Gootkit Loader continues to be used on multiple Australian networks

The Australian Cyber Security Centre continues to observe instances of Gootkit JavaScript (JS) Loaders on multiple Australian networks in 2022. Open source reporting also indicates continued Gootkit activity.

The ACSC first observed Gootkit JS Loaders on Australian networks in mid-2021. Deployment was achieved through search engine de-optimisation targeting terms such as 'agreement'.

This report provides technical analysis and indicators of compromise derived from identified Gootkit JavaScript loaders on Australian networks in 2021 and 2022. This information is provided for the purposes of computer network defence and leads development.

The report has been updated since its initial release in 2021 to include new behaviour observed through analysis of additional samples.

The malicious JavaScript samples were obfuscated in several stages. Once unpacked, Gootkit malware was retrieved. Open-source reporting indicates that:

  • Gootkit JS Loaders are a precursor to several malware families traditionally used for cybercrime, notably, Gootkit, REvil ransomware, Kronos, or CobaltStrike.
  • The JavaScript-based obfuscated loader shares capability with various other JS Downloaders identified in open-source reporting.
  • Users are targeted based on specific “search-engine query de-optimisations”.

Technical Details update

The ACSC has observed JavaScript samples that loaded follow-on malware by writing a program to the Windows registry, creating a scheduled task that executes the program when the user next logs on, and then deleting the original script from the Downloads folder. This process allowed follow-on malware, such as Cobalt Strike, to execute.

For additional technical details, see 2021-009: Malicious actors deploying Gootkit Loader on Australian Networks.

Mitigation

Mitigation is unchanged:

  • Implement application control to prevent execution of unapproved / malicious programs including .exe, DLL, scripts (Windows Script Host, PowerShell and HTA) and installers. See also [M1038 - Execution Prevention].
  • Filter web content to reduce the likelihood of malicious content entering computing environments. Ensure the content filtering environment recognises archived files. See also [M1037 - Filter Network Traffic].

Detection and Indicators of Compromise

Command and Control

HTTP GET requests were made to the URI /search.php with a single query parameter: the parameter name is a randomised 13-character string and its value is a pseudorandom integer.

HTTP GET Request Sample
GET /search.php?tgtytnbwtmelg=5599961917583517 HTTP/1.1
Host: www[.]kucukisletmeler[.]com

Domains Hosting C2 / Second Stage Retrieval


Execution on host

To identify this activity, look for an execution chain of 7-Zip (or another zip file manager) launching wscript.exe or cscript.exe, with the command line argument containing a .js file, likely containing the word "agreement".

A sample was observed writing a follow-on program to the Windows Registry at "hkcu:\software\microsoft\Phone\USERNAME", where USERNAME was the username from the environment variable. Look for modifications of this registry key for possible loading of follow-on malware.
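As an added example (not part of the ACSC advisory), the following Python scans a few constructed log events for the three detection opportunities described in this report: the /search.php C2 request shape, the archive-manager-to-Windows-Script-Host execution chain, and the HKCU\Software\Microsoft\Phone\USERNAME registry write. The archive manager process names and the event layout are assumptions.

```python
import re
from ntpath import basename

# Constructed sample events (not from the advisory) in a minimal log shape.
EVENTS = [
    {"type": "http", "request": "GET /search.php?tgtytnbwtmelg=5599961917583517 HTTP/1.1"},
    {"type": "http", "request": "GET /search.php?q=agreement HTTP/1.1"},
    {"type": "process", "parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\rental agreement 7931.js"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\tools\backup.vbs"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Phone\alice", "user": "alice"},
]

# Request line shape from the advisory: /search.php?<13 letters>=<integer>
C2_URI_RE = re.compile(r"^GET /search\.php\?[a-z]{13}=\d+ HTTP/1\.[01]$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVE_MANAGERS = {"7zfm.exe", "7z.exe", "7zg.exe", "winrar.exe"}  # assumption: common archive tools

def is_c2_request(request_line: str) -> bool:
    """True when the HTTP request line matches the observed C2 pattern."""
    return C2_URI_RE.match(request_line.strip()) is not None

def is_script_launch_from_archiver(parent: str, image: str, cmdline: str) -> bool:
    """Archive manager spawning Windows Script Host with a .js file on the command line."""
    if basename(parent).lower() not in ARCHIVE_MANAGERS:
        return False
    if basename(image).lower() not in SCRIPT_HOSTS:
        return False
    return ".js" in cmdline.lower()

def is_phone_key_write(key: str, user: str) -> bool:
    """Registry write under HKCU / Software / Microsoft / Phone / <username>."""
    expected = r"hkcu\software\microsoft\phone" + "\\" + user.lower()
    return key.lower().replace("hkey_current_user", "hkcu").startswith(expected)

def scan(events):
    """Return (event index, label) for every event matching one of the three indicators."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "http" and is_c2_request(ev["request"]):
            hits.append((i, "gootkit-c2-uri"))
        elif ev["type"] == "process" and is_script_launch_from_archiver(ev["parent"], ev["image"], ev["cmdline"]):
            severity = "high" if "agreement" in ev["cmdline"].lower() else "medium"
            hits.append((i, f"archiver-spawns-wsh-{severity}"))
        elif ev["type"] == "registry" and is_phone_key_write(ev["key"], ev["user"]):
            hits.append((i, "phone-registry-key"))
    return hits

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```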

Open source reporting examples
