IBM X-Force discovered a new variant of Gootloader — the “GootBot” implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims’ search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP. This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads.

Previously, Gootloader was only observed as an initial access malware, after which attackers would load tools like CobaltStrike or use RDP to spread within the network. Campaigns leveraging GootBot for lateral movement constitute a significant change in post-infection TTPs, as this custom tool enables threat actors to stay under the radar for a longer period. GootBot is downloaded as a payload after a Gootloader infection and has the capability to receive C2 tasks in the form of encrypted PowerShell scripts, which are run as jobs. Unlike Gootloader, GootBot is a lightweight obfuscated PS script, containing only a single C2 server. GootBot implants, each of which contains a different C2 server running on a hacked WordPress site, spread throughout infected enterprise domains in large numbers in hopes of reaching a domain controller. At the time of writing, GootBot has no detections listed on VirusTotal. This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as Gootloader-linked ransomware affiliate activity.

Key Findings

  • The Gootloader group created a novel tool for C2 and lateral movement dubbed GootBot, which is being used in lieu of other traditional post-exploitation frameworks such as CobaltStrike.
  • Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file.
  • After an infection, large amounts of GootBot implants are disseminated throughout corporate environments with each containing a different hardcoded C2 server, making it difficult to block.
  • At the time of writing, GootBot implants maintain zero AV detections on VirusTotal, enabling it to spread stealthily.
  • Gootloader has served as an initial access provider and successful infections have been known to lead to ransomware.

Background

The Gootloader group, which X-Force tracks as Hive0127 (aka UNC2565), has been active since 2014 and relies on a combination of SEO poisoning and compromised WordPress sites to deliver Gootloader. Gootloader infections provide initial access for other threat actors, including ransomware affiliates, and attacks have led to follow-on payloads such as IcedID, Cobalt Strike, and SystemBC.

X-Force observed the group leveraging SEO poisoning as part of its malicious campaigns, which is a method that threat actors use to manipulate search engine results in order to drive users to compromised websites based on the notion that a search engine’s first results are likely to be accurate, safe and legitimate. Hive0127 typically targets online searches for contracts, legal forms or other business-related documents; for example: “Is a closing statement the same as a grand contract?”. Targets are served a compromised website modified to appear as a legitimate forum at the top of the poisoned search engine results page. Within the forum conversation, the targets are then tricked into downloading an archive file related to their initial search terms, but which actually contains Gootloader.

Analysis

Infection diagram

The following graph is an example of how Gootloader may employ GootBot to spread throughout a network. The analysis sections below detail the different stages of infection:

Initial access via Gootloader

Gootloader infections start with a user downloading an infected archive, containing a significantly obfuscated JavaScript file, which is Gootloader’s first stage. Upon execution, it drops another JavaScript file in a selected subfolder under the %APPDATA% folder with an unobtrusive English filename. Gootloader does not create a new folder in %APPDATA% but rather selects one that already exists. This selection is not random but calculated based on the number of subfolders that are found in the %APPDATA% folder.  It is calculated as follows:

722 – (Round down(722 / number_of_subfolders) * number_of_subfolders)

Scroll to view full table

Instead of running the second stage directly, Gootloader triggers a scheduled task to run the JavaScript as well as make it persistent.

The scheduled task has the following parameters:

Name:  <Random English words>

Action:  wscript <short file name of 2nd stage ending with “~1.JS”>

Folder:  [Subfolder in %APPDATA%]

Trigger:  LogonTriggerID [At the next log on of the current user]

Scroll to view full table

Once the second stage JavaScript executes, it runs a PowerShell script and the third stage, which gathers system information and uploads it to any of its 10 hardcoded C2 servers. Gootloader uses hacked WordPress sites to run their C2 servers, leading to C2 URL paths ending with “/xmlrpc.php”.

Below is an example of an HTTP request from the malware.

The User-Agent is consistent as well as the presumed malware ID, 3B47772CE3.

The malware expects the C2 to respond with data that contains a PowerShell script that Gootloader executes.

The third stage PowerShell script runs in an endless loop giving the actor the ability to make the C2 respond with varying PowerShell payloads.

GootBot

One of the payloads X-Force observed is GootBot, a new variant of Gootloader. It features very similar capabilities but comes in the form of a lightweight PowerShell script. Unlike the stage 3 PowerShell script, GootBot only contains a single C2 server address.

GootBot’s strings are slightly obfuscated via a replacement key, as seen in the screenshot below:

Similar to Gootloader, the bot starts by sending a GET request to its C2 server, requesting PowerShell tasks. The first beacon has the following HTTP headers added by the malware:

GET /xmlrpc.php HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Cookie: <BOT_ID>=<If user is admin: 0/1>

Pragma: no-cache

Cache-Control: no-cache, no-store

Expires: 0

Scroll to view full table

As a response, GootBot expects a string consisting of a Base64-encoded payload, and the last 8 characters being the task name. It then decodes the payload and injects it into a simple scriptblock before executing it in a new background job using the “Start-Job” Cmdlet. This allows the PowerShell payload to be run asynchronously and without creating a child process, potentially resulting in less EDR detections.

The following screenshot shows the deobfuscated code running the C2 task.

