Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through SEO poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike. #Gootloader #IcedID #CobaltStrike #SEOpoisoning #PowerShell #ActiveDirectory
Key points
- Gootloader is a sophisticated MaaS that contacts a C2 server and delivers the second-stage payload only to machines that are joined to an Active Directory domain.
- Threat actors have switched between delivering Cobalt Strike and IcedID as the second-stage payload, with IcedID used for greater stealth.
- Gootloader uses a process hollowing technique to inject the IcedID loader into PowerShell processes, enabling in-memory execution that can evade detection.
- The malware writes its payloads to Windows registry keys (e.g., HKCU) and uses scheduled tasks as persistence mechanisms.
- IcedID employs anti-VM/anti-sandbox checks and collects system information, sending data back to its C2 via GET requests and cookies.
- eSentire TRU recommends defenses including phishing/security awareness, EDR coverage, AD SYSVOL hardening, least-privilege models, and clear submission procedures for potential malicious content.
MITRE Techniques
- [T1189] Drive-by Compromise – “Gootloader leverages SEO poisoning to deliver the initial payload” via compromised websites.
- [T1027] Obfuscated/Compressed Files and Information – “highly obfuscated malicious JavaScript file” used in the initial delivery.
- [T1059.001] PowerShell – “PowerShell can be used for legitimate processes running in the background; thus, Gootloader infections can go unnoticed.”
- [T1055.012] Process Hollowing – “process hollowing techniques … to inject the main payload into the PowerShell process” using APIs like ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and ResumeThread.
- [T1112] Modify Registry – “The first main encoded payload is written to the registry key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\<username> … RegWrite Method.”
- [T1053] Scheduled Task – “scheduled task is created as a persistence mechanism to decode the registry values … The script is base64-encoded and executed via PowerShell.”
- [T1071.001] Web Protocols – “The GET request … to the C2 server” (HTTP-based C2 communication).
- [T1497] Virtualization/Sandbox Evasion – “IcedID performs anti-VM/anti-sandboxing techniques …”
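The persistence chain above (a scheduled task running base64-encoded PowerShell that reads an encoded payload back out of HKEY_CURRENT_USER\SOFTWARE\Microsoft\<username> and executes it in memory) is something a SOC can hunt for in process-creation telemetry. The following is an added detection example, not code from the eSentire article or from the Gootloader/IcedID samples; the Sysmon-style event shape (ProcessId, Image, CommandLine), the task name, the registry value name and the sample command lines are all constructed assumptions.

```python
"""Hunt process-creation events for the Gootloader persistence chain:
schtasks registration -> encoded PowerShell -> payload decoded from
HKCU\\SOFTWARE\\Microsoft\\<username> -> Invoke-Expression in memory.
Event fields and sample values are constructed assumptions (Sysmon-like)."""
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...),
# followed by a base64 token; -ExecutionPolicy does not match because it has no
# whitespace right after the "-E".
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Registry location the article names as the payload staging key; both the
# PowerShell drive form (HKCU:\) and the full hive name are accepted.
REG_PATH = re.compile(r"(?:HKCU:?|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\[\w.-]+", re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> list:
    """Return the list of chain indicators seen in one process-creation event."""
    reasons = []
    cmd = event["CommandLine"]
    if event["Image"].lower().endswith("schtasks.exe") and "/create" in cmd.lower():
        reasons.append("scheduled task registration")
    script = decode_encoded_command(cmd)
    if script is None:
        return reasons
    reasons.append("base64-encoded PowerShell command")
    # A bare HKCU\SOFTWARE\Microsoft reference is common; only the combination with
    # FromBase64String matches the 'decode the registry values' behaviour described.
    if REG_PATH.search(script) and "frombase64string" in script.lower():
        reasons.append("decodes payload staged under HKCU\\SOFTWARE\\Microsoft\\<name>")
    if re.search(r"\biex\b|invoke-expression", script, re.I):
        reasons.append("in-memory execution via Invoke-Expression")
    return reasons


def hunt(events, min_reasons: int = 2) -> dict:
    """Map ProcessId -> reasons for every event showing at least min_reasons indicators."""
    flagged = {}
    for e in events:
        reasons = analyse_event(e)
        if len(reasons) >= min_reasons:
            flagged[e["ProcessId"]] = reasons
    return flagged


# Constructed sample script and events (hypothetical user 'alice', value 'payload').
STAGED_PAYLOAD_SCRIPT = (
    "$b=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\alice').payload;"
    "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"
)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /Create /F /TN "Updater" /TR "powershell.exe -w hidden -enc '
                    + encode_ps(STAGED_PAYLOAD_SCRIPT) + '"'},
    {"ProcessId": 1002, "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps(STAGED_PAYLOAD_SCRIPT)},
    {"ProcessId": 1003, "Image": PS,  # benign admin script, plain -File
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"ProcessId": 1004, "Image": PS,  # encoded but harmless: one weak indicator only
     "CommandLine": "powershell.exe -enc " + encode_ps("Get-Date | Out-File C:\\temp\\t.txt")},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against real telemetry, feed it your EDR or Sysmon Event ID 1 records and raise the threshold or add parent-process context as your environment requires; the encoded-command decoder is the part most hunts get wrong (PowerShell's UTF-16LE encoding, and the short `-e`/`-ec`/`-enc` prefixes), so it is kept separate and testable.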
Indicators of Compromise
- [Domain] C2 domains – ilekvoyn[dot]com, liveshopping-aktuell[dot]de, and other domains (domain list observed in the article).
- [Domain] Gootloader C2 domains – www[dot]liveshopping-aktuell[dot]de, www[dot]lightnessofbeing[dot]net, www[dot]lintelconsulting[dot]co[dot]uk
- [File hash] IcedID packed payload – 157d12885e5f6434436862aadd6224cd
- [File hash] IcedID unpacked payload – 578143ef946796590c0dd5f5dcfdada7
- [File name] employee confidentiality agreement texas(9898).zip – 1c822f5a7d92307f9cf8ad5f28f61a76
- [File name] employee_confidentiality_agreement_texas 19855.js – c6bac95375b8c7fb3b16c7dff98d2cc0
- [Campaign ID] IcedID campaign ID – 277708695
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-gootloader-and-icedid