Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Defend brute force attacks, active intrusions and unauthorized scans.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREATA recently disclosed vulnerability impacting Zimbra mail servers is being actively exploited by attacker(s). On September 27th, Zimbra publicly disclosed CVE-2024-45519, a…
Sep 17, 2024THE THREAT Technical details and Proof-of-Concept (PoC) exploit code for the critical Ivanti Endpoint Manager (EPM) vulnerability CVE-2024-29847 are now publicly available.…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
eSentire, a leading global provider of Managed Detection and Response (MDR) cybersecurity solutions, reported today that the hackers behind the malicious downloader, Gootloader, have poisoned websites across the globe to infect business professionals’ IT systems with ransomware, intrusion tools and bank trojans. eSentire has been tracking the Gootloader campaign since December 2020 and has prevented numerous related malware infections.
eSentire’s security research team, the Threat Response Unit (TRU), discovered that the Gootloader hackers have launched an extensive Drive-By Download Campaign and have compromised dozens of legitimate websites. These sites represent businesses in the hotel industry, high-end retail, education, healthcare, music and visual arts, among others. The compromised websites identified by the TRU use the content management system, WordPress. The threat actors’ end game is to infect business professionals, speaking English, German and Korean. Their modus operandi (MO) is to entice a business professional to one of the compromised websites and then have them click on the link, leading to Gootloader, which attempts to retrieve the final payload, whether it be ransomware, a banking trojan or intrusion tool/credential stealer.
The TRU first began investigating the malicious activity when eSentire’s Extended Detection and Response (XDR) platform, Atlas, detected some suspicious behavior at a law firm. eSentire’s Security Operations Center (SOC) observed malicious code being written to the Windows Registry – a common, fileless malware tactic. The SOC immediately isolated the infected host and escalated the incident to eSentire’s TRU.
When new malware is observed, understanding "Initial Access" becomes important. This is where eSentire’s TRU asks “how did the firm’s employee first encounter the malicious content?” The TRU concluded, from subsequent research, that the employee was searching the Internet for sample business agreements dealing with physician assistants (PAs) practicing medicine in California. One of the top search results is a web page, made to look like a forum question/answer (Q/A) page, that references a link to a sample agreement for PAs working in California (see figure 1). When the link is clicked, Gootloader is downloaded, and if the victim attempts to open the so-called “document,” they will actually execute Gootloader, which will then go and try to fetch the final payload, which could be the infamous Sodin ransomware (a.k.a. Sodinokibi or REvil); the Gootkit banking trojan; or Cobalt Strike (an intrusion tool/credential stealer).
Figure 1: Question/Answer forum page served to business professionals when visiting a website purporting to contain a sample physician agreement for California. Source: eSentire.
TRU found that Gootloader consisted of heavily obfuscated JavaScript code. It was compressed to bypass automated security appliances. TRU analyzed the loader code; however, attempts to retrieve the payload from the download server were not successful. The security research team began to investigate whether the downloader they found (see figure 2) had been seen by other security professionals. As it turns out, Gootloader activity was reported in October 2020 by the South Korean cybersecurity firm, CheckMal.
Figure 2: Snippet of distinct code from the Gootloader downloader. Source: eSentire.
TRU found that a distinct snippet of the same downloader code they originally captured (see figure 3) was used in a campaign targeting Korean speakers. The CheckMal researchers also reported the same Q/A forum baiting method (see figure 4) which was observed at eSentire. In an incident referenced by CheckMal, a user encountered the downloader, which resulted in the delivery and execution of the Sodin ransomware.
Figure 3. A snippet of downloader code retrieved by Korean researchers from CheckMal.
Figure 4. Q/A forum page, written in Korean, and discovered by CheckMal researchers. It is like the malicious Q/A forum page detected by eSentire researchers. Source: CheckMAL
Subsequent research into recent Sodin ransomware campaigns revealed that a security firm, Malwarebytes, had documented a similar threat campaign on November 30. This campaign was targeting business professionals speaking German. Again, the threat actors embedded a download link into a fake forum Q/A web page, which purportedly led to a copy of a collective bargaining agreement for employees belonging to the Industrial Union of Metalworkers (see figure 5). Malwarebytes reported that when the link in the Q/A page was clicked, the victim received a downloader, like what was found by eSentire and CheckMAL (see figure 6). This downloader then deployed the Sodin ransomware or the Gootkit Banking Trojan onto the victim’s computer.
Figure 5: Q/A forum page, written in German, seen by Malwarebytes researchers. It is like the other Q/A forum pages, which also reference business agreements, as was found in the U.S. and South Korean campaigns. Source: Malwarebytes.
Figure 6: A portion of the downloader code which hit German speakers who clicked the link within the fake Q/A forum page. Portions of the code resemble the code in Gootloader and the downloader called out by the Korean researchers. Source: Malwarebytes.
eSentire’s TRU also observed a change in the obfuscation layer of Gootloader between the websites compromised and injected with fake Q/A forum pages containing German language (see figure 7), and those sites injected with fake Q/A forum pages containing English language (see figure 8). Specifically, they replaced the random strings used for variable names and functions with real English words.
Figure 7. Obfuscation code of the downloader linked to the German language forum Q/A pages found by Malwarebytes. Source: Malwarebytes.
Figure 8. The Obfuscation code of Gootloader when it is inserted into fake Q/A forum pages posted in English. Source: eSentire.
Trend Micro reported a downloader that had a similar code to what Malwarebytes discovered. They also observed a similar fake Q/A forum overlay. The forum page asks for a free download of FIFA 13, a football management video game.
Figure 9. A fake Q/A forum page, targeting German speakers, contains a malicious link to a malware downloader, most likely Gootloader. The link purports to lead to a free download of the football management video game, FIFA 13. Source: Trend Micro.
eSentire's security research team intercepted and shut down two incidents in February involving Gootloader. One occurred when an employee of a consulting firm was searching the web for the Paris Agreement. The Paris Agreement is an international treaty on climate change. It has been prominent in the national and international news because the United States just agreed to reenter the agreement effective February 19. When the consultant attempted to download the agreement, instead they downloaded Gootloader. Upon attempting to open the document, Gootloader executed and began fetching the payload, but was unsuccessful. At this time, VirusTotal reported that the server, hosting the payload, was associated with the post-exploitation tool, Cobalt Strike.
The second incident in late February involved an employee of another legal firm specializing in the healthcare industry. TRU concluded that the employee had searched the web for the Ucc-1 subordination agreement, an agreement pertaining to loans under the Uniform Commercial Code. The Gootloader malware was hosted on an addiction recovery center’s website, an unlikely host for commercial legal agreements. Such an inconsistency is often an indicator of malicious intent.
Using a Google Search method called dorking, TRU uncovered several dozen WordPress sites in which similar “Agreement” content had been injected around December 2020. The compromised websites served as a foundation for the Gootloader campaign, providing malicious hosting and Search Engine Optimization (SEO) to the threat actors. This allowed the threat actors to deliver arbitrary, malicious payloads to unsuspecting business professionals.
The compromised WordPress sites were injected with tens to hundreds of blog posts. In each of the dozens of websites explored, a couple of common features were standard across the injected blog posts:
1) The title of the blog post had the word “agreement” in it. This title did not always relate to a meaningful agreement. For example, it sometimes included just a web domain as the title that happened to have the word “agreement” in it.
2) The content consisted of randomly ordered, complete sentences pertaining to the subject of law. Exact google searches of such sentences led to more compromised blogs, as well as some legitimate source content. TRU has not yet discovered two blogs with the exact same content. Given the high number of blogs created from finite law source material, there were some cases of surprisingly similar blogs.
3) All blog posts on a given compromised website were spread across the month of December. As such, they sometimes appeared in an injected /2020 directory, if not an injected /2020/12 directory. Variations in the directory’s structure were likely due to the underlying structure of the legitimate WordPress site.
When visited by security infrastructure and virtual machines (VMs), only the injected blog posts tend to show on these pages – but when the back-end server detects a potential victim through an unseen test, the nonsensical blog post is hidden behind the previously mentioned forum posts that serve the malicious link leading to Gootloader.
wscript executing zipped JavaScript file
JavaScript Filenames:
filename:*agreement*.js (* = wildcard) (English targeting)
filename:*herunterladen*.js (* = wildcard)(German targeting)
www.cwa1037[.]org
www.edmondoberselli[.]net
couchbraunsdorf[.]com
buerotiefschwarz[.]de
www.crosskeys-oldsnydale.co[.]uk
realtytoronto[.]ca
wordphotos.mischart[.]com
mlsd[.]club
furuyaman[.]com
colegiocontempora[.]com
funkjazzkafe[.]com
skepdagog[.]com
kiritorichuzai[.].com
africanarts[.]us