Full Report
Move fast - miscreants compromised a domain controller in 17 hours
Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity.…
Analysis Summary
# Tool/Technique: Gootloader
## Overview
Gootloader is a JavaScript-based malware loader that has historically delivered secondary payloads, most notably ransomware. It has resurfaced with updated obfuscation and is now operated by Storm-0494 as the initial-access stage of intrusions, with follow-on ransomware deployment by allied groups such as Vanilla Tempest, which deploys Rhysida.
## Technical Details
- Type: Malware family (loader)
- Platform: Windows (the dropped `.js` runs under the Windows Script Host; also implied by the post-exploitation tools used)
- Capabilities: initial-access delivery via SEO poisoning and compromised websites; staging of encrypted payloads inside WordPress comments on legitimate sites; obfuscation of delivered files and scripts; staging of follow-on backdoors
- First seen: at least 2014
## MITRE ATT&CK Mapping
The mappings below cover the Gootloader delivery phase plus the post-exploitation tooling this report names (Supper SOCKS5 backdoor, WinRM, Impacket):
- **TA0042 - Resource Development**
- T1608.006 - Stage Capabilities: SEO Poisoning (search results steer victims to the compromised sites)
- T1608.001 - Stage Capabilities: Upload Malware (encrypted payloads parked in WordPress comments; the comment endpoint is used as designed, so T1190 Exploit Public-Facing Application does not apply)
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (closest fit for the poisoned-search-to-compromised-site chain; note that no browser exploit is involved, the victim must run the downloaded file)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the `.js` inside the downloaded ZIP)
- T1059.007 - Command and Scripting Interpreter: JavaScript (run by the Windows Script Host)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (custom WOFF2 fonts with glyph substitution to hide filenames on the download page)
- **TA0008 - Lateral Movement**
- T1021.006 - Remote Services: Windows Remote Management (WinRM to the domain controller)
- T1021 - Remote Services (Impacket; the sub-technique depends on which Impacket script was used, which the report does not state)
- **TA0011 - Command and Control**
- T1090 - Proxy (Supper SOCKS5 backdoor)
- Privilege escalation to domain-level rights is implied by the domain controller compromise, but the report gives no technique to map.
## Functionality
### Core Capabilities
- **Delivery Mechanism:** SEO (search engine optimization) poisoning directs victims searching for specific terms (e.g., "missouri cover utility easement roadway") to compromised, otherwise legitimate sites.
- **Payload Staging:** Encrypted payloads are hidden inside legitimate web infrastructure, specifically by abusing WordPress's comment submission endpoint to store them as comments.
- **Initial Payload:** On user interaction ("Download"), the site serves a ZIP archive containing a malicious JavaScript file; the infection starts only when the user opens the `.js`.
### Advanced Features
- **Obfuscation:** The download page uses **custom WOFF2 fonts with glyph substitution**: the characters in the page source differ from what the font renders, so the filename a user sees is not the string an analyst gets by copying the text or scraping the page.
- **Speed of the intrusion chain:** In the observed case the actors went from initial access to domain controller compromise within 17 hours.
## Indicators of Compromise
*Note: Specific hashes and network indicators for this campaign were not detailed in the source text, which only notes that Huntress has published IoCs.*
- File Hashes: [Not explicitly provided]
- File Names: [Obscured on the download page via WOFF2 glyph substitution; the on-disk name is not given]
- Registry Keys: [Not explicitly provided]
- Network Indicators: [Not explicitly provided; expect C2 traffic associated with Gootloader and the SOCKS5 backdoor]
- Behavioral Indicators: Execution of a JavaScript file downloaded from a seemingly legitimate site; subsequent execution of the Supper SOCKS5 backdoor.
## Associated Threat Actors
- **Storm-0494:** Runs the Gootloader operation and provides initial access for this campaign.
- **Vanilla Tempest:** The ransomware group that typically takes over after initial access; Rhysida is the ransomware it deploys.
## Detection Methods
- **Signature-based detection:** Huntress has published YARA rules for the Vanilla Tempest **TextShell** malware (`win_mal_TextShell.yar`) and the **Supper backdoor** (`win_mal_SupperBackdoor.yar`).
- **Behavioral detection:** Alert on the Windows Script Host (`wscript.exe`/`cscript.exe`) running a `.js` file that arrived as a browser download, typically launched from `explorer.exe` with a path under the user's Downloads folder or a temporary extraction directory; on new SOCKS5 proxy activity shortly after such an execution; and on remote command execution against domain controllers over WinRM or with Impacket-style tooling.
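As an added example (not code from Huntress, The Register or the report above), the following Python triages process-creation telemetry for the behaviors just listed: a script host launched from `explorer.exe` on a `.js` under a user download directory, a shell spawned by the WinRM host process `wsmprovhost.exe` on a domain controller, and the output-redirection pattern that Impacket's `wmiexec.py` uses by default. Field names follow Sysmon Event ID 1 as an assumed normalization; the events, hostnames, user names and timestamps are constructed, and the Impacket pattern assumes an unmodified tool.

```python
"""Behavioral triage of process-creation events for the Gootloader -> WinRM/Impacket -> DC chain.

Added illustration, not code from Huntress or the report above. Field names follow Sysmon
Event ID 1 (UtcTime, Computer, User, Image, ParentImage, CommandLine) as an assumed
normalization; the events, hosts, users and timestamps below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Where a browser download or an explorer-extracted ZIP member typically lands (lower-case).
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Default output redirection of Impacket's wmiexec.py (assumption: unmodified tool).
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.IGNORECASE)
JS_ARG_RE = re.compile(r"\.jse?\b")
TIME_FMT = "%Y-%m-%d %H:%M:%S"
DC_HOSTS = {"DC01"}  # constructed inventory of domain controllers


def base_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a label for a suspicious event, or None for anything else."""
    image = base_name(event["Image"])
    parent = base_name(event["ParentImage"])
    cmd = event["CommandLine"]
    cmd_lc = cmd.lower()

    # 1. User double-clicks the downloaded .js: explorer.exe -> wscript.exe <path in Downloads/Temp>
    if (image in SCRIPT_HOSTS and parent == "explorer.exe"
            and JS_ARG_RE.search(cmd_lc)
            and any(d in cmd_lc for d in USER_DROP_DIRS)):
        return "gootloader_js_execution"
    # 2. Remote command delivered over WinRM: wsmprovhost.exe hosts the remote session
    if parent == "wsmprovhost.exe" and image in SHELLS:
        return "winrm_remote_command"
    # 3. wmiexec-style execution: WmiPrvSE.exe spawns cmd.exe writing output to ADMIN$\__<timestamp>
    if parent == "wmiprvse.exe" and WMIEXEC_OUTPUT_RE.search(cmd):
        return "impacket_wmiexec_pattern"
    return None


def triage(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(UtcTime, Computer, label) for every event that matches a rule, in input order."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev["UtcTime"], ev["Computer"], label))
    return hits


def hours_to_dc(hits: List[Tuple[str, str, str]], dc_hosts=DC_HOSTS) -> Optional[float]:
    """Hours from the first Gootloader execution to the first suspicious event on a DC."""
    # Timestamps are zero-padded ISO-like strings, so lexical min is chronological min.
    first_access = min((t for t, _, l in hits if l == "gootloader_js_execution"), default=None)
    first_dc = min((t for t, c, _ in hits if c in dc_hosts), default=None)
    if first_access is None or first_dc is None:
        return None
    delta = datetime.strptime(first_dc, TIME_FMT) - datetime.strptime(first_access, TIME_FMT)
    return delta.total_seconds() / 3600.0


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {   # workstation: user opens the .js extracted from the downloaded ZIP
        "UtcTime": "2024-03-01 09:02:11", "Computer": "WS-FIN-07", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" "
                       "\"C:\\Users\\jdoe\\Downloads\\utility_easement_form_12345\\utility_easement_form.js\"",
    },
    {   # benign: domain logon script run from SYSVOL by userinit.exe, must not alert
        "UtcTime": "2024-03-01 09:05:40", "Computer": "WS-FIN-07", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "ParentImage": "C:\\Windows\\System32\\userinit.exe",
        "CommandLine": "cscript.exe //B \\\\corp.local\\SYSVOL\\corp.local\\scripts\\logon.vbs",
    },
    {   # DC: shell spawned by the WinRM host process
        "UtcTime": "2024-03-02 01:40:03", "Computer": "DC01", "User": "CORP\\svc_backup",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
        "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c whoami /all",
    },
    {   # DC: wmiexec-style command with its characteristic output redirection
        "UtcTime": "2024-03-02 01:55:27", "Computer": "DC01", "User": "CORP\\svc_backup",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "CommandLine": "cmd.exe /Q /c net group \"Domain Admins\" /domain "
                       "1> \\\\127.0.0.1\\ADMIN$\\__1709344527.41 2>&1",
    },
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print(f"first DC activity {hours_to_dc(hits):.1f} h after initial access")
```

The third rule is a convenience, not a guarantee: an operator can change wmiexec's share and output-file naming, and other Impacket scripts (smbexec, psexec) leave different traces, so treat the WinRM and script-host rules as the durable ones. On hosts where administrators legitimately use remote PowerShell, the `wsmprovhost.exe` rule needs a baseline of expected accounts and source hosts rather than a blanket alert.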
## Mitigation Strategies
- **User Awareness:** Train users that search results can lead to malicious downloads (SEO poisoning) and that a `.js` file inside a downloaded ZIP is never a legitimate document.
- **Endpoint Security:** Associate `.js`/`.jse` files with a text editor instead of the Windows Script Host so a double-click does not execute them, and deploy controls that inspect archive contents and script execution at runtime.
- **Configuration Hardening:** Site owners running WordPress should review comment handling (moderation, disabling comments where they are not needed, rate limiting the comment endpoint) and check existing comments, including unapproved ones, for staged payload blobs.
- **Rapid Response:** Given the 17-hour window to domain controller compromise observed here, detection and containment of the initial script execution must happen within hours, not days.
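The WordPress hardening item above implies a check that site owners can run themselves. The following Python is an added example (not Huntress code and not a Gootloader signature) that flags comments whose body carries a long, near-uniformly distributed run of base64- or hex-alphabet characters, on the assumption that a payload parked in a comment has to survive as text and therefore looks like that. The comments and the payload blob are constructed; in production the rows would come from the `wp_comments` table (`comment_ID`, `comment_content`), for example via `wp db query` or a direct SQL query, and the thresholds are assumptions to tune.

```python
"""Scan WordPress comment bodies for blobs that look like a staged, text-encoded payload.

Added illustration, not Huntress code and not a Gootloader signature. Assumption: a payload
stored in a comment shows up as a long run of base64- or hex-alphabet characters whose
symbol distribution is close to uniform. The comments below are constructed.
"""
import base64
import math
import random
import re
from collections import Counter
from typing import Dict, List

# base64/hex alphabet; whitespace and other punctuation end a run.
TOKEN_RUN_RE = re.compile(r"[A-Za-z0-9+/=]+")


def shannon_entropy(s: str) -> float:
    """Bits per symbol of the empirical symbol distribution of s."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_token_run(text: str) -> str:
    """Longest uninterrupted run of alphabet characters in the comment body."""
    runs = TOKEN_RUN_RE.findall(text)
    return max(runs, key=len) if runs else ""


def uniformity(run: str) -> float:
    """Entropy relative to the maximum for the alphabet actually used, in 0..1.

    Normalising by the observed alphabet lets one threshold serve base64 (64 symbols,
    max 6 bits) and hex (16 symbols, max 4 bits) alike.
    """
    k = len(set(run))
    if k < 2:
        return 0.0  # e.g. 'aaaa...' repeated: long but carries no information
    return shannon_entropy(run) / math.log2(k)


def looks_like_staged_payload(body: str, min_len: int = 512, min_uniformity: float = 0.9) -> bool:
    """True if the body holds a long, high-entropy encoded blob (thresholds are assumptions)."""
    run = longest_token_run(body)
    return len(run) >= min_len and uniformity(run) >= min_uniformity


def scan_comments(comments: List[Dict]) -> List[int]:
    """comment_IDs whose body looks like a staged payload, in input order."""
    return [c["comment_ID"] for c in comments if looks_like_staged_payload(c["comment_content"])]


def _constructed_blob() -> str:
    """Deterministic stand-in for encrypted payload bytes, base64-encoded (3000 bytes -> 4000 chars)."""
    rng = random.Random(20240301)
    return base64.b64encode(bytes(rng.getrandbits(8) for _ in range(3000))).decode()


SAMPLE_COMMENTS = [  # constructed rows shaped like wp_comments
    {"comment_ID": 101, "comment_content": "Thanks, this cleared up the easement paperwork for us."},
    {"comment_ID": 102, "comment_content": "Nice post!! Check my site http://shoes-example.invalid/deals"},
    {"comment_ID": 103, "comment_content": "Great article.\n" + _constructed_blob()},
    {"comment_ID": 104, "comment_content": "First!!! " + "a" * 2000},  # long but zero-information
]

if __name__ == "__main__":
    for cid in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {cid}: possible staged payload")
```

Comment 104 is the edge case the uniformity check exists for: a spam comment of 2000 identical characters clears the length threshold but has a single-symbol alphabet, so it is not flagged. A real review should also look at the comment's author fields and the requests that fetch it, since the retrieval pattern, not the blob alone, is what ties a comment to Gootloader.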
## Related Tools/Techniques
- **Supper SOCKS5 Backdoor:** Deployed by the threat actors after the initial compromise to proxy attacker traffic into the network.
- **Rhysida ransomware (Vanilla Tempest):** The final objective; deployed by Vanilla Tempest after the initial access broker hands off the intrusion.
- **Impacket:** Used for lateral movement and remote command execution against the domain controller.
- **Windows Remote Management (WinRM):** Built-in Windows remoting used as a living-off-the-land channel for lateral movement to the domain controller.