TRU investigators at eSentire uncovered Gootloader using a new infection technique delivered via a compromised WordPress site, followed by a hands-on-keyboard phase with Cobalt Strike. The analysis tracks BloodHound usage, PsExec lateral movement, and PowerShell-based C2 activity, with multiple domains and artifacts tied to the intrusion.
Read more: https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity
#Gootloader #CobaltStrike #BloodHound #PsExec #WordPress #xmlrpc #REvil #Kaseya
Keypoints
- Gootloader was observed using a new infection technique, and the investigation exposed the follow-on tooling and the next phase of the intrusion.
- The initial JavaScript payload was delivered via a compromised WordPress site (drive-by delivery).
- On infected hosts the initial payload created files under AppData\Roaming and gave them misleading, document-like names (e.g., Parliamentary Procedure.log).
- A scheduled task named “Foreign Languages” was created to run TIBCO Rendezvous.js, establishing persistence.
- Approximately 2 hours after infection, hands-on activity emerged with a Cobalt Strike payload delivered via PowerShell beaconing to multiple domains (e.g., thetripgoeson.com/xmlrpc.php).
- The attackers retrieved zieu.ps1 (Cobalt Strike payload), BloodHound, and PsExec and attempted lateral movement, but the attempt was blocked by the PowerShell execution policy on the target.
- Indicators of compromise include specific PowerShell scripts (zieu.ps1, s5.ps1, son.ps1), a Cobalt Strike C2 server IP, and numerous contacted domains.
- TRU updated global blocklists, detection rules, and runbooks to address this new infection technique and mitigate similar activity across customers.
MITRE Techniques
- [T1189] Drive-by Compromise – The initial payload was delivered through a compromised WordPress site, enabling a drive-by infection. “The initial payload creates several files under a legitimate folder in AppData\Roaming”
- [T1053] Scheduled Task – A scheduled task named “Foreign Languages” runs the TIBCO Rendezvous.js file for persistence. “The scheduled task “Foreign Languages” is also created to run the “TIBCO Rendezvous.js” file with TIBCOR~1.JS argument at the log on from the sample we retrieved.”
- [T1059.001] PowerShell – Post-infection activities deploy a Cobalt Strike payload via an existing PowerShell process beaconing to C2 domains. “Approximately 2 hours after the initial infection, we observed hands-on activity on the system. The threat actor(s) deployed a Cobalt Strike payload via the existing PowerShell process”
- [T1071.001] Web Protocols – C2 traffic over HTTP, using GET requests for the /xmlrpc.php path on several compromised WordPress domains. “beaconed out to several domains with /GET /xmlrpc.php requests”
- [T1069.002] Permission Groups Discovery: Domain Groups – BloodHound was retrieved to enumerate Active Directory and map attack paths for lateral movement. “BloodHound, a tool used for graphically analyzing Active Directory and other identity systems to identify attack pathways”
- [T1021.002] Remote Services: SMB/Windows Admin Shares – PsExec was used to execute processes on remote computers for lateral movement. “PsExec (C:\Users) – a command-line tool used to execute processes on remote computers”
- [T1112] Modify Registry – A Registry Run key was added so that a PowerShell SOCKS proxy script launches at logon; Run-key persistence is more precisely T1547.001 (Registry Run Keys / Startup Folder). “Registry Run Key name: socks_powershell”
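The behaviours above translate directly into hunt logic. The following is an added example, not code from eSentire or TRU: four rules derived from the chain described in this post (a scheduled task running a .js from AppData\Roaming via wscript/cscript, a Run key launching PowerShell from AppData\Roaming, a script host writing files into AppData\Roaming, and powershell.exe issuing GET /xmlrpc.php to several distinct domains) run over constructed, Sysmon/proxy-style records. The event field names, user names, paths, the benign records and the two-domain threshold are assumptions made for the example; only the task name, the file names, the Run key name and the domains come from the post.

```python
"""Hunt rules for the Gootloader -> Cobalt Strike chain (added example).

Input records are plain dicts loosely modelled on Sysmon (file create, task
registration, registry set) and proxy logs. Field names are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry, not real events from the case. The WS02
# records are benign noise that the rules must leave alone.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Parliamentary Procedure.log"},
    {"type": "task_create", "host": "WS01", "task": "Foreign Languages",
     "action": r'wscript.exe "C:\Users\jdoe\AppData\Roaming\TIBCO Rendezvous.js" TIBCOR~1.JS'},
    {"type": "reg_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\socks_powershell",
     "data": r"powershell.exe -w hidden -f C:\Users\jdoe\AppData\Roaming\s5.ps1"},
    {"type": "http", "host": "WS01", "image": PS_EXE, "method": "GET",
     "url": "http://thetripgoeson.com/xmlrpc.php"},
    {"type": "http", "host": "WS01", "image": PS_EXE, "method": "GET",
     "url": "http://filorga.com/xmlrpc.php"},
    {"type": "http", "host": "WS01", "image": PS_EXE, "method": "GET",
     "url": "http://skymedia360.com/xmlrpc.php"},
    {"type": "task_create", "host": "WS02", "task": "OneDrive Reporting",
     "action": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"},
    {"type": "http", "host": "WS02", "image": FIREFOX, "method": "POST",
     "url": "https://example.com/xmlrpc.php"},
    {"type": "file_create", "host": "WS02", "image": FIREFOX,
     "target": r"C:\Users\asmith\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]

ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
JS_FILE_RE = re.compile(r"\.js\b", re.IGNORECASE)     # .js but not .json
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
XMLRPC_MIN_DOMAINS = 2  # assumption: PowerShell hitting /xmlrpc.php on 2+ sites is already odd


def _basename(path):
    """Last path component, case preserved (comparisons lower-case it)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def hunt(events):
    """Return a sorted list of (host, rule, detail) findings over the records."""
    findings = []
    xmlrpc_domains = defaultdict(set)  # host -> distinct domains hit by powershell.exe
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "task_create":
            # T1053: task action runs a script host on a .js under AppData\Roaming
            act = ev["action"]
            if (any(s in act.lower() for s in SCRIPT_HOSTS)
                    and ROAMING_RE.search(act) and JS_FILE_RE.search(act)):
                findings.append((host, "js_task_in_roaming", ev["task"]))
        elif kind == "reg_set":
            # T1112 / T1547.001: Run key whose data launches PowerShell from AppData\Roaming
            key, data = ev["key"], ev["data"]
            if ("\\currentversion\\run\\" in key.lower()
                    and "powershell" in data.lower() and ROAMING_RE.search(data)):
                findings.append((host, "run_key_powershell_in_roaming", _basename(key)))
        elif kind == "file_create":
            # Loader stage: wscript/cscript dropping files into AppData\Roaming
            if _basename(ev["image"]).lower() in SCRIPT_HOSTS and ROAMING_RE.search(ev["target"]):
                findings.append((host, "script_host_writes_roaming", _basename(ev["target"])))
        elif kind == "http":
            # T1071.001: collect per-host domains where powershell.exe GETs /xmlrpc.php
            u = urlparse(ev["url"])
            if (_basename(ev["image"]).lower() == "powershell.exe"
                    and ev["method"] == "GET" and u.path.lower() == "/xmlrpc.php"):
                xmlrpc_domains[host].add(u.hostname)
    for host, domains in xmlrpc_domains.items():
        if len(domains) >= XMLRPC_MIN_DOMAINS:
            findings.append((host, "powershell_xmlrpc_beacon", ",".join(sorted(domains))))
    return sorted(findings)


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The xmlrpc rule keys on the process (powershell.exe) and the distinct-domain count rather than on the domain list from the post, so it still fires when the actor rotates compromised WordPress hosts; feed it a real proxy export joined to process telemetry and tune the threshold per environment.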
Indicators of Compromise
- [Hash] 23d3d8cd3a5b8e4703a9b91970d790d1, 785fcb9380b4c2310c2200790641bc73, and 2 more hashes listed in the source's indicators table
- [File] zieu.ps1 (Cobalt Strike payload), s5.ps1 (PowerShell SOCKS proxy), and son.ps1 (PowerShell SOCKS proxy)
- [Domain] thetripgoeson.com/xmlrpc.php, filorga.com/xmlrpc.php, skymedia360.com/xmlrpc.php, and the remaining domains listed in the source's indicators table
- [IP] 91.215.85.176 (Cobalt Strike server)