By default, GootBot beacons out every 60 seconds, however, this can be changed by setting a specific string containing “asz” to the child jobs’ information attribute. The same applies to the working directory path, which can be changed with the “asx” signal string.

Once the bot receives a task from the C2, the next loop iteration will start by querying the task result, for every child job requested by the C2 server. If the job has been completed, it will return the job results. If it has not been completed yet, it will send the string “E1”, or the string “E2” if the job cannot be found. The job results are then concatenated for all requested tasks using the following format:

[!<BOT_ID>!]<job result 1>!<1>[!<BOT_ID>!]<job result 2>!<2>[!<BOT_ID>!]<job result 3>!<3>…

Scroll to view full table

The resulting string is Base64 encoded and obfuscated via a modulo-based algorithm which is similar to a technique observed in previous Gootloader JavaScript samples.

This time, GootBot sends a POST request to its C2 server. If the data is larger than 100,000 chars it is split into multiple requests, formatted as follows:

POST /xmlrpc.php HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Cookie: <BOT_ID>=<If user is admin: 0/1>|<task name 1>|<task name 2>|<task name 3>|<task name 4>…

Pragma: no-cache

Cache-Control: no-cache, no-store

Expires: 0

 

<BOT_ID>=[sX<<random_int>><packet_seq_number>]<data>

Scroll to view full table

Again, the bot expects a response containing the next task.

Lateral movement

GootBot was also designed to be spread laterally throughout the environment. Once an initial host is infected, GootBot receives a number of scripts enumerating the host as well as the domain. X-Force also observed several scripts using different techniques to spread the embedded GootBot payload to other hosts. GootBots’ C2 infrastructure can quickly generate large numbers of GootBot payloads to be disseminated, each with a different C2 address to contact. These are deployed by lateral-movement scripts in an automated fashion, which may also lead to hosts being reinfected multiple times.

Lateral-movement scripts make use of WinRM in PowerShell, either via WMI or the “Invoke-Command” Cmdlet. Other examples include copying payloads via SMB and the use of WinAPI calls to SCM (Service Control Manager) in order to create remote services and scheduled tasks.

In some cases, GootBot also uses exfiltrated credentials to spread:

Figure: Lateral movement via WinRM Invoke-Command

Figure: Lateral movement via SCM

GootBot has also been shown to use environment variables to store encrypted strings, which further decreases the scripts’ size. In addition, GootBot may also be deployed using a technique to spoof the PowerShell processes’ arguments by creating a new process before writing the malicious script to the processes’ standard input.

Reconnaissance

GootBot also runs a reconnaissance script as one of its first tasks. It contains the unique GootBot ID for the host.
The following information is pulled together,  and returned to the job handler:

  • Domain user name
  • OS (from registry key)
  • If 64bit architecture (checking for x86 dir and also size of int ptr)
  • Domain controllers:
  • From registry
  • From ENV var
  • Using [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll
  • Running processes
  • SID
  • Local IP address
  • Hostname

The data is formatted with the specified ID. See example data below with ID “FDA8970BA3”:

Actions on objective

A Gootloader infection may quickly lead to the deployment of additional tools such as Cobalt Strike, SystemBC and domain compromise scripts including Kerberoasting attacks. Other observed behavior is the exfiltration of the following sensitive information:

  • LSASS process dump. Dumped using Procdump or the Minidump functionality of “comsvcs.dll”
  • Registry hives SAM, SYSTEM, SECURITY

In addition, Gootloader infections are also known to result in ransomware.

Conclusion

The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth. This is a highly effective malware that allows attackers to move laterally across the environment with ease and speed and extend their attacks. In addition, Hive 0127’s usage of large clusters of compromised WordPress domains makes it increasingly difficult for defenders to block malicious traffic. As Gootloader frequently serves as an initial access provider, awareness of these evolving TTPs and tools is important to mitigate the risk of impactful post-exploitation activity.

Recommendations

  • Ensure anti-virus and associated files are up to date
  • Organizations should ensure that script block logging is enabled within their enterprise and monitor the relevant Windows event logs for signs of compromise
  • Monitor for execution of JavaScript files within downloaded ZIP archives
  • Monitor for scheduled tasks using wscript.exe to execute JavaScript files using short names (*~1.JS)
  • Monitor network traffic for suspicious HTTP requests to URLs ending with “xmlrpc.php”:
  • Suspicious cookie value: <BOT_ID>=<If user is admin: 0/1>
  • Suspicious content format: <BOT_ID>=[sX<<random_int>><packet_seq_number>]<data>
  • Monitor for lateral movement via WinRM, WMI or SCM
  • Disable or monitor the “Start-Job” Cmdlet within your environment.

For more information on X-Force’s security research, threat intelligence and hacker-led insights, visit the X-Force Research Hub.

Indicators of Compromise (IOCs)

IndicatorIndicator TypeContext
6ff7a60c7cd8ffed318700dff453d3679adf27b11505f875d54e8afc33bb8465SHA256GootBot
95dbd3f273d621fa71631882d00bef71f902a4cc536ee150ec748aae4f47e4d5SHA256GootBot
http://63factory[.]jp/wordpress/xmlrpc.phpURL GootBotC2 server
https://contentstudent[.]com/xmlrpc.phpURL GootBotC2 server
Scroll to view full table

More from Threat Intelligence

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today