惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
T
Troy Hunt's Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Vercel News
Vercel News
T
Threatpost
G
Google Developers Blog
T
Threat Research - Cisco Blogs
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
The Exploit Database - CXSecurity.com
H
Heimdal Security Blog
Google DeepMind News
Google DeepMind News
Cyberwarzone
Cyberwarzone
T
The Blog of Author Tim Ferriss
Know Your Adversary
Know Your Adversary
Hacker News: Ask HN
Hacker News: Ask HN
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Schneier on Security
B
Blog
V2EX - 技术
V2EX - 技术
NISL@THU
NISL@THU
C
CERT Recently Published Vulnerability Notes
W
WeLiveSecurity
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Y
Y Combinator Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Spread Privacy
Spread Privacy
The Last Watchdog
The Last Watchdog
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
Blog — PlanetScale
Blog — PlanetScale
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
S
Security @ Cisco Blogs
人人都是产品经理
人人都是产品经理
爱范儿
爱范儿
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
Project Zero
Project Zero
I
Intezer
罗磊的独立博客
H
Hackread – Cybersecurity News, Data Breaches, AI and More
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - Franky
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler

Jerome Segura – ThreatDown by Malwarebytes

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns SmartApeSG walkthrough ClearFake walkthrough - ThreatDown by Malwarebytes Threat actors ride the hype for newly released Arc browser - ThreatDown by Malwarebytes A peek inside a malvertising campaign - ThreatDown by Malwarebytes FakeBat - ThreatDown by Malwarebytes Nitrogen - ThreatDown by Malwarebytes LockBit Black - ThreatDown by Malwarebytes Corporate users targeted via malicious ads and modals - ThreatDown by Malwarebytes
Gootloader walkthrough - ThreatDown by Malwarebytes
Jerome Segura · 2024-05-22 · via Jerome Segura – ThreatDown by Malwarebytes

Gootloader, tested on May 21, 2024

Distribution (SEO poisoning->fake forum->zip->.JS->PowerShell)

A large number of legitimate websites have been compromised and are being used by a threat actor to distribute Gootloader. The technique is known as search engine optimization (SEO) poisoning where victims search for specific keywords and get links to those compromised sites within the search results page (SERP). The malware is downloaded from a fake forum page and results in the execution of a script, followed by a call back to the command and control servers. Attackers can then deploy further tooling to exfiltrate data or perform any other action of their liking.

To replay the Gootloader chain, we start by crafting a search for the keyword ‘contract’:

We visit the top result and are immediately redirected to a decoy page that looks like a forum posting:

The lure is in the download link, supposedly from the site’s administrator. It’s worth noting that the same decoy template has been used for years and therefore is a good visual cue indicating a Gootloader compromise.

The download is a zip archive containing a single JavaScript file:

The threat actor uses obfuscation techniques and mixes malicious code with legitimate parts to hide the file’s intent:

Process flow

The first malicious script is responsible for creating persistence via the Task Scheduler. At logon, a second script located in a path under %appdata%\Roaming will be executed.

Finally, PowerShell is executed with attempts to connect to the threat actor’s command and control servers.

Summary

Network traffic

Process flow

wscript.exe "C:\Users\Admin\AppData\Local\Temp\call and put contracts 16318.js"
C:\Windows\system32\wscript.EXE GLOBAL~1.JS
"C:\Windows\System32\cscript.exe" "GLOBAL~1.JS"
powershell

Protection

ThreatDown EDR recorded the following events:

Malicious JavaScript

PowerShell execution

Mitigations

Gootloader continues to target corporate users by leveraging compromised websites that rank high in Google search results. The technique, known as SEO poisoning, is the first step in the infection chain which involves social engineering.

Script execution monitoring is critical to detecting initial access and stop the malware from calling back to its malicious infrastructure. Staying up to date with Gootloader’s C2 servers also enables organizations to prevent data exfiltration.

Did you like this walkthough? For more, check out our index page here.

Indicators of Compromise (IOCs)

Gootloader zip URL

clintkustoms[.]com/manual.php

Zip

Call_and_put_contracts_70199.zip
2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35

Script

call and put contracts 16318.js
f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b

Task scheduler script

GLOBAL~1.JS
a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8

C2s

virdo[.]ir
shoreditchtownhall[.]com
spst[.]in
budgetvm[.]com
montebello6[.]se
sachverstaendiger-fenster[.]net
ashleyhomeonline[.]com
pureapks[.]xyz
ebtekarsteel[.]com
theclose[.]com