SEO Poisoning to Domain Control: The Gootloader Saga Continues

An SEO‑poisoned search result led a user to download a ZIP containing obfuscated JavaScript that, once run, launched PowerShell to install Gootloader, which staged and loaded a Cobalt Strike beacon directly from registry‑stored payloads. The intruder used Cobalt Strike and a PowerShell SystemBC SOCKS proxy to perform discovery, credential theft (LSASS), remote service creation over SMB/WMI, and RDP tunneling to reach domain controllers. #Gootloader #CobaltStrike

Keypoints

  • User clicked an SEO‑poisoned search result and executed a JavaScript payload contained in a downloaded ZIP (Implied Employment Agreement).
  • Gootloader created a scheduled task and executed obfuscated PowerShell which fetched staged payloads from remote xmlrpc endpoints.
  • Final stages were written into registry keys and a deobfuscated in‑memory loader loaded a Cobalt Strike beacon into PowerShell/dllhost processes.
  • Threat actor performed LDAP/AD discovery, accessed LSASS memory to harvest credentials, and used those credentials to create remote services and move laterally via SMB and RDP.
  • SystemBC (PowerShell SOCKS v5) was deployed to tunnel external RDP access (SOCKS) to internal hosts, enabling interactive RDP sessions to domain controllers and backup servers.
  • Tampering with defenses observed: deletion of scheduled scans, creation of a service to disable Defender real‑time monitoring, and registry changes to enable Restricted Admin Mode and RDP.
  • No confirmed bulk data exfiltration was observed, but interactive viewing of sensitive files and backup configurations occurred during RDP sessions.

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial access via SEO poisoning where ‘the user encountered a SEO poisoned result and clicked on it.’
  • [T1059.005] Command and Scripting Interpreter: JavaScript – Execution began when ‘a JavaScript file bearing a name similar to their initial search term…triggered the Gootloader malware’s execution process.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The chain executed ‘an obfuscated PowerShell script, which calls another PowerShell script.’
  • [T1053] Scheduled Task/Job – Persistence and staged execution via ‘a new scheduled task named “InfrSiRfucture Technologies” … run on demand’ with a logon trigger.
  • [T1547.001] Registry Run Keys/Startup Folder – Stages were stored and persisted in registry keys: ‘a script wrote stage1 and stage2 into the registry before deobfuscating stage1.’
  • [T1055] Process Injection – In‑memory loading observed with ‘instance of process injection into dllhost was detected’ to host Cobalt Strike beacons.
  • [T1003.001] Credential Dumping: LSASS Memory – Credential access through ‘access to the LSASS memory’ for harvesting credentials.
  • [T1021] Remote Services (SMB/RDP) – Lateral movement via ‘Cobalt Strike beacons were deployed across several endpoints using remote service creation’ and use of RDP for interactive sessions.
  • [T1047] Windows Management Instrumentation – Remote execution and registry changes performed via ‘reg add … executed remotely through WMI to attempt to permit RDP connections.’
  • [T1090.004] Proxy: SOCKS – Use of SystemBC PowerShell (s5.ps1) created ‘SOCKS v5 traffic’ to tunnel connectivity and RDP access.
  • [T1071.001] Application Layer Protocol: Web (HTTP/S) – C2 communications via HTTP/S where ‘Cobalt Strike HTTP Beacon communicating to IPv4 91.215.85[.]143:443.’
  • [T1027] Obfuscated Files or Information – Use of multiple encoding/obfuscation layers: ‘encoded PowerShell commands’ and ‘obfuscated launcher’ requiring base64/XOR and deobfuscation steps.

Indicators of Compromise

  • [IP Address] C2 servers and proxies – 91.215.85.143:443 (Cobalt Strike), 91.92.136.20:4001 (SystemBC SOCKS), and 46.28.105.94 (Gootloader endpoint).
  • [Domain/URL] Weaponized XMLRPC endpoints used by Gootloader – blog.lilianpraskova[.]cz/xmlrpc.php, hrclubphilippines[.]com/xmlrpc.php, and several other xmlrpc.php hosts.
  • [File name] Initial lure and dropped stager – Implied_employment_agreement_70159.zip and the dropped secondary script ‘Frontline Management.js’.
  • [Registry keys] In‑memory payload storage – HKCU\Software\Microsoft\Personalization\geRBAdXTDCkN and HKCU\Software\Microsoft\Personalization\cbkSBtbjQBNFy used to store stage1/stage2 data.
  • [Executable names] Cobalt Strike dropper names observed – e544944.exe, 5d78365.exe (CS beacon examples).
  • [File hashes] Sample artifact hashes – payload1.dll SHA256: 68dd1a2da732d56b0618f8581502fcf209b1c828c97d05f239c98d55bb78b562, payload2.exe SHA256: 831955bd05186381a8f15539a41f48166873eab3feb55fb1104202e4152bd507 (and several more hashes).

Gootloader’s technical chain begins with an SEO‑poisoned search result delivering a ZIP archive containing a JavaScript stager; double‑clicking the JS drops a heavily obfuscated secondary script (e.g., “Frontline Management.js”) that creates a scheduled task and invokes a PowerShell chain. That PowerShell checks a rotating list of remote xmlrpc endpoints until one (in this case 46.28.105[.]94 / blog.lilianpraskova[.]cz/xmlrpc.php) responds with a multi‑component payload: an obfuscated DLL (stage1), an EXE (stage2), and a script that writes both into registry values under HKCU\Software\Microsoft\Personalization to avoid writing them to disk. Stage1 is deobfuscated and loaded into memory and then deobfuscates/loads stage2, which contains a Cobalt Strike beacon injected into svchost/dllhost/PowerShell processes.

Once the beacon was active, the operators executed LDAP queries and AD enumeration, discovered open RDP endpoints (using Advanced IP Scanner), and accessed LSASS memory to harvest credentials. They used harvested credentials and token‑based logons to create remote services (MSRPC/SCM) and drop Cobalt Strike beacons to other hosts via SMB admin shares; defenders detected and removed some compiled beacons on domain controllers. The intruders also executed commands remotely via WMI (for example reg add to set fDenyTSConnections to 0 and to enable Restricted Admin Mode) and attempted to disable Windows Defender (scheduled scan deletion and creation of a service to stop real‑time monitoring).
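The two registry behaviours described above (Gootloader staging payload data under HKCU\Software\Microsoft\Personalization, and reg add run over WMI to open up RDP) lend themselves to simple detection logic. The following is an added example, not code from the DFIR Report, and assumes Sysmon‑style events already normalised into Python dicts; the random value‑name length and the DisableRestrictedAdmin value name are assumptions.

```python
import re
from typing import Dict, List

# Gootloader wrote stage1/stage2 into randomly named values under this key (path from the
# report, HKCU or Sysmon's HKU\<SID> form); the 8+ char alphanumeric value name is assumed.
STAGING_KEY = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Personalization\\[A-Za-z0-9]{8,}$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
LARGE_VALUE = 4096  # real Personalization values are tiny; staged payloads are not
# "reg add ... /v <value> ... /d 0" as the intruder ran it over WMI. fDenyTSConnections is
# named in the report; DisableRestrictedAdmin is the standard LSA value that enables
# Restricted Admin Mode (value name assumed here, the report does not quote it).
REG_TAMPER = re.compile(
    r"\breg(?:\.exe)?\b.*?\badd\b.*?/v\s+\"?(?P<value>fDenyTSConnections|DisableRestrictedAdmin)\"?"
    r".*?/d\s+0+\b", re.I)
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}  # child of the WMI provider host = remote execution

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_registry_set(evt: Dict) -> List[str]:
    """Sysmon EID 13-style event: image, target_object, details (value data as text)."""
    target, data = evt.get("target_object", ""), evt.get("details", "")
    if not STAGING_KEY.match(target):
        return []
    host = _basename(evt.get("image", ""))
    if host in SCRIPT_HOSTS or len(data) >= LARGE_VALUE:
        return [f"gootloader_registry_staging: {host} wrote {len(data)} bytes to {target}"]
    return []

def check_process_create(evt: Dict) -> List[str]:
    """Sysmon EID 1-style event: image, command_line, parent_image."""
    m = REG_TAMPER.search(evt.get("command_line", ""))
    if not m:
        return []
    parent = _basename(evt.get("parent_image", ""))
    via = "via WMI" if parent in REMOTE_EXEC_PARENTS else f"parent {parent}"
    return [f"rdp_hardening_disabled: {m.group('value')} set to 0 ({via})"]

def detect(events: List[Dict]) -> List[str]:
    handlers = {"RegistryValueSet": check_registry_set, "ProcessCreate": check_process_create}
    return [a for e in events for a in handlers.get(e.get("event"), lambda _: [])(e)]

# Constructed sample events modelled on the report (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKCU\Software\Microsoft\Personalization\Theme", "details": "1"},
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKCU\Software\Microsoft\Personalization\geRBAdXTDCkN", "details": "A" * 60000},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'reg query "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: the oversized PowerShell write to the Personalization key and the WMI‑spawned reg add, while the benign explorer.exe write and the reg query pass silently.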

To reach high‑value targets externally, the attackers deployed a PowerShell variant of SystemBC (s5.ps1) that established a SOCKS v5 tunnel to 91.92.136[.]20:4001, allowing the attacker to proxy RDP sessions through the compromised workstation to a domain controller and backup server. During interactive RDP sessions they inspected file shares and configuration/backups (password/contract files were viewed), but the report did not confirm large‑scale data exfiltration before the intruder was evicted.

Read more: https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues