This article demonstrates how GootLoader evades anti-analysis techniques by using Node.js debugging in Visual Studio Code to step through a JavaScript-based loader, highlighting how the malware delays actions to defeat sandboxes. It also details the infection chain from fake forum posts to a JavaScript payload that persists via a scheduled task and communicates with a web-based C2 channel. Hashtags: #GootLoader #GootkitLoader #Unit42 #PaloAltoNetworks #JavaScript
Keypoints
- GootLoader is a JavaScript-based backdoor/loader distributed through fake forum posts, delivering a ZIP and a JavaScript file that initiates infection.
- The infection chain is depicted as fake forum page → ZIP download → ZIP archive → JavaScript file → persistence via scheduled task → web-based C2 traffic.
- Sandboxes that process large volumes of submitted binaries can only spend a limited time on each sample; GootLoader exploits this by delaying its actions until the analysis window has passed, a tactic commonly described as "sleeping".
- The article uses Node.js debugging in Visual Studio Code to step through the GootLoader file, revealing execution flow and obfuscated code intertwined with legitimate libraries.
- GootLoader employs long, multi-function loops and a delay ("sleep") function to obscure its malicious actions, culminating in execution within the course83 function.
- Key indicators include specific SHA256 hashes of GootLoader JavaScript files and the file name of the sample used in the analysis.
- Protection guidance references Unit 42 Incident Response and Palo Alto Networks products to help detect, analyze, and mitigate GootLoader threats, plus CTA collaboration.
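The sleep-style delay and the analyst's way past it, as an added example that is not code from the Unit 42 article or from GootLoader itself: the busy-loop mechanism, the function names (sleepyLoop, finalStage, loaderChain, installFastClock) and the delay values are assumptions chosen for illustration. The loader side spins on the wall clock, which no sandbox hook on timer APIs will shorten; the analyst side replaces the global Date with one whose clock jumps forward on every read, so stepping through the chain in a debugger reaches the final stage without waiting.

```javascript
// Added illustration, not GootLoader's own code: a loader-style delay built from a
// wall-clock busy loop, plus the analyst-side clock patch that lets a debugger step
// past it without waiting. The loop mechanism here is an assumption chosen for
// illustration; the real sample's delay logic is not reproduced.

const RealDate = Date;

// Loader-style "sleep": spin on the wall clock until delayMs has passed. No timer API
// is involved, so hooks on setTimeout or WScript.Sleep alone would not shorten it.
function sleepyLoop(delayMs) {
  const start = new Date().getTime();
  let spins = 0;
  while (new Date().getTime() - start < delayMs) {
    spins++;
  }
  return spins;
}

// Stand-in for the stage reached only once the delay completes (hypothetical name).
function finalStage(log) {
  log.push("finalStage reached");
  return "payload-would-run-here";
}

// The chain an analyst steps through: delay first, then the actual work.
function loaderChain(delayMs, log) {
  log.push(`sleepyLoop(${delayMs}) start`);
  const spins = sleepyLoop(delayMs);
  log.push(`sleepyLoop done after ${spins} spins`);
  return finalStage(log);
}

// Analyst patch: a Date whose clock jumps forward by stepMs on every no-argument
// construction or Date.now() call, so any clock-based busy loop ends within a few
// iterations. Counting reads is itself a tell: a tight run of clock reads with no
// other work is what a delay loop looks like from the outside.
function installFastClock(stepMs) {
  const initial = RealDate.now();
  let virtualNow = initial;
  let reads = 0;
  class FastDate extends RealDate {
    constructor(...args) {
      if (args.length === 0) {
        reads++;
        virtualNow += stepMs;
        super(virtualNow);
      } else {
        super(...args); // explicit timestamps are left untouched
      }
    }
    static now() {
      reads++;
      virtualNow += stepMs;
      return virtualNow;
    }
  }
  globalThis.Date = FastDate;
  return {
    reads: () => reads,
    elapsedMs: () => virtualNow - initial,
    restore: () => { globalThis.Date = RealDate; },
  };
}

// Run the chain under the fast clock and report what the loader "thought" happened.
function analyzeUnderFastClock(delayMs, stepMs = 60 * 1000) {
  const clock = installFastClock(stepMs);
  const log = [];
  try {
    const result = loaderChain(delayMs, log);
    return { result, log, clockReads: clock.reads(), virtualElapsedMs: clock.elapsedMs() };
  } finally {
    clock.restore();
  }
}

// A ten-minute delay completes immediately: 11 clock reads, 660000 virtual ms.
console.log(JSON.stringify(analyzeUnderFastClock(10 * 60 * 1000), null, 2));
```

When stepping a real sample in Visual Studio Code, the same patch can be applied from the debug console at a breakpoint just before the delay loop (evaluate installFastClock with a large step), then continue to the function that does the actual work. Samples may read the clock through other means than the Date constructor, so patch each time source you see the loop consult rather than assuming one hook covers them all.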
MITRE Techniques
- [T1059.007] JavaScript – GootLoader is itself a JavaScript file executed on the victim host: ‘a JavaScript file that initiates infection.’ Note that the article’s remark ‘In this environment, we can step through the code using Node.js debugging in the Visual Studio Code editor’ describes the analyst’s lab setup, not how the malware runs on a victim, so it is not by itself evidence of this technique.
- [T1053.005] Scheduled Task – Persistence by installing and maintaining a scheduled task: ‘GootLoader installs and is made persistent through scheduled task.’
- [T1497] Virtualization/Sandbox Evasion (specifically the sub-technique T1497.003, Time Based Evasion) – Anti-analysis strategy by delaying malicious actions inside a sandbox: ‘delaying actions within the sandbox to conceal its true intent. These delaying actions are commonly described as “sleeping.”’
- [T1027] Obfuscated/Compressed Files and Information – Code obfuscation by interweaving GootLoader code with legitimate JavaScript libraries: ‘interwoven lines of GootLoader code among legitimate JavaScript library code.’
- [T1071.001] Web Protocols – Use of web-based C2 traffic as the malware communicates with C2 infrastructure: ‘web-based C2 traffic.’
- [T1566.002] Phishing/Spearphishing Link – Initial access via fake forum posts that lead to the malware download: ‘distributed through fake forum posts’ and ‘fake forum posts that are nearly identical in appearance.’ The article does not say the links are delivered by email; where victims reach such forum pages through web search rather than a message, the mapping T1189 (Drive-by Compromise) is the more precise fit.
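A host-side check for the persistence pattern listed above (a scheduled task that runs a JavaScript file), as an added example that is not from the Unit 42 article: it parses the CSV that `schtasks /query /fo CSV /v` prints on Windows and flags tasks whose command line runs a .js file through a script host or sits under a user-writable profile path. The sample CSV is constructed for illustration (task names, paths and users are invented, not indicators from the article) and keeps only a subset of the real columns; because rows are keyed by header name, the same code works on the full output.

```javascript
// Added example, not from the Unit 42 article: hunt for scheduled tasks whose
// action launches a JavaScript file. Input is the CSV that
// `schtasks /query /fo CSV /v` emits; the rows below are constructed and keep
// only some of the real columns.

// schtasks CSV output wraps every field in double quotes; embedded quotes are doubled.
function parseCsvLine(line) {
  const fields = [];
  let cur = "";
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ",") {
      fields.push(cur); cur = "";
    } else {
      cur += ch;
    }
  }
  fields.push(cur);
  return fields;
}

// Verbose output can repeat the header line per task folder, so header copies are skipped.
function parseSchtasksCsv(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== "");
  const headerLine = lines[0];
  const header = parseCsvLine(headerLine);
  return lines.slice(1).filter((l) => l !== headerLine).map((l) => {
    const values = parseCsvLine(l);
    const row = {};
    header.forEach((h, i) => { row[h] = values[i] ?? ""; });
    return row;
  });
}

// Heuristics: a script host invoked on a .js/.jse file, a .js action on its own,
// or a command line rooted in a user-writable profile directory.
const SCRIPT_HOST = /\b(wscript|cscript)(\.exe)?\b/i;
const JS_FILE = /\.jse?\b/i;
const USER_WRITABLE = /\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Public)\\/i;

function flagSuspiciousTasks(rows) {
  return rows
    .map((row) => {
      const cmd = row["Task To Run"] || "";
      const reasons = [];
      if (SCRIPT_HOST.test(cmd) && JS_FILE.test(cmd)) reasons.push("script host running .js");
      else if (JS_FILE.test(cmd)) reasons.push("action is a .js file");
      if (USER_WRITABLE.test(cmd)) reasons.push("command under user-writable path");
      return { taskName: row["TaskName"], runAs: row["Run As User"], cmd, reasons };
    })
    .filter((t) => t.reasons.length > 0);
}

// Constructed sample: one Microsoft task, one user-level task running a .js from
// AppData, one vendor .vbs task. Only the second should be flagged.
const SAMPLE_SCHTASKS_CSV = String.raw`"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","1","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","N/A","N/A","Enabled","Disabled","Stop On Battery Mode","SYSTEM"
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"
"WS01","\Cards Helper","7/3/2024 9:15:00 AM","Ready","Interactive only","7/2/2024 9:15:00 AM","0","WS01\alice","wscript.exe //B //E:jscript C:\Users\alice\AppData\Roaming\Cards\cards.js","N/A","N/A","Enabled","Disabled","Stop On Battery Mode","WS01\alice"
"WS01","\Vendor\Inventory","N/A","Ready","Interactive/Background","N/A","0","Vendor Inc","cscript.exe C:\Program Files\Vendor\inventory.vbs","N/A","N/A","Enabled","Disabled","Stop On Battery Mode","SYSTEM"
`;

function huntSampleTasks() {
  return flagSuspiciousTasks(parseSchtasksCsv(SAMPLE_SCHTASKS_CSV));
}

console.log(JSON.stringify(huntSampleTasks(), null, 2));
```

The "Task To Run" column only shows one command per task, so a task with several actions, or one hidden from schtasks, needs the task XML under C:\Windows\System32\Tasks (or Get-ScheduledTask in PowerShell) to be inspected as well; treat this check as a triage pass, not a complete inventory.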
Indicators of Compromise
- [SHA256] GootLoader JavaScript file hashes – b939ec9447140804710f0ce2a7d33ec89f758ff8e7caab6ee38fe2446e3ac988, and c853d91501111a873a027bd3b9b4dab9dd940e89fcfec51efbb6f0db0ba6687b
- [File name] GootLoader sample file – what cards are legal in goat format 35435.js
- [URL] Original post source – https://unit42.paloaltonetworks.com/javascript-malware-gootloader/
Read more: https://unit42.paloaltonetworks.com/javascript-malware-gootloader/