eSentire Threat Intelligence: GootLoader Striking with a New…

eSentire’s Threat Response Unit analyzed GootLoader’s latest infection technique against a pharmaceutical company, revealing a compromised WordPress site delivering a large, obfuscated JavaScript payload and a new persistence method. The malware uses scheduled tasks for persistence, collects host information via a secondary script, and exfiltrates data to WordPress domains. #GootLoader #IcedID #WordPress #PowerShell #ScheduledTask

Keypoints

  • GootLoader delivers a malicious ZIP archive from a compromised WordPress site, with archive names that vary per user.
  • The initial infection uses obfuscated JavaScript mixed with a legitimate Sizzle.js library and is launched via a wscript.exe process.
  • A second, larger JS payload (~40 MB) is spawned after a ~12-second pause and is padded with garbage strings for obfuscation.
  • The persistence mechanism shifted to a scheduled task created via the Schedule.Service COMObject, dropping the payload under AppData\Roaming and running it at logon.
  • The secondary script collects system information (OS, environment variables), processes, GUI processes, desktop apps, and drives with at least 50 MB free space, then base64-encodes and compresses it for exfiltration over HTTP(S) via WordPress domains.
  • GootLoader demonstrated beaconing to multiple domains (the campaign reportedly has access to ~34k domains) and used XMLRPC-style endpoints for C2 communications.
  • TRU recommends active threat hunts, AD hardening, least-privilege models, endpoint detection, and log/network investigation during intrusions as part of a defense-in-depth strategy.
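The three behaviours above (wscript.exe spawning an oddly cased PowerShell, a logon-triggered task running a .js file from AppData\Roaming, and POSTs to /xmlrpc.php with a long base64-like Cookie value) can be turned into simple detection checks. The block below is an added example, not code from eSentire or the blog post; the telemetry records and field names are constructed for this example and do not follow any vendor's schema.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not from the eSentire post); field names are
# assumptions for this example, not any vendor's schema.
PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\contract.js"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "pOWErsHELl -nop -w hidden -c <redacted>"},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
PROXY_EVENTS = [
    {"method": "POST", "url": "https://wp-site.example/xmlrpc.php",
     "cookie": "s=" + "QUJD" * 40},  # long base64-looking blob in Cookie
    {"method": "GET", "url": "https://wp-site.example/xmlrpc.php", "cookie": ""},
    {"method": "POST", "url": "https://intranet.example/api", "cookie": "sid=abc123"},
]
TASK_EVENTS = [  # simplified view of scheduled-task registrations
    {"trigger": "logon",
     "action": r"wscript.exe C:\Users\jdoe\AppData\Roaming\Example\payload.js"},
    {"trigger": "daily", "action": r"C:\Program Files\Vendor\updater.exe"},
]

NORMAL_PS = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe"}
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{64,}")  # 64+ chars of base64 alphabet

def script_chain_hits(events):
    """PowerShell launched by wscript.exe, or an oddly cased interpreter name."""
    hits = []
    for e in events:
        first = e["cmdline"].split()[0].strip('"')
        odd_case = first.lower() in {"powershell", "powershell.exe"} and first not in NORMAL_PS
        if e["image"].lower() == "powershell.exe" and (e["parent"].lower() == "wscript.exe" or odd_case):
            hits.append(e["cmdline"])
    return hits

def xmlrpc_post_hits(events):
    """POST to /xmlrpc.php carrying a long base64-like value in the Cookie header."""
    return [e["url"] for e in events
            if e["method"] == "POST"
            and urlparse(e["url"]).path.lower().endswith("/xmlrpc.php")
            and B64_RUN.search(e.get("cookie", ""))]

def logon_task_hits(events):
    """Logon-triggered task whose action runs a .js file from AppData\\Roaming."""
    return [e["action"] for e in events
            if e["trigger"] == "logon"
            and re.search(r"\\AppData\\Roaming\\.*\.js\b", e["action"], re.I)]
```

Each function returns the matching records so the three signals can be correlated per host; on their own, legitimate xmlrpc.php traffic or admin scripts will produce occasional hits, so treat them as hunt leads rather than high-confidence alerts.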

MITRE Techniques

  • [T1059.005] Windows Script – “the first obfuscated script is executed via wscript.exe process.”
  • [T1059.007] JavaScript – “The initial malicious JavaScript code is mixed with legitimate Sizzle.js JavaScript Library”
  • [T1059.001] PowerShell – “The secondary JS script will spawn a PowerShell process with the command line “pOWErsHELl”.”
  • [T1053.005] Scheduled Task – “persistence is created via a scheduled task using Schedule.Service COMObject.”
  • [T1027] Obfuscated/Compressed Files – “The second JS file is another obfuscated script with approximately 40 MB in size. The script is padded with garbage strings.”
  • [T1082] System Information Discovery – “The script retrieves the list of applications under the Desktop folder of the infected user, gets the processes running on the host, operating system, environment variables”
  • [T1057] Process Discovery – “gets the processes running on the host”
  • [T1041] Exfiltration – “base64-encoded and compressed to be sent out over POST requests to WordPress domains”
  • [T1071.001] Web Protocols – “be sent out over POST requests to WordPress domains with the tags in the Cookie field over HTTP/HTTPS”

Indicators of Compromise

  • [Domain] Contacted domains – momo[.]com/xmlrpc[.]php, diariojudio[.]com/xmlrpc[.]php, and 16 more domains (e.g., hortencollection[.]com/xmlrpc[.]php, willowdragonstonecommunity[.]org/xmlrpc[.]php)

Read more: https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique