently. The malware typically lands on computers after users visit maliciously crafted web pages by following Google search results.
The hijacking of Google search results by using legitimate but compromised websites to game the ranking algorithm is not a new technique. A decade ago, it was called black hat search engine optimisation (BHSEO), but the Sophos researchers have now dubbed it search engine deoptimisation.
To achieve this, the attackers use a network of around 400 legitimate websites with good reputation and search ranking that have been compromised and had malicious code injected into them. They then use their control over those sites to push them high in the search results for specific queries. This is much easier to achieve than targeting generic or popular search terms.
Some examples of targeted search queries include: "Do I need a party wall agreement to sell my house," "intercompany agreement chart alberta," "employee retention bonus agreement template," "cisco wpa agreement," "columbia free trade agreement certificate of origin." The attackers also target search queries in German, Korean, and French.
The malicious code on the compromised websites serves content related to such terms to search engine robots that index them, even though the intended purpose and the original content on those websites has nothing to do with the targeted terms.
Once a search engine user clicks on a poisoned result, the code on the infected website checks their IP location, whether they came from Google based on their referrer header, their operating system version and language preference, and whether it's their first visit to the website.
If the attackers' intended criteria is met, the target sees a page that mimics a discussion forum where a supposed user asked a question related to their search query and then an administrator answered with a link. This fake page has versions in different languages and users see the one that corresponds to their location.
The name of the .js file is the same as the user's search query, so different victims receive differently named files. This and the use of a fake message board where an alleged administrator responds to a question about the topic the user was interested in shows that the attackers are well versed in social engineering tactics.
Multi-stage fileless execution
The attackers went to great lengths to obfuscate the malicious code inside Gootloader .js file to complicate detection and manual analysis. If executed successfully, the file downloads a secondary payload from a command-and-control server and loads it directly in memory.
This second-stage component contains a blob of encoded data that it writes to the system registry. It then creates a Windows scheduled task that decodes the registry data and executes it as PowerShell code when the system is rebooted. This is part of the malware's persistence mechanism and does not involve files stored on the file system itself.
The PowerShell payload executed at system restart downloads additional payloads that are also stored in the registry as data. One of them is a C# executable and another is a .NET executable whose data in registry is obfuscated using a substitution cipher.
The purpose of .NET loader is to drop yet another loader written in Delphi that then drops the final payload—Gootkit, REvil, Kronos or Cobalt Strike. However, the execution of the Delphi loader is not straightforward.
First, the .NET loader launches a benign application called ImagingDevices.exe, an innocent system component installed by default on Windows, or another benign application called the Embarcadero External Translation Manager that is digitally signed by its publisher.
Once one of these benign applications are loaded in memory, the loader uses a technique known as process hollowing techniques to replace their memory contents with those of the malicious Delphi loader.
"A criminal, ultimately, is just trying to buy a few minutes-to-hours of time remaining undetected to permit the attack to proceed without interference from endpoint protection software," the Sophos researchers said. "Instead of actively attacking the endpoint tools, as some malware distributors do, the creators of Gootloader have traded the more aggressive approach for a technique that’s closer to a massive setup of dominoes that conceal the end result."
That said, there are multiple opportunities to detect and block the attack during the infection chain, starting with enabling Windows to show file extensions and teaching users not to execute .js files.
Security solutions that detect malicious behaviour rather than relying fully on file signatures can also catch some of the components at different stages, like the scheduled task or the unusual registry entries. Sophos has also published indicators of compromise on GitHub.