惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

人人都是产品经理
人人都是产品经理
MyScale Blog
MyScale Blog
Y
Y Combinator Blog
罗磊的独立博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
Recorded Future
Recorded Future
N
News and Events Feed by Topic
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
博客园 - 叶小钗
B
Blog
Vercel News
Vercel News
T
Tenable Blog
T
The Exploit Database - CXSecurity.com
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Last Week in AI
Last Week in AI
F
Fortinet All Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
S
Securelist
Microsoft Azure Blog
Microsoft Azure Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
D
DataBreaches.Net
Cyberwarzone
Cyberwarzone
Engineering at Meta
Engineering at Meta
Martin Fowler
Martin Fowler
G
GRAHAM CLULEY
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
CERT Recently Published Vulnerability Notes
L
LangChain Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Check Point Blog
A
About on SuperTechFans
W
WeLiveSecurity
The GitHub Blog
The GitHub Blog

Jerome Segura – ThreatDown by Malwarebytes

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns SmartApeSG walkthrough ClearFake walkthrough - ThreatDown by Malwarebytes Threat actors ride the hype for newly released Arc browser - ThreatDown by Malwarebytes A peek inside a malvertising campaign - ThreatDown by Malwarebytes FakeBat - ThreatDown by Malwarebytes Nitrogen - ThreatDown by Malwarebytes LockBit Black - ThreatDown by Malwarebytes Corporate users targeted via malicious ads and modals - ThreatDown by Malwarebytes
Gootloader walkthrough - ThreatDown by Malwarebytes
Jerome Segura · 2024-05-22 · via Jerome Segura – ThreatDown by Malwarebytes

Gootloader, tested on May 21, 2024

Distribution (SEO poisoning->fake forum->zip->.JS->PowerShell)

A large number of legitimate websites have been compromised and are being used by a threat actor to distribute Gootloader. The technique is known as search engine optimization (SEO) poisoning where victims search for specific keywords and get links to those compromised sites within the search results page (SERP). The malware is downloaded from a fake forum page and results in the execution of a script, followed by a call back to the command and control servers. Attackers can then deploy further tooling to exfiltrate data or perform any other action of their liking.

To replay the Gootloader chain, we start by crafting a search for the keyword ‘contract’:

We visit the top result and are immediately redirected to a decoy page that looks like a forum posting:

The lure is in the download link, supposedly from the site’s administrator. It’s worth noting that the same decoy template has been used for years and therefore is a good visual cue indicating a Gootloader compromise.

The download is a zip archive containing a single JavaScript file:

The threat actor uses obfuscation techniques and mixes malicious code with legitimate parts to hide the file’s intent:

Process flow

The first malicious script is responsible for creating persistence via the Task Scheduler. At logon, a second script located in a path under %appdata%\Roaming will be executed.

Finally, PowerShell is executed with attempts to connect to the threat actor’s command and control servers.

Summary

Network traffic

Process flow

wscript.exe "C:\Users\Admin\AppData\Local\Temp\call and put contracts 16318.js"
C:\Windows\system32\wscript.EXE GLOBAL~1.JS
"C:\Windows\System32\cscript.exe" "GLOBAL~1.JS"
powershell

Protection

ThreatDown EDR recorded the following events:

Malicious JavaScript

PowerShell execution

Mitigations

Gootloader continues to target corporate users by leveraging compromised websites that rank high in Google search results. The technique, known as SEO poisoning, is the first step in the infection chain which involves social engineering.

Script execution monitoring is critical to detecting initial access and stop the malware from calling back to its malicious infrastructure. Staying up to date with Gootloader’s C2 servers also enables organizations to prevent data exfiltration.

Did you like this walkthough? For more, check out our index page here.

Indicators of Compromise (IOCs)

Gootloader zip URL

clintkustoms[.]com/manual.php

Zip

Call_and_put_contracts_70199.zip
2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35

Script

call and put contracts 16318.js
f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b

Task scheduler script

GLOBAL~1.JS
a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8

C2s

virdo[.]ir
shoreditchtownhall[.]com
spst[.]in
budgetvm[.]com
montebello6[.]se
sachverstaendiger-fenster[.]net
ashleyhomeonline[.]com
pureapks[.]xyz
ebtekarsteel[.]com
theclose[.]com