A DNS Investigation of the GootLoader Campaign

Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog

Summary :

Sophos has analyzed GootLoader, a malware that uses cat-related content to lure victims, leading to data theft and ransomware deployment. The research identified numerous indicators of compromise (IoCs) linked to this threat. #GootLoader #CyberThreats #MalwareAnalysis

Keypoints :

  • GootLoader uses SEO poisoning to direct users to malicious sites.
  • The malware can deploy a second-stage payload called GootKit, which is a data stealer and RAT.
  • Sophos identified 12 domains as IoCs, with further analysis revealing additional related domains and IPs.
  • 33 email-connected domains and 15 IP addresses were also identified, with six being malicious.
  • The threat actors prefer using older domains created between 2015 and 2020.

MITRE Techniques :

  • Phishing (T1566): Utilizes cat-related content to lure victims into visiting malware-laden sites.
  • Command and Control (T1071): Maintains communication with compromised systems through multiple domains.
  • Remote Access Tools (T1219): Employs GootKit for remote access and data theft.

Indicator of Compromise :

  • [domain] beezzly[.]com
  • [domain] chanderbhushan[.]com
  • [domain] climatehero[.]me
  • [domain] fannisho[.]com
  • [domain] playyourbeat[.]com
  • [email] 33 email-connected domains
  • [ip address] 103[.]169[.]142[.]0
  • [ip address] 141[.]193[.]213[.]10
  • [ip address] 75[.]2[.]60[.]5

Back in 2015, a survey found that cats drove 15% of the overall Internet traffic. That said, it is not surprising for threat actors to use cat-related content to lure victims to visit their malware-laden sites. Such was the case for GootLoader, which allowed cybercriminals to steal data and deploy post-exploitation tools and ransomware.

Sophos recently analyzed GootLoader, which has been known to use search engine optimization (SEO) poisoning to gain initial access. Users who fall for the ruse get directed to a compromised site that hosts a malicious payload. If the malware remains undetected on a victim’s computer, it makes way for a second-stage payload dubbed “GootKit,” a highly evasive data stealer and remote access Trojan (RAT). Threat actors can use GootKit to deploy ransomware or other tools for follow-on exploitation.

The Sophos researchers identified 12 domains as indicators of compromise (IoCs) in their report. The WhoisXML API research team expanded the IoC list aided by exhaustive DNS intelligence and found:

  • 33 email-connected domains
  • 15 IP addresses, six of which turned out to be malicious
  • 692 IP-connected domains
  • 302 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

About the GootLoader IoCs

First off, we sought to find more information on the 12 domains tagged as IoCs. A bulk WHOIS lookup for them revealed that:

  • Only nine of the domains had current WHOIS records.
  • The nine domains with current WHOIS records were administered by a different registrar each, namely, BigRock Solutions, CSL Computer Service, Gandi, GoDaddy, Registrar.eu, Namecheap, NameSilo, Rebel.com, and Romarg.
  • The nine domains were created between 2015 and 2020, indicating that the threat actors may have preferred using old domains.

  • While three of the nine domains did not have registrant country details in their records, we found that two were registered in the U.S., while one each was registered in four different countries, namely, Canada, Iceland, India, and Sweden.

We also looked at the passive DNS records of the 12 domains tagged as IoCs and found that 83% or 10 of them have resolved to 50 or more IP addresses each since 2019. Take a look at five examples below.

DOMAIN IoC DATE STARTED RESOLVING TO AN IP ADDRESS TOTAL NUMBER OF IP ADDRESSES
beezzly[.]com 4 October 2019 50
chanderbhushan[.]com 2 May 2021 50
climatehero[.]me 4 October 2019 100+
fannisho[.]com 4 October 2019 51
playyourbeat[.]com 1 October 2019 92

The domain IoC playyourbeat[.]com, for instance, has seen 92 DNS changes since it first resolved to IP address 85[.]187[.]128[.]9 on 4 October 2019 according to DNS Chronicle Lookup. The first shift occurred 462 days after it was first recorded in our passive DNS database on 8 January 2021. After that, the number of days in-between each change ranged between one and 293 from 8 January 2021 to 1 September 2024.

GootLoader IoC List Expansion Findings

We began our search for connected artifacts by querying the 12 domains tagged as IoCs on WHOIS History API. That led to the discovery of 22 email addresses in their historical WHOIS records although only nine were public.

Next, we queried the nine public email addresses on Reverse WHOIS API. Three of them appeared in the current WHOIS records of other domains, leading us to uncover 33 email-connected domains after filtering out duplicates and the IoCs.

DNS lookups for the 12 domains tagged as IoCs showed that 11 actively resolved to 15 unique IP addresses.

Threat Intelligence API queries for the 15 IP addresses revealed that six have already figured in malicious campaigns. Take a look at three examples below.

MALICIOUS IP ADDRESS ASSOCIATED THREAT TYPES
103[.]169[.]142[.]0 Attack
Command and control (C&C)
Generic
Malware
Phishing
Suspicious
141[.]193[.]213[.]10 Attack
C&C
Generic
Malware
Phishing
Spam
Suspicious
75[.]2[.]60[.]5 Attack
C&C
Generic
Malware
Phishing
Spam

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

NORDVPN DISCOUNT – CircleID x NordVPN
Get NordVPN
 [74% +3 extra months, from $2.99/month]

<!–

10 facts about NordVPN that aren’t commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN’s servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

–>


Full Research: https://circleid.com/posts/a-dns-investigation-of-the-gootloader-campaign