eSentire, a global provider of Managed Detection and Response (MDR) cybersecurity solutions, reported today that the hackers behind the malicious downloader, Gootloader, have poisoned websites across the globe to infect business professionals’ IT systems with ransomware, intrusion tools and bank trojans. eSentire has been tracking the Gootloader campaign since December 2020 and has prevented numerous related malware infections.
eSentire’s security research team, the Threat Response Unit (TRU), discovered that the Gootloader hackers have launched an extensive Drive-By Download Campaign and have compromised dozens of legitimate websites. These sites represent businesses in the hotel industry, high-end retail, education, healthcare, music and visual arts, among others. The compromised websites identified by the TRU use the content management system, WordPress. The threat actors’ end game is to infect business professionals, speaking English, German and Korean. Their modus operandi (MO) is to entice a business professional to one of the compromised websites and then have them click on the link, leading to Gootloader, which attempts to retrieve the final payload, whether it be ransomware, a banking trojan or intrusion tool/credential stealer.
The TRU first began investigating the malicious activity when eSentire’s Extended Detection and Response (XDR) platform, Atlas, detected some suspicious behavior at a law firm. eSentire’s Security Operations Center (SOC) observed malicious code being written to the Windows Registry – a common, fileless malware tactic. The SOC immediately isolated the infected host and escalated the incident to eSentire’s TRU.
Setting the Trap for Business Professionals
When new malware is observed, understanding „Initial Access“ becomes important. This is where eSentire’s TRU asks “how did the firm’s employee first encounter the malicious content?” The TRU concluded, from subsequent research, that the employee was searching the Internet for sample business agreements dealing with physician assistants (PAs) practicing medicine in California. One of the top search results is a web page, made to look like a forum question/answer (Q/A) page, that references a link to a sample agreement for PAs working in California (see figure 1). When the link is clicked, Gootloader is downloaded, and if the victim attempts to open the so-called “document,” they will actually execute Gootloader, which will then go and try to fetch the final payload, which could be the infamous Sodin ransomware (a.k.a. Sodinokibi or REvil); the Gootkit banking trojan; or Cobalt Strike (an intrusion tool/credential stealer).
Figure 1: Question/Answer forum page served to business professionals when visiting a website purporting to contain a sample physician agreement for California. Source: eSentire.
Figure 2: Snippet of distinct code from the Gootloader downloader. Source: eSentire.
TRU found that a distinct snippet of the same downloader code they originally captured (see figure 3) was used in a campaign targeting Korean speakers. The CheckMal researchers also reported the same Q/A forum baiting method (see figure 4) which was observed at eSentire. In an incident referenced by CheckMal, a user encountered the downloader, which resulted in the delivery and execution of the Sodin ransomware.
Figure 3. A snippet of downloader code retrieved by Korean researchers from CheckMal.
Figure 4. Q/A forum page, written in Korean, and discovered by CheckMal researchers. It is like the malicious Q/A forum page detected by eSentire researchers. Source: CheckMAL
Subsequent research into recent Sodin ransomware campaigns revealed that a security firm, Malwarebytes, had documented a similar threat campaign on November 30. This campaign was targeting business professionals speaking German. Again, the threat actors embedded a download link into a fake forum Q/A web page, which purportedly led to a copy of a collective bargaining agreement for employees belonging to the Industrial Union of Metalworkers (see figure 5). Malwarebytes reported that when the link in the Q/A page was clicked, the victim received a downloader, like what was found by eSentire and CheckMAL (see figure 6). This downloader then deployed the Sodin ransomware or the Gootkit Banking Trojan onto the victim’s computer.
Figure 5: Q/A forum page, written in German, seen by Malwarebytes researchers. It is like the other Q/A forum pages, which also reference business agreements, as was found in the U.S. and South Korean campaigns. Source: Malwarebytes.
Figure 6: A portion of the downloader code which hit German speakers who clicked the link within the fake Q/A forum page. Portions of the code resemble the code in Gootloader and the downloader called out by the Korean researchers. Source: Malwarebytes.
Gootloader Obfuscation Code
eSentire’s TRU also observed a change in the obfuscation layer of Gootloader between the websites compromised and injected with fake Q/A forum pages containing German language (see figure 7), and those sites injected with fake Q/A forum pages containing English language (see figure 8). Specifically, they replaced the random strings used for variable names and functions with real English words.
Figure 7. Obfuscation code of the downloader linked to the German language forum Q/A pages found by Malwarebytes. Source: Malwarebytes.
Figure 8. The Obfuscation code of Gootloader when it is inserted into fake Q/A forum pages posted in English. Source: eSentire.
Trend Micro reported a downloader that had a similar code to what Malwarebytes discovered. They also observed a similar fake Q/A forum overlay. The forum page asks for a free download of FIFA 13, a football management video game.
Figure 9. A fake Q/A forum page, targeting German speakers, contains a malicious link to a malware downloader, most likely Gootloader. The link purports to lead to a free download of the football management video game, FIFA 13. Source: Trend Micro.
eSentire’s security research team intercepted and shut down two incidents in February involving Gootloader. One occurred when an employee of a consulting firm was searching the web for the Paris Agreement. The Paris Agreement is an international treaty on climate change. It has been prominent in the national and international news because the United States just agreed to reenter the agreement effective February 19. When the consultant attempted to download the agreement, instead they downloaded Gootloader. Upon attempting to open the document, Gootloader executed and began fetching the payload, but was unsuccessful. At this time, VirusTotal reported that the server, hosting the payload, was associated with the post-exploitation tool, Cobalt Strike.
The second incident in late February involved an employee of another legal firm specializing in the healthcare industry. TRU concluded that the employee had searched the web for the Ucc-1 subordination agreement, an agreement pertaining to loans under the Uniform Commercial Code. The Gootloader malware was hosted on an addiction recovery center’s website, an unlikely host for commercial legal agreements. Such an inconsistency is often an indicator of malicious intent.
Gootloader Threat Actors Use SEO Poisoning to Generate High-Level Page Rankings Targeting English Speakers
Using a Google Search method called dorking, TRU uncovered several dozen WordPress sites in which similar “Agreement” content had been injected around December 2020. The compromised websites served as a foundation for the Gootloader campaign, providing malicious hosting and Search Engine Optimization (SEO) to the threat actors. This allowed the threat actors to deliver arbitrary, malicious payloads to unsuspecting business professionals.
The compromised WordPress sites were injected with tens to hundreds of blog posts. In each of the dozens of websites explored, a couple of common features were standard across the injected blog posts:
1) The title of the blog post had the word “agreement” in it. This title did not always relate to a meaningful agreement. For example, it sometimes included just a web domain as the title that happened to have the word “agreement” in it.
2) The content consisted of randomly ordered, complete sentences pertaining to the subject of law. Exact google searches of such sentences led to more compromised blogs, as well as some legitimate source content. TRU has not yet discovered two blogs with the exact same content. Given the high number of blogs created from finite law source material, there were some cases of surprisingly similar blogs.
3) All blog posts on a given compromised website were spread across the month of December. As such, they sometimes appeared in an injected /2020 directory, if not an injected /2020/12 directory. Variations in the directory’s structure were likely due to the underlying structure of the legitimate WordPress site.
When visited by security infrastructure and virtual machines (VMs), only the injected blog posts tend to show on these pages – but when the back-end server detects a potential victim through an unseen test, the nonsensical blog post is hidden behind the previously mentioned forum posts that serve the malicious link leading to Gootloader.
Recommendations for Protecting Company Employees from Being Hijacked by Gootloader
- Make sure you trust document sources. Even legitimate Word and Excel documents from the Internet can lead to loader malware.
- Employ an Endpoint Detection and Response (EDR) product.
- User awareness training should be mandated for all company employees. The training should focus on the following topics:
- The downloading and execution of files from unverified sources
- Process of reporting potential security incidents
- Educate users about safe Internet browsing habits
- Avoid free versions of paid software
- Inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain)
- Always inspect the extension of files, do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document
- Employees need to report security threats without fear of repercussion, even if caused accidentally
Tips for Protecting a WordPress-Built Website from Being Compromised and Used to Deliver Malware
- Ensure any plug-ins used on the website is kept up to date
- Only use vetted plugins
- Maintain a clean copy of the website to roll back to, in case there is an event of compromise
- Ensure the latest patches for your WordPress website and associated plugins are up to date and implemented
- Make sure that your content is being hosted by a secure server
- Please see additional tips at: https://wiki.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
Indicators of Compromise Observed by the TRU
filename:*agreement*.js (* = wildcard) (English targeting)
filename:*herunterladen*.js (* = wildcard)(German targeting)
Payload Download Sites: