Gootloader
Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Gootloader has the ability to decode and decrypt malicious payloads prior to execution.[1][2] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Gootloader can create an autorun entry for a PowerShell script to run at reboot.[1] |
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.[1][2] |
| .007 | 命令与脚本解释器: JavaScript |
Gootloader can execute a Javascript file for initial infection.[1][2] |
||
| Enterprise | T1584 | .001 | 基础设施妥协: Domains |
Gootloader has used compromised legitimate domains to as a delivery network for malicious payloads.[2] |
| .006 | 基础设施妥协: Web Services |
Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS).[2] |
||
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Gootloader can retrieve a Base64 encoded stager from C2.[2] |
| Enterprise | T1069 | .002 | 权限组发现: Domain Groups |
Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.[2] |
| Enterprise | T1027 | 混淆文件或信息 |
The Gootloader first stage script is obfuscated using random alpha numeric strings.[1][2] |
|
| Enterprise | T1204 | .001 | 用户执行: Malicious Link |
Gootloader has been executed through malicious links presented to users as internet search results.[1][2] |
| Enterprise | T1614 | 系统位置发现 |
Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.[2] |
|
| .001 | System Language Discovery |
Gootloader can determine if a victim's computer is running an operating system with specific language preferences.[1] |
||
| Enterprise | T1082 | 系统信息发现 |
Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites.[2] |
|
| Enterprise | T1497 | .003 | 虚拟化/沙盒规避: Time Based Evasion |
Gootloader can designate a sleep period of more than 22 seconds between stages of infection.[1] |
| Enterprise | T1105 | 输入工具传输 |
Gootloader can fetch second stage code from hardcoded web domains.[1][2] |
|
| Enterprise | T1055 | .002 | 进程注入: Portable Executable Injection |
Gootloader can use its own PE loader to execute payloads in memory.[1] |
| .012 | 进程注入: Process Hollowing |
Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.[1][2] |
||