eSentire, a leading global provider of Managed Detection and Response (MDR) cybersecurity solutions, reported today that the hackers behind the malicious downloader, Gootloader, have poisoned websites across the globe to infect business professionals’ IT systems with ransomware, intrusion tools and bank trojans. eSentire has been tracking the Gootloader campaign since December 2020 and has prevented numerous related malware infections.
eSentire’s security research team, the Threat Response Unit (TRU), discovered that the Gootloader hackers have launched an extensive drive-by download campaign and have compromised dozens of legitimate websites. These sites represent businesses in the hotel industry, high-end retail, education, healthcare, music and visual arts, among others. All of the compromised websites identified by the TRU run the WordPress content management system. The threat actors’ end game is to infect business professionals who speak English, German or Korean. Their modus operandi (MO) is to entice a business professional to one of the compromised websites and have them click on a link leading to Gootloader, which then attempts to retrieve the final payload, whether it be ransomware, a banking trojan or an intrusion tool/credential stealer.
The TRU first began investigating the malicious activity when eSentire’s Extended Detection and Response (XDR) platform, Atlas, detected some suspicious behavior at a law firm. eSentire’s Security Operations Center (SOC) observed malicious code being written to the Windows Registry – a common, fileless malware tactic. The SOC immediately isolated the infected host and escalated the incident to eSentire’s TRU.
When new malware is observed, understanding “Initial Access” becomes important. This is where eSentire’s TRU asks “how did the firm’s employee first encounter the malicious content?” From subsequent research, the TRU concluded that the employee had been searching the Internet for sample business agreements dealing with physician assistants (PAs) practicing medicine in California. One of the top search results is a web page, made to look like a forum question/answer (Q/A) page, that contains a link to a supposed sample agreement for PAs working in California (see figure 1). When the link is clicked, Gootloader is downloaded; if the victim then attempts to open the so-called “document,” they actually execute Gootloader, which goes on to fetch the final payload. That payload could be the infamous Sodin ransomware (a.k.a. Sodinokibi or REvil), the Gootkit banking trojan, or Cobalt Strike (an intrusion tool/credential stealer).
Figure 1: Question/Answer forum page served to business professionals when visiting a website purporting to contain a sample physician agreement for California. Source: eSentire.
Figure 2: Snippet of distinct code from the Gootloader downloader. Source: eSentire.
TRU found that a distinct snippet of the same downloader code they originally captured (see figure 3) was used in a campaign targeting Korean speakers. Korean researchers at CheckMAL also reported the same Q/A forum baiting method (see figure 4) that was observed at eSentire. In an incident referenced by CheckMAL, a user encountered the downloader, which resulted in the delivery and execution of the Sodin ransomware.
Figure 3. A snippet of downloader code retrieved by Korean researchers from CheckMAL.
Figure 4. Q/A forum page, written in Korean, discovered by CheckMAL researchers. It resembles the malicious Q/A forum page detected by eSentire researchers. Source: CheckMAL.
Subsequent research into recent Sodin ransomware campaigns revealed that the security firm Malwarebytes had documented a similar threat campaign on November 30. This campaign targeted business professionals speaking German. Again, the threat actors embedded a download link in a fake forum Q/A web page, which purportedly led to a copy of a collective bargaining agreement for employees belonging to the Industrial Union of Metalworkers (see figure 5). Malwarebytes reported that when the link in the Q/A page was clicked, the victim received a downloader similar to what was found by eSentire and CheckMAL (see figure 6). This downloader then deployed the Sodin ransomware or the Gootkit banking trojan onto the victim’s computer.
Figure 5: Q/A forum page, written in German, seen by Malwarebytes researchers. It resembles the other Q/A forum pages, which also reference business agreements, found in the U.S. and South Korean campaigns. Source: Malwarebytes.
Figure 6: A portion of the downloader code which hit German speakers who clicked the link within the fake Q/A forum page. Portions of the code resemble the code in Gootloader and the downloader called out by the Korean researchers. Source: Malwarebytes.
eSentire’s TRU also observed a change in the obfuscation layer of Gootloader between the compromised websites injected with German-language fake Q/A forum pages (see figure 7) and those injected with English-language fake Q/A forum pages (see figure 8). Specifically, the random strings used for variable and function names were replaced with real English words.
Figure 7. Obfuscation code of the downloader linked to the German language forum Q/A pages found by Malwarebytes. Source: Malwarebytes.
Figure 8. The Obfuscation code of Gootloader when it is inserted into fake Q/A forum pages posted in English. Source: eSentire.
Trend Micro reported a downloader whose code was similar to what Malwarebytes discovered. They also observed a similar fake Q/A forum overlay. That forum page offers a free download of FIFA 13, a football management video game.
Figure 9. A fake Q/A forum page, targeting German speakers, contains a malicious link to a malware downloader, most likely Gootloader. The link purports to lead to a free download of the football management video game, FIFA 13. Source: Trend Micro.
eSentire's security research team intercepted and shut down two incidents in February involving Gootloader. One occurred when an employee of a consulting firm was searching the web for the Paris Agreement, an international treaty on climate change. It has been prominent in the national and international news because the United States just agreed to reenter the agreement effective February 19. When the consultant attempted to download the agreement, they downloaded Gootloader instead. When they attempted to open the document, Gootloader executed and began fetching the payload, but was unsuccessful. At the time, VirusTotal reported that the server hosting the payload was associated with the post-exploitation tool Cobalt Strike.
The second incident, in late February, involved an employee of another legal firm specializing in the healthcare industry. TRU concluded that the employee had searched the web for a UCC-1 subordination agreement, an agreement pertaining to loans under the Uniform Commercial Code. The Gootloader malware was hosted on an addiction recovery center’s website, an unlikely host for commercial legal agreements. Such an inconsistency is often an indicator of malicious intent.
Using a Google Search method called dorking, TRU uncovered several dozen WordPress sites in which similar “Agreement” content had been injected around December 2020. The compromised websites served as a foundation for the Gootloader campaign, providing malicious hosting and Search Engine Optimization (SEO) to the threat actors. This allowed the threat actors to deliver arbitrary, malicious payloads to unsuspecting business professionals.
The compromised WordPress sites were injected with tens to hundreds of blog posts. In each of the dozens of websites explored, a couple of common features were standard across the injected blog posts:
1) The title of the blog post had the word “agreement” in it. This title did not always relate to a meaningful agreement. For example, it sometimes included just a web domain as the title that happened to have the word “agreement” in it.
2) The content consisted of randomly ordered, complete sentences pertaining to the subject of law. Exact Google searches for such sentences led to more compromised blogs, as well as to some legitimate source content. TRU has not yet discovered two blogs with exactly the same content, although, given the high number of blogs generated from a finite body of legal source material, some blogs were surprisingly similar.
3) All blog posts on a given compromised website were spread across the month of December. As such, they sometimes appeared in an injected /2020 directory, if not an injected /2020/12 directory. Variations in the directory’s structure were likely due to the underlying structure of the legitimate WordPress site.
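The three features above can be turned into a triage check that a WordPress site owner or responder runs over their own post inventory. The following is an added example, not eSentire's tooling; it assumes post records in the shape returned by the WordPress REST API (`/wp-json/wp/v2/posts`: `date`, `link`, `title.rendered`) and uses constructed sample records:

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample records in the shape of the WordPress REST API
# (/wp-json/wp/v2/posts). The first two mimic injected posts; the last
# two are ordinary content on the same hypothetical hotel website.
SAMPLE_POSTS = [
    {"date": "2020-12-07T03:14:22",
     "link": "https://hotel.example/2020/12/physician-assistant-agreement-california/",
     "title": {"rendered": "Physician Assistant Agreement California"}},
    {"date": "2020-12-19T11:02:01",
     "link": "https://hotel.example/2020/sample-agreement-site.com/",
     "title": {"rendered": "sample-agreement-site.com"}},
    {"date": "2021-02-02T09:00:00",
     "link": "https://hotel.example/2021/02/spring-menu/",
     "title": {"rendered": "Our new spring menu"}},
    {"date": "2019-06-10T08:30:00",
     "link": "https://hotel.example/2019/06/terms/",
     "title": {"rendered": "Booking terms and cancellation agreement"}},
]

# A title that is nothing but a hostname (feature 1: "just a web domain as the title").
BARE_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def triage_post(post):
    """Return the injected-post features a single record exhibits."""
    reasons = []
    title = post["title"]["rendered"].strip()
    if "agreement" in title.lower():
        reasons.append("title contains 'agreement'")
        if BARE_DOMAIN.match(title):
            reasons.append("title is a bare domain name")
    published = datetime.fromisoformat(post["date"])
    if (published.year, published.month) == (2020, 12):
        reasons.append("published December 2020")
    if urlparse(post["link"]).path.startswith("/2020/"):
        reasons.append("served from a /2020 path")
    return reasons


def find_injected_posts(posts):
    """Flag posts that combine the title feature with the December 2020 timing.
    A legitimate agreement-related post or a legitimate December 2020 post alone
    is not flagged; the campaign's posts showed both features together."""
    flagged = {}
    for post in posts:
        reasons = triage_post(post)
        if any(r.startswith("title") for r in reasons) and len(reasons) >= 2:
            flagged[post["link"]] = reasons
    return flagged
```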
When these pages are visited by security infrastructure or virtual machines (VMs), only the injected blog posts tend to be shown; but when the back-end server identifies a potential victim through an unseen test, the nonsensical blog post is hidden behind the previously mentioned fake forum post that serves the malicious link leading to Gootloader.
filename:*agreement*.js (* = wildcard) (English targeting)
filename:*herunterladen*.js (* = wildcard)(German targeting)