The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) first observed Gootkit JS Loaders on Australian networks in mid-2021. Deployment relied on search engine de-optimisation (poisoning of search results) targeting search terms such as 'agreement', so that users looking for such documents were led to download the malicious script instead.
This report provides technical analysis and indicators of compromise derived from identified Gootkit JavaScript loaders on Australian networks in 2021 and 2022. This information is provided for the purposes of computer network defence and leads development.
The report has been updated since its initial release in 2021 to include new behaviour observed through analysis of additional samples.
The malicious JavaScript samples were obfuscated in several stages. Once unpacked, the loader retrieved Gootkit malware. Open-source reporting indicates that:
- Gootkit JS Loaders are a precursor to several malware families traditionally associated with cybercrime, notably Gootkit, REvil ransomware, Kronos and Cobalt Strike.
- The JavaScript-based obfuscated loader shares capability with various other JS Downloaders identified in open-source reporting.
- Users are targeted based on specific “search-engine query de-optimisations”.
Technical Details update
The ASD’s ACSC has observed JavaScript samples that loaded follow-on malware by writing a program to the Windows registry, creating a scheduled task that executes the program when the user next logs on, and then deleting themselves from the Downloads folder. This sequence gives the follow-on malware, such as Cobalt Strike, persistence across logons while leaving no script file behind on disk for the user to notice.
For additional technical details, see 2021-009: Malicious actors deploying Gootkit Loader on Australian Networks.
Mitigation
Mitigation is unchanged:
- Implement application control to prevent execution of unapproved / malicious programs including .exe, DLL, scripts (Windows Script Host, PowerShell and HTA) and installers. See also [M1038 - Execution Prevention].
- Filter web content to reduce the likelihood of malicious content entering computing environments. Ensure the content filtering environment recognises archived files. See also [M1037 - Filter Network Traffic].
Detection and Indicators of Compromise
Command and Control
HTTP GET requests were made to the URI /search.php with a query parameter whose name is a randomised 13-character string and whose value is a pseudorandom integer.
HTTP GET Request Sample
GET /search.php?tgtytnbwtmelg=5599961917583517 HTTP/1.1
Host: www[.]kucukisletmeler[.]com
Domains Hosting C2 / Second Stage Retrieval
- kucukisletmeler[.]com
- kidzee[.]com
- kiyindo-shiatsu[.]com
- kettlebellgie[.]be
- vin-aire[.]com
- vesperience[.]com
- travelogue.grecotel[.]com
- uumu[.]fi
- sundance.usc[.]edu
- labbunnies[.]eu
- lenovob2bportal[.]com
- lakelandartassociation[.]org
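The C2 pattern and domain list above turned into detection logic, as an added example written for this page (Python; not code from the ASD ACSC report). It refangs the published domains, matches request hosts and their subdomains against them, and applies the /search.php pattern to each request in a few constructed proxy log lines. Restricting the parameter name to 13 lowercase letters is an assumption drawn from the single published sample; the log format and the non-IOC hostnames are invented for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Added example (not code from the ASD ACSC report): flag proxy log entries
# that match the Gootkit loader C2 pattern or the published domain list.

# Domains as published in the report (defanged); refanged only for matching.
C2_DOMAINS_DEFANGED = [
    "kucukisletmeler[.]com", "kidzee[.]com", "kiyindo-shiatsu[.]com",
    "kettlebellgie[.]be", "vin-aire[.]com", "vesperience[.]com",
    "travelogue.grecotel[.]com", "uumu[.]fi", "sundance.usc[.]edu",
    "labbunnies[.]eu", "lenovob2bportal[.]com", "lakelandartassociation[.]org",
]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# /search.php with one parameter: 13-character random name, integer value.
# Limiting the name to lowercase letters is an assumption based on the single
# published sample (tgtytnbwtmelg).
C2_PATH_RE = re.compile(r"^/search\.php\?[a-z]{13}=\d+$")


def host_matches_ioc(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (e.g. www.)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def path_matches_pattern(path_and_query: str) -> bool:
    return C2_PATH_RE.match(path_and_query) is not None


def classify_request(url: str) -> str | None:
    """Return a reason string if the request looks like loader C2, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    ioc = host_matches_ioc(host)
    pat = path_matches_pattern(path_q)
    if ioc and pat:
        return "ioc-domain+search.php-pattern"
    if ioc:
        return "ioc-domain"
    if pat:
        return "search.php-pattern"  # worth a look even on an unlisted host
    return None


# Constructed proxy log lines in a simple "<time> <client> <method> <url>"
# format; sample data for the example, not log entries from the report.
SAMPLE_LOG = """\
2021-08-03T10:15:22Z 10.0.0.5 GET http://www.kucukisletmeler.com/search.php?tgtytnbwtmelg=5599961917583517
2021-08-03T10:15:40Z 10.0.0.5 GET https://www.example.com/search.php?q=agreement
2021-08-03T10:16:01Z 10.0.0.7 GET http://cdn.unrelated.example/search.php?qwertyuiopasd=42
2021-08-03T10:16:30Z 10.0.0.9 GET https://travelogue.grecotel.com/index.php
2021-08-03T10:17:05Z 10.0.0.9 GET https://www.example.org/search.php?tgtytnbwtmelg=notanumber
"""


def scan_proxy_log(text: str) -> list[dict]:
    """Return one finding per log line that matches an IOC or the URI pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, client, method, url = fields
        if method != "GET":
            continue  # the report describes GET requests only
        reason = classify_request(url)
        if reason:
            hits.append({"time": ts, "client": client, "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['reason']} {hit['url']}")
```

The pattern-only match on an unlisted host is the rule worth keeping long term: the domain list dates quickly as compromised sites are cleaned up or rotated, while the /search.php request shape is a property of the loader itself.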
Execution on host
To identify this activity, look for an execution chain in which 7-Zip (or another archive manager) launches wscript.exe or cscript.exe with a command line that references a .js file, the name of which likely contains the word "agreement".
A sample was observed writing a follow-on program to the Windows Registry at "hkcu:\software\microsoft\Phone\USERNAME", where USERNAME is the value of the USERNAME environment variable. Look for modifications to this registry location as a possible sign that follow-on malware is being staged.
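The host-side behaviour from the Technical Details update and the two indicators above (archive manager launching a script host, and writes under HKCU\Software\Microsoft\Phone) as detection logic run over constructed Sysmon-style events. This is an added example written for this page, not code from the ASD ACSC report. The set of archive manager process names, the use of Sysmon Event ID 1 and 13 field names, and the sample events are assumptions. One practical detail it handles: Sysmon records HKCU writes under HKU\<SID>\..., so the key is normalised to HKCU before matching.

```python
from __future__ import annotations

import re

# Added example, not code from the ASD ACSC report: detection logic for the
# host-side behaviour, run over constructed Sysmon-style events (field names
# follow Sysmon Event ID 1 (process create) and 13 (registry value set); the
# records are sample data, not events from the report).

# "7-Zip (or other zip file manager)": this set is an assumption. explorer.exe
# is included because Windows' built-in zip folders open files through it.
ARCHIVE_MANAGERS = {"7zfm.exe", "7zg.exe", "winrar.exe", "explorer.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Sysmon reports a user's HKCU hive as HKU\<S-1-5-21-... SID>\; normalise first.
HKU_SID_RE = re.compile(r"^(?:HKU|HKEY_USERS)\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
# Key from the report; prefix match so that both a value named after the user
# and a per-user subkey with values beneath it are caught.
PHONE_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Phone(?:\\|$)", re.IGNORECASE)
# A .js argument, either quoted (may contain spaces) or bare.
JS_ARG_RE = re.compile(r'"([^"]*\.js)"|(\S+\.js)\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalise_key(target: str) -> str:
    return HKU_SID_RE.sub(lambda _m: "HKCU\\", target)


def js_argument(cmdline: str) -> str | None:
    m = JS_ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_process_event(ev: dict) -> dict | None:
    """Rule 1: archive manager -> wscript/cscript with a .js argument."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev.get("ParentImage", "")) not in ARCHIVE_MANAGERS:
        return None
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    js = js_argument(ev.get("CommandLine", ""))
    if js is None:
        return None
    # "agreement" in the script name matches the lure term in the report.
    confidence = "high" if "agreement" in basename(js) else "medium"
    return {"rule": "archive-manager-to-script-host", "confidence": confidence,
            "user": ev.get("User"), "detail": js}


def check_registry_event(ev: dict) -> dict | None:
    """Rule 2: value written under HKCU\\Software\\Microsoft\\Phone."""
    if ev.get("EventID") != 13:
        return None
    key = normalise_key(ev.get("TargetObject", ""))
    if not PHONE_KEY_RE.match(key):
        return None
    writer = basename(ev.get("Image", ""))
    confidence = "high" if writer in SCRIPT_HOSTS else "medium"
    return {"rule": "phone-registry-write", "confidence": confidence,
            "user": ev.get("User"), "detail": f"{writer} -> {key}"}


def scan_events(events: list[dict]) -> list[dict]:
    findings = []
    for ev in events:
        for check in (check_process_event, check_registry_event):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


def users_with_full_chain(findings: list[dict]) -> set[str]:
    """Users for whom both the script launch and the registry write were seen."""
    by_user: dict[str, set[str]] = {}
    for f in findings:
        by_user.setdefault(f["user"], set()).add(f["rule"])
    wanted = {"archive-manager-to-script-host", "phone-registry-write"}
    return {u for u, rules in by_user.items() if wanted <= rules}


# Constructed sample events: one full loader chain for jdoe, and benign
# script and registry activity for asmith that should not fully match.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\7zO1A2B\service agreement 48213.js"'},
    {"EventID": 13, "User": "CORP\\jdoe", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Phone\jdoe",
     "Details": "Binary Data"},
    {"EventID": 1, "User": "CORP\\asmith",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.js"},
    {"EventID": 13, "User": "CORP\\asmith", "EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['confidence']:6} {f['rule']:32} {f['user']} {f['detail']}")
    print("full chain:", users_with_full_chain(found))
```

A medium-confidence hit on its own (an administrator running a .js from Explorer, or a non-script process touching the key) is triage material; the combination of both rules for the same user within a short window is what the report's description of the loader actually looks like in telemetry, and is the case to alert on.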