Background

Gootkit JS Loaders have been deployed onto Australian networks through search engine de-optimisation, including targeting the word 'agreement'. This advisory provides technical analysis of identified cyber activity on Australian networks for the purposes of computer network defence.

The technical analysis is based on two specific Gootkit JS Loader samples; however, additional indicators of compromise (IOCs), sourced from multiple samples, have been included below.

The malicious JavaScript identified was obfuscated in several stages. Once unpacked, Gootkit malware was retrieved.

Open-source reporting indicates that:

- Gootkit JS Loaders are a precursor to several malware families traditionally used for cybercrime, notably Gootkit, REvil ransomware, Kronos, or CobaltStrike.
- The JavaScript-based obfuscated loader shares capability with various other JS Downloaders identified in open-source reporting.
- Users are targeted based on specific “search-engine query de-optimisations”.

Mitigation

Application Control should be implemented to prevent execution of unapproved/malicious programs, including .exe, DLL, scripts (Windows Script Host, PowerShell and HTA) and installers.

Technical Details

The analysed Gootkit JS Loader samples shared an underlying code structure and multi-stage obfuscation techniques. The analysed samples differed slightly in the presented order and structure of functions.

ACSC Comment: It is likely that a broad set of function naming exists within this malware family code due to the obfuscation. Previously identified open-source samples had obfuscated all aspects of the code with randomly generated alphanumeric strings. The samples analysed by the ACSC were specifically obfuscated with word-substitution.

Identified Gootkit JS Loader samples were obfuscated with simple word substitution for variables, functions, and strings (other than required system functions, e.g. wscript). Additional stages of execution were obfuscated with a simple substitution cypher that was easily reversed. The JavaScript loaded, slept and deobfuscated the next stage of the loader. Once all stages were deobfuscated, the JavaScript would generate a pseudorandom integer and beacon to hard-coded compromised domains with a specific search term. The hard-coded domains could be retrieved via dynamic execution in a sandbox environment, or via manual deobfuscation and reversal of the encoded variables and functions.

ACSC Comment: The analysed samples had different code structures, and differed slightly from previously reported samples targeting European victims. The obfuscation method differed from open-source reporting on Gootkit JS Loaders. This suggests a change in the search engine targeting methodology, and a distinct revision or renewal of the underlying Gootkit builder codebase when pivoting to non-European users.

Indicators of Compromise (IOCs)

Command and Control

HTTP GET requests were made to the specific URI /search.php with the parameter {randomised 13 character string} set to {pseudorandom integer}.

HTTP GET Request Sample

GET /search.php?tgtytnbwtmelg=5599961917583517 HTTP/1.1
Host: www[.]kucukisletmeler[.]com

Domains Hosting C2 / Second Stage Retrieval

- kucukisletmeler[.]com
- kidzee[.]com
- kiyindo-shiatsu[.]com
- kettlebellgie[.]be
- vin-aire[.]com
- vesperience[.]com
- travelogue.grecotel[.]com
- uumu[.]fi
- sundance.usc[.]edu

Execution on host

To identify this activity, look for an execution chain of 7-Zip (or other zip file manager) launching wscript.exe with a command line argument containing a .js file.

Malware Samples

Identified malware sample details are below:

Sample One
Filename: which_australian_prime_minister_signed_the_lima_agreement.js
MD5: 333d5f9d50c1b67bae4cc811a59ef94c
SHA256: c1c01fa53f45e751cc26213f1ff5c6f3a70f9fa1af725499a8d34f50eb7f4733

Sample Two
Filename: difference_between_supplemental_agreement_and_amendment_agreement.js
MD5: 2bd52b710f6f7f994f3e80261cc56e61
SHA256: 1344146efb830df320496948569560102476d84df393a766345f6d0d8eee14c0

Sample Three
Filename: brisbane_city_council_enterprise_agreement.js
MD5: f864f333c609c397c921a9bd6fe1c684
SHA256: 9d059411604fb00c0d407ef4eac5ff00c38db0e9935a842cdd363419f4378304

Sample Four
Filename: bapi_for_outline_agreement.js
MD5: b30c431c55293bc174eba6a3d33eb178
SHA256: 2fcca5598f5e0c9d486e6c1c4bfc7a3652b7ba2b88b49406f05221b2f982ed94

Sample Five
Filename: bapi_for_outline_agreement.js
MD5: f9f782e6a23a64b913750036aa390d1e
SHA256: 65b86bbbc46da97816a8e26f909a164adf77c84bb5ee8f824b6fdbc3e0269abe

Related alert

Malicious actors deploying Gootkit Loader on Australian Networks
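The following Python is an added example and not part of the ACSC advisory. It turns the two detection opportunities the advisory describes (the GET /search.php beacon with a 13-character parameter name, and an archiver launching wscript.exe with a .js argument) into matching logic and runs it over constructed sample records. The record layouts, the set of archiver process names, and the allowance of digits in the 13-character parameter name are assumptions; the domain list and the sample request line come from the advisory.

```python
"""Detection logic for the Gootkit JS Loader behaviours described in the advisory.
Added example; record formats and archiver process names are assumptions."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Domains listed in the advisory, refanged from the "[.]" form for matching.
GOOTKIT_C2_DOMAINS = {
    "kucukisletmeler.com", "kidzee.com", "kiyindo-shiatsu.com",
    "kettlebellgie.be", "vin-aire.com", "vesperience.com",
    "travelogue.grecotel.com", "uumu.fi", "sundance.usc.edu",
}

# Advisory pattern: /search.php?{randomised 13 character string}={pseudorandom integer}.
# The observed key is lowercase letters; also allowing digits is an assumption.
PARAM_KEY_RE = re.compile(r"^[a-z0-9]{13}$")
PARAM_VAL_RE = re.compile(r"^\d+$")

# "7-Zip (or other zip file manager)" in the advisory; this name set is an assumption.
# explorer.exe is deliberately left out: it also parents every double-clicked script.
ARCHIVER_PARENTS = {"7zfm.exe", "7zg.exe", "7z.exe", "winrar.exe"}
JS_ARG_RE = re.compile(r"\.js\b", re.IGNORECASE)


def classify_http(host: str, request_line: str) -> Optional[Dict[str, str]]:
    """Return match details when a request line fits the beacon shape, else None.

    Confidence is "high" when the Host header is one of the advisory's domains and
    "medium" when only the URI shape matches (the list of compromised sites is unlikely
    to be complete, so the shape alone is still worth surfacing)."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/search.php":
        return None
    params = parse_qsl(url.query, keep_blank_values=True)
    if len(params) != 1:
        return None
    key, value = params[0]
    if not (PARAM_KEY_RE.match(key) and PARAM_VAL_RE.match(value)):
        return None
    host_norm = host.lower().removeprefix("www.")
    known = host_norm in GOOTKIT_C2_DOMAINS
    return {"host": host, "param": key, "value": value,
            "confidence": "high" if known else "medium"}


def is_archiver_to_wscript_js(event: Dict[str, str]) -> bool:
    """True when an archiver process launches wscript.exe with a .js file argument."""
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    return (parent in ARCHIVER_PARENTS and image == "wscript.exe"
            and JS_ARG_RE.search(event.get("command_line", "")) is not None)


def scan(http_records: List[Tuple[str, str]],
         proc_events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run both detections and return (rule, confidence, evidence) tuples."""
    alerts: List[Tuple[str, str, str]] = []
    for host, line in http_records:
        hit = classify_http(host, line)
        if hit:
            alerts.append(("gootkit_beacon", hit["confidence"], host))
    for ev in proc_events:
        if is_archiver_to_wscript_js(ev):
            alerts.append(("archiver_wscript_js", "high", ev["command_line"]))
    return alerts


# Constructed sample records: (Host header, request line) pairs, the first taken
# from the advisory's sample request; the others are benign look-alikes.
SAMPLE_HTTP: List[Tuple[str, str]] = [
    ("www.kucukisletmeler.com", "GET /search.php?tgtytnbwtmelg=5599961917583517 HTTP/1.1"),
    ("www.example.org", "GET /search.php?q=gootkit HTTP/1.1"),
    ("cdn.example.net", "GET /search.php?abcdefghijklm=123456789 HTTP/1.1"),
]

# Constructed Sysmon-style process creation records (paths are assumptions).
SAMPLE_PROCS: List[Dict[str, str]] = [
    {"parent_image": r"C:\Program Files\7-Zip\7zFM.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\u\AppData\Local\Temp\which_australian_prime_minister_signed_the_lima_agreement.js"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for rule, confidence, evidence in scan(SAMPLE_HTTP, SAMPLE_PROCS):
        print(f"[{confidence}] {rule}: {evidence}")
```

The beacon check parses the URI rather than substring-matching "search.php", so a legitimate site search with several parameters or a non-numeric value does not fire; the medium-confidence tier exists because the compromised-domain list in the advisory is a snapshot and the URI shape is the more durable indicator. The process-chain rule keys on the parent image name, which is how most EDR and Sysmon pipelines expose it, and requires both wscript.exe and a .js argument so that .vbs logon scripts launched elsewhere are not flagged.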