{"id":25429,"date":"2024-11-06T05:20:54","date_gmt":"2024-11-06T13:20:54","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/11\/06\/news-19159\/"},"modified":"2024-11-06T05:20:54","modified_gmt":"2024-11-06T13:20:54","slug":"news-19159","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/11\/06\/news-19159\/","title":{"rendered":"Bengal cat lovers in Australia get psspsspss\u2019d in Google-driven Gootloader campaign"},"content":{"rendered":"

Credit to Author: gallagherseanm| Date: Wed, 06 Nov 2024 11:30:41 +0000<\/strong><\/p>\n

\n

Once used exclusively by the cybercriminals behind REVil ransomware and the Gootkit banking trojan, GootLoader and its primary payload have evolved into an initial access as a service platform\u2014with Gootkit providing information stealing capabilities as well as the capability to deploy post-exploitation tools and ransomware.<\/p>\n

GootLoader is known for using search engine optimization (SEO) poisoning for its initial access. Victims are often enticed into clicking on malicious adware or links disguised as legitimate marketing, or in this case a legitimate Google search directing the user to a compromised website hosting a malicious payload masquerading as the desired file. If the malware remains undetected on the victim\u2019s machine, it makes way for a second-stage payload known as GootKit, which is a highly evasive info stealer and remote access Trojan (RAT) used to establish a persistent foothold in the victim’s network environment.\u00a0 GootKit can be used to deploy ransomware or other tools, including Cobalt Strike, for follow-on exploitation.<\/p>\n

Detection of a new GootLoader variant actively being used by adversaries earlier this year led to a broad threat hunting campaign by Sophos X-Ops MDR for GootLoader instances across customer environments. As is typical of Gootloader, the new variant was found to be using SEO poisoning\u2014the use of search engine optimization tactics to put malicious websites controlled by GootLoader’s operators high in the results for specific search terms\u2014to deliver the new, JavaScript-based Gootloader package.\u00a0 In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: “Are Bengal Cats legal in Australia?”<\/p>\n

During the threat hunt campaign, MDR discovered a .zip archive used to deliver\u00a0 GootLoader’s first-stage payload while reviewing an impacted user’s browser history. This allowed MDR to identify the compromised website that was hosting the malicious payload. This report highlights the MDR investigation process and the technical details of the uncovered GootLoader campaign.<\/p>\n

Technical Analysis and Identification<\/h2>\n

First-stage payload<\/h3>\n

On March 27, 2024, the MDR team performed a proactive threat hunting campaign across multiple customers estates, following recently reported identification of a new GootLoader variant being actively exploited in the wild.<\/p>\n

Our investigation revealed the threat actor was using SEO poisoning through an easily accessed online forum found via a simple Google search, initiated by the user for ‘Do you need a license to own a Bengal cat in Australia’. The first search result took us to this URL:<\/p>\n

 hxxps[:\/\/]ledabel[.]be\/en\/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations\/#:~:text=Each%20state%20and%20territory%20in,to%20keep%20them%20as%20pets.<\/pre>\n
Immediately after the user clicks the link, a suspicious .zip file was downloaded to C:Users<Username>DownloadsAre_bengal_cats_legal_in_australia_33924.zip onto the victim’s machine, and the user’s browser was directed to the URL\u00a0 hxxps:[\/\/]www[.]chanderbhushan[.]com\/doc[.]php.<\/p>\n
\"Figure<\/a>
Figure 1: An SEO-poisoned site hosting a malicious .zip file<\/figcaption><\/figure>\n
Second-stage payload<\/h3>\n
Upon review of the running processes, we were able to determine that a small JavaScript file was dropping a large JavaScript file at the location C:Users<Username>AppDataRoamingMicrosoft on the user\u2019s machine. During our testing, the large JavaScript file generated by the malicious site and its name, downloaded to the user’s %temp% directory, were different each time the initial JavaScript was executed. The file we observed in this case was named Temp1_Are_bengal_cats_legal_in_australia_33924.zipare_bengal_cats_legal_in_australia_80872.js.<\/p>\n
We additionally observed the creation of a scheduled task named “Business Aviation” with the command line “wscript REHABI~1.JS” (as shown in Figure 3). This was suspected to be a persistence method in which the threat actor was utilizing WScript.exe to execute the second-stage payload of GootKit.<\/p>\n
\"Figure<\/a>
Figure 2: A log of running processes, including the execution of wscript.exe to launch the second stage via a scheduled task.<\/figcaption><\/figure>\n
\"Figure<\/a>
Figure 3: A scheduled task is created to launch the second stage JavaScript.<\/figcaption><\/figure>\n
We also noted the utilization of the command C:WindowsSystem32cscript.exe REHABI~1.JS spawning PowerShell.exe, as shown in Figure 4. The cscript.exe command line tool is specific to Windows Server. The commands passed to PowerShell were not captured in this case.<\/p>\n
\"Figure<\/a>
Figure 4: A PowerShell command line spawned by CScript<\/figcaption><\/figure>\n
However, examining the URL history, we observed PowerShell.exe reaching out to the following domains, as shown in Figure 5.\u00a0Third-stage payload<\/p>\n
In the case the MDR team examined, our team did not observe the third stage being successful in reaching a full deployment of GootKit, preventing the download of any additional malicious tooling. This stage typically is where the deployment of additional tools such as Cobalt Strike occurs, or when ransomware is added to the victim\u2019s machine.<\/p>\n
Malware Triage<\/h2>\n
Static Analysis<\/h3>\n
MDR performed a static analysis of the of the .zip sample obtained from the malicious URL hxxps[:\/\/]ledabel[.]be\/en\/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations\/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia. Within the zip file was a JavaScript named “are bengal cats legal in australia 72495.js”.<\/p>\n
As we noted above, the JavaScript’s name is modified each time the file is downloaded with a different concluding numerical sequence. This was also observed when extracting the small JavaScript from the zip file, as shown in Figure 6. For example, users may observe a filename with are bengal cats legal in australia 75876.zip instead, when attempting to obtain a sample from the malicious URL.<\/p>\n
\"Figure<\/a>
Figure 6:\u00a0 Sandboxed browser (Browserling) results when accessing the website and clicking on the malicious hyperlinked URL<\/figcaption><\/figure>\n
A string analysis of the dropped file was not useful in identifying its intent, as the JavaScript was heavily obfuscated\u2014as is common in Gootloader samples. The script also included boilerplate licensing comments to make it appear to be a legitimate JavaScript, as shown in Figure 7.<\/p>\n
\"Figure<\/a>
Figure 7: The Strings output of are bengal cats legal in australia 72495.js<\/figcaption><\/figure>\n
However, Strings analysis of the secondary larger JavaScript that was downloaded into C:Users<Username>AppDataRoamingNotepad++Small Unit Tactics.js revealed a heavily obfuscated script, as shown in Figure 8.<\/p>\n
\"\"<\/a>
Figure 8: The Strings output of C:Users\\AppDataRoamingNotepad++Small Unit Tactics.js<\/figcaption><\/figure>\n
MDR used a Python script created by Mandiant for auto-decoding of GootLoader JavaScript<\/a> to statically analyze the initially downloaded Are_bengal_cats_legal_in_australia_72495.js. As shown in Figure 9, the file was identified as Gootloader variant 3.0 through the obfuscation method, where the first file created was named Huthwaite SPIN selling.dat followed by Small Units Tactics.js and Scheduled Task named Destination Branding. The decoder also identified various malicious domain names within the obfuscated strings.<\/p>\n
\"Figure<\/a>
Figure 9:\u00a0 Mandiant\u2019s python script for auto-decoding GootLoader\u2019s JavaScript\u00a0 displays the output of Are_bengal_cats_legal_in_australia_72495.js<\/figcaption><\/figure>\n
Dynamic analysis<\/h3>\n
\"Figure<\/a>
Figure 10: The process Monitor CreateFile event for WScript.exe upon execution of Are_bengal_cats_legal_in_australia_72495.js<\/figcaption><\/figure>\n
Various dynamic analysis tools were utilized to examine the behavior of the malicious JavaScript. Upon execution, WScript.exe was observed creating the first file located within C:Users<Username>AppDataRoamingNotepad++ , as shown in Figure 10. Despite being observed via Windows Sysinternals Process Monitor with a CreateFile event, this was not written to disk and no deletion event was seen.\u00a0
 <\/i><\/p>\n
Shortly after Wscript.exe executed Are_bengal_cats_legal_in_australia_72495.js, Process Hacker showed CScript.exe and Powershell.exe being created with a conhost.exe spawned, as shown in Figure 11. MDR observed that Wscript.exe would terminate, followed by Cscript.exe that would also terminate shortly after, after which Powershell.exe was created.<\/p>\n
\"Figure<\/a>
Figure 11: Process behavior observed within Source Forge’s Process Hacker<\/figcaption><\/figure>\n
Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding (with command line wscript SMALLU ~1.js , as shown in Figure 12). During the lab analysis, the secondary JavaScript can be dropped within any folders located within C:Users<Username>AppDataRoaming<at any existing folder>.<\/p>\n
\"Figure<\/a>
Figure 12: Process Hacker process properties and Scheduled Task creation\u00a0(click to enlarge)<\/figcaption><\/figure>\n
MDR\u00a0 conducted network and C2 examinations using Wireshark and FakeNet<\/a> to perform a network capture during the execution of Are_bengal_cats_legal_in_australia_72495.js. FakeNet showed various domain names being reached out to with GET \/xmlrpc.php HTTP\/1.1 requests via Powershell.exe. The requests contained Base64-encoded cookies which, when decoded, showed enumeration information regarding device directories and host information such as the folder path of C:Users<Username>AppDataRoaming , as shown in Figure 13. As shown below, the process would read USERNAME and USER DOMAIN information and send the data to the URIs.<\/p>\n