S1138 Gootloader
Gootloader is a JavaScript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an “Initial Access as a Service” model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide, including financial, military, automotive, pharmaceutical, and energy.[2][1]
| Item | Value |
|---|---|
| ID | S1138 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 28 May 2024 |
| Last Modified | 19 June 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Gootloader can create an autorun entry for a PowerShell script to run at reboot.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.[2][1] |
| enterprise | T1059.007 | JavaScript | Gootloader can execute a JavaScript file for initial infection.[2][1] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.001 | Domains | Gootloader has used compromised legitimate domains as a delivery network for malicious payloads.[1] |
| enterprise | T1584.006 | Web Services | Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS).[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Gootloader can retrieve a Base64-encoded stager from C2.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Gootloader has the ability to decode and decrypt malicious payloads prior to execution.[2][1] |
| enterprise | T1105 | Ingress Tool Transfer | Gootloader can fetch second-stage code from hardcoded web domains.[2][1] |
| enterprise | T1027 | Obfuscated Files or Information | The Gootloader first-stage script is obfuscated using random alphanumeric strings.[2][1] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.002 | Portable Executable Injection | Gootloader can use its own PE loader to execute payloads in memory.[2] |
| enterprise | T1055.012 | Process Hollowing | Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.[2][1] |
| enterprise | T1082 | System Information Discovery | Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.[2] |
| enterprise | T1614 | System Location Discovery | Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.[1] |
| enterprise | T1614.001 | System Language Discovery | Gootloader can determine if a victim’s computer is running an operating system with specific language preferences.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Gootloader has been executed through malicious links presented to users as internet search results.[2][1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Checks | Gootloader can designate a sleep period of more than 22 seconds between stages of infection.[2] |
References
1. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
2. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.