Goot to Loot—How a Gootloader Infection Led to Credential Access – ReliaQuest

ReliaQuest’s Threat Hunting Team traced a May 2023 incident to Gootloader, a JavaScript-based initial-access malware that can seed second-stage remote access tools and enable ransomware deployments. The assessment details Gootloader’s infection chain, the SystemBC RAT as the second-stage payload, and credential access and exfiltration activities observed in the environment. #Gootloader #SystemBC #ReliaQuest

Key Points

  • Gootloader is a JavaScript-based initial access malware that commonly uses SEO poisoning to prompt malware downloads.
  • The infection begins with a social-engineered, SEO-poisoned page prompting a download of a ZIP containing a malicious JS file.
  • The initial payload drops a second JS file and changes its placement directory per execution to evade defenders.
  • Persistence is established via a scheduled task named “Tribal Consultation” that runs the secondary script at user login.
  • The second-stage payload is linked to SystemBC RAT for interactive remote access and uses multiple C2 domains and encoded data to communicate.
  • Discovery and privilege escalation involve LDAP queries, SPN discovery, and Kerberoasting with RC4, enabling further access.
  • Lateral movement uses RDP from the compromised host to other systems; LSASS credential dumping and SAM hive exports are attempted for credential theft and exfiltration via FTP.

MITRE Techniques

  • [T1189] Drive-by Compromise – Delivery via an SEO-poisoned page that prompts malware downloads. “For delivery, it typically depends on SEO poisoning, a technique used by attackers to manipulate the ranking of web pages in search engine results to draw clicks and prompt malware downloads.”
  • [T1053.005] Scheduled Task – Persistence by adding a secondary script as a scheduled task named “Tribal Consultation” that runs at login. “The initial JS script … added the secondary script in its shortened form as a scheduled task on the victim’s machine … the task name did not vary between executions.”
  • [T1059.005] Windows Script Host – Execution of the initial JS file via WScript.exe. “executed via Windows Script Host (wscript.exe) using this command line…”
  • [T1059.001] PowerShell – Execution path includes obfuscated PowerShell commands reaching out to C2. “reaching out to 10 C2 domains” and encoded data within PowerShell context.
  • [T1071.001] Web Protocols – C2 communication through multiple domains. “obfuscated PowerShell command reaching out to 10 C2 domains.”
  • [T1027] Obfuscated/Compressed Files and Information – Data collected in environmental variables is Base64 encoded and gzip compressed before exfiltration. “The script indicated that information collected within these variables … Base64 encoded, and Gzip compressed.”
  • [T1021.001] Remote Services – Lateral movement via RDP from the compromised host to three other hosts, with interactive actions on one host (Stealthbits Server). “The attacker used the compromised service account to RDP to three unique hosts…”
  • [T1003.001] LSASS Memory – Credential dumping via LSASS memory using MiniDump. “LSASS credentials on the host … MiniDump” and subsequent attempts with procdump. “procdump -accepteula -ma lsass.exe lsassdump”
  • [T1003.005] Credential Dumping via Registry – Exfiltration of registry hive exports (SYSTEM and SAM) to external FTP. “saving the registry contents of the SYSTEM hive and the SAM hive via the registry modification tool reg.exe” and upload to FTP.
  • [T1041] Exfiltration – Exfiltration of dumped credentials and registry data over FTP to external hosts. “exfiltration of their captured data” and “uploaded to FTP hosting site.”
  • [T1087.001] Account Discovery – LDAP information discovery via PowerShell to enumerate accounts. “query Lightweight Directory Access Protocol (LDAP) information via PowerShell”
  • [T1558.003] Kerberoasting – Privilege escalation via Kerberos ticket requests using RC4 encryption to crack offline. “Kerberos ticket for a stale service account … RC4 encryption”
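As an added defender-side illustration (not ReliaQuest's code), the Python below turns the observables mapped above (the fixed scheduled-task name, wscript.exe launching a .js, RC4 TGS requests, procdump against lsass, reg.exe hive saves) into simple detection rules and runs them over constructed event records; the field names and sample values are assumptions of this example, not a vendor schema.

```python
import re

# Constructed sample records (not real telemetry) shaped like Windows Security
# (4698 task created, 4769 TGS requested) and Sysmon (1 process create) events.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": "Tribal Consultation",
     "command": r'wscript.exe "C:\Users\u\AppData\Roaming\x\Lead-based Paint.js"'},
    {"event_id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "command": r'wscript.exe "C:\Users\u\Downloads\Lead-based Paint.js"'},
    {"event_id": 4769, "service_name": "svc_legacy", "ticket_encryption_type": "0x17"},
    {"event_id": 4769, "service_name": "WKSTN01$", "ticket_encryption_type": "0x12"},
    {"event_id": 1, "image": r"C:\Tools\procdump.exe",
     "command": "procdump -accepteula -ma lsass.exe lsassdump"},
    {"event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "command": r"reg.exe save HKLM\SAM C:\temp\sam.hiv"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command": "notepad.exe readme.txt"},  # benign control, should not fire
]

def _cmd(e):
    return e.get("command", "")

# Each rule: (technique label, predicate over one event). 0x17 is RC4-HMAC.
RULES = [
    ("T1053.005 scheduled task named 'Tribal Consultation' or launching a .js via wscript",
     lambda e: e["event_id"] == 4698 and (e.get("task_name") == "Tribal Consultation"
               or re.search(r"wscript.*\.js\b", _cmd(e), re.I))),
    ("T1059.005 wscript.exe running a .js from a user-writable path",
     lambda e: e["event_id"] == 1 and e.get("image", "").lower().endswith("wscript.exe")
               and re.search(r"\\users\\.*\.js\b", _cmd(e), re.I)),
    ("T1558.003 RC4 (0x17) TGS request for a non-computer service account",
     lambda e: e["event_id"] == 4769 and e.get("ticket_encryption_type") == "0x17"
               and not e.get("service_name", "").endswith("$")
               and e.get("service_name", "").lower() != "krbtgt"),
    ("T1003.001 procdump full dump of lsass",
     lambda e: e["event_id"] == 1 and re.search(r"procdump.*-ma\s+lsass", _cmd(e), re.I)),
    ("T1003.005 reg.exe save of the SAM or SYSTEM hive",
     lambda e: e["event_id"] == 1
               and re.search(r"reg(\.exe)?\s+save\s+hklm\\(sam|system)\b", _cmd(e), re.I)),
]

def match_events(events):
    """Return (event index, technique label) pairs for every rule that fires."""
    hits = []
    for i, e in enumerate(events):
        for label, pred in RULES:
            if pred(e):
                hits.append((i, label))
    return hits

if __name__ == "__main__":
    for idx, label in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The RC4 rule keys on the encryption type alone and will also fire for legitimate legacy clients, so in practice it is tuned by baselining which accounts normally receive RC4 tickets.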

Indicators of Compromise

  • [IP] C2 / external communications – 94.156.189.36, 217.145.84.64, and 2 more IPs
  • [Domain] Malicious and fraud-friendly domains used for hosting payloads and C2 – salamancaespectacular.com/what-is-the-difference-between-legal-ruled-and-wide-ruled-paper, demo.petsure.com/xmlrpc.php, and 14 more domains
  • [File name] Malicious loaders and scripts – Lead-based Paint.js, What_is_the_difference_between_legal_ruled_and_wide_ruled_paper_7301.zip
  • [File hash] Known hashes associated with the sample – f2afd46cfef3883fc858ca7b7730d4d6ee56a7aedbdb1b1f7bda7dba054f489e, 72ECFA3693CE5858332C9CEE21B608A8F0C2DC3462D56E8BC9955C550A09D55D, and 2 more hashes

Read more: https://www.reliaquest.com/blog/gootloader-infection-credential-access/