A common entry point for Cobalt Strike into enterprises, Gootloader made significant changes to its execution flow in 2022.
Gootloader’s operators use a little drop of SEO poison to lure victims into downloading a malicious ZIP archive. Symptoms of a Gootloader infection might include Tom Waits-levels of rasp in your voice.
Gootloader is a JScript-based malware family that typically leverages SEO poisoning and compromised websites to lure victims into downloading a ZIP archive that poses as a document that the user has searched for. While we observed Gootloader detections in customer environments across multiple sectors in 2022, they almost always happened after victims accessed compromised websites that claimed to offer information on contracts or other legal or financial documents. Victims were likely directed to these sites after initiating queries in common search engines with keywords such as “agreement,” “contract,” and the names of various financial institutions. Given the volume of Gootloader detections and the range of victims, this threat is likely more opportunistic than targeted to a specific industry or organization. Accordingly, Gootloader remains a threat to all organizations.
Upon execution, Gootloader identifies whether the affected system is connected to an Active Directory domain before deploying multiple stages of JScript and PowerShell payloads that may eventually lead to threats such as Cobalt Strike, Gootkit, Osiris, or Sodinokibi ransomware. Unremoved Gootloader infections have a strong possibility of leading to larger-scale incidents resulting in data theft or ransomware.
Readers of past Threat Detection Reports may recall that we previously tracked Gootloader together with the related Gootkit payload. While Gootloader sometimes delivers Gootkit as a payload, we began distinguishing the two in 2022 because we observed that Gootloader sometimes delivered payloads other than Gootkit, such as Cobalt Strike, and often did not deliver a second-stage payload at all.
Adversaries using Gootloader in 2022 followed a consistent execution pattern, using wscript.exe and PowerShell command lines until around November, when they significantly changed multiple stages to use different Windows Registry keys for storage, a different process hierarchy, and more discovery commands. Some adversaries included cscript.exe for JScript execution instead of wscript.exe at some stages. This change enabled the adversary to spawn PowerShell without a command line to pipe in commands for execution via a StdIn stream. For more details, check out our blog from May (updated in November), which covers Gootloader activity in more depth.
To mitigate risks associated with the malicious JScript files used by Gootloader operators, we recommend preventing automatic execution of JScript files. You can do this by changing the default file associations for
To remove Gootloader components, stop any malicious instances of powershell.exe. Remove any malicious scheduled tasks for the victim user to remediate persistence on the host. If any payloads were stored within the Windows Registry or on disk, attempt to remove those payloads for full remediation. Examples of these registry keys include:
Windows Scripting Host executing JScript files
Victims nearly always download Gootloader samples inside a ZIP archive distributed by an adversary. The most common initial execution pattern is for the victim to double-click the ZIP archive and execute the JScript file within. This produces a command line similar to:
WScript.exe "C:\Users\[redacted]\AppData\Local\Temp\Temp1_simple_agreement_for_future_equity_9891.zip\simple agreement for future equity 95886.js"
This pattern is also seen across other script-based threats distributed within ZIP archives. To detect this entire class of threat, you can start with this logic and tune:
process == 'wscript.exe' && command_includes ('/(?i)appdata\\.*\.js')
Note: the asterisk signifies that we’re not looking for any particular filename.
Windows Scripting Host executing JScript files with MS-DOS short names
During execution, the Gootloader samples copy one stage to disk and persistently execute it using cscript.exe. During this procedure, the cscript.exe command line references the malicious script using an 8.3 short filename, which is an uncommon pattern. This produces a command line similar to:
To detect this threat you can start with this logic and tune:
process == 'cscript.exe' && command_includes '~1.js'
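Both starting-point rules above (the AppData .js pattern for Windows Script Host and the 8.3 short-name pattern for cscript.exe) expressed as Python over constructed process events, as an added example that is not Red Canary's own detection logic. It goes slightly beyond the text: the first rule also covers cscript.exe, the short-name rule accepts any ~N tail, and a word boundary keeps ".json" from matching; the rule names and sample paths are this example's assumptions.

```python
import re
from typing import Callable, Dict, List

# Hypothetical rules modelled on the two starting points in the report.
APPDATA_JS = re.compile(r"appdata\\.*\.js\b", re.IGNORECASE)  # \b stops ".json" matching
SHORT_NAME_JS = re.compile(r"~\d\.js\b", re.IGNORECASE)       # widens '~1.js' to any ~N tail
WSH_HOSTS = ("wscript.exe", "cscript.exe")  # some samples use cscript.exe instead of wscript.exe


def wsh_appdata_js(process: str, command_line: str) -> bool:
    """A Windows Script Host binary executing a .js file from under AppData."""
    return process.lower() in WSH_HOSTS and APPDATA_JS.search(command_line) is not None


def cscript_short_name_js(process: str, command_line: str) -> bool:
    """cscript.exe referencing its script by an MS-DOS 8.3 short name (NAME~1.JS)."""
    return process.lower() == "cscript.exe" and SHORT_NAME_JS.search(command_line) is not None


RULES: Dict[str, Callable[[str, str], bool]] = {
    "wsh_appdata_js": wsh_appdata_js,
    "cscript_short_name_js": cscript_short_name_js,
}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of every rule this process event triggers (empty list if nothing fires)."""
    return [name for name, rule in RULES.items() if rule(event["process"], event["command_line"])]


def run(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules, keeping only events with at least one hit."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed sample events (not real telemetry); the first reuses the report's command line
# with a placeholder username, the rest are invented to exercise the rules and their tuning.
SAMPLE_EVENTS = [
    {"process": "WScript.exe", "command_line":
     r'WScript.exe "C:\Users\user1\AppData\Local\Temp\Temp1_simple_agreement_for_future_equity_9891.zip\simple agreement for future equity 95886.js"'},
    {"process": "cscript.exe", "command_line":
     r'cscript.exe "C:\Users\user1\AppData\Roaming\CONTRA~1\AGREEM~1.JS"'},
    {"process": "wscript.exe", "command_line":
     r'wscript.exe "C:\Program Files\Vendor\maintenance.vbs"'},
    {"process": "wscript.exe", "command_line":
     r'wscript.exe "C:\Users\user1\AppData\Local\Temp\settings.json"'},
]

if __name__ == "__main__":
    for idx, names in run(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["process"], "->", ", ".join(names))
```

The second sample event fires both rules, which is expected: a short-named script under AppData satisfies each pattern independently, so overlapping hits should be deduplicated in the alerting layer rather than in the rules.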
You can test detection capabilities by modifying and executing tests for T1059.007 using Atomic Red Team. The tests will need customization using script paths that match those of Gootloader scripts.