Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike

Gootkit loader now employs more advanced fileless techniques to drop Cobalt Strike, using SEO-poisoned compromised websites and legal document templates to lure victims. The attack chain involves registry stuffing, memory-only execution via PowerShell, and a Cobalt Strike beacon with C2 activity, showing ongoing development and persistence capabilities. #Gootkit #CobaltStrike

Keypoints

  • Gootkit uses fileless techniques to deliver payloads like Cobalt Strike and has updated its tactics.
  • The infection chain begins when a user searches for topics (e.g., legal documents) and lands on a SEO-poisoned compromised site.
  • A ZIP archive containing an obfuscated .js file leads to a PowerShell script that installs the payload via registry stuffing and scheduled tasks for persistence.
  • Two notable updates: switching from freeware installers to legal document templates and using a custom text replacement algorithm instead of base64 for registry-encrypted data.
  • The final payload is a Cobalt Strike binary that runs in memory and connects to its C2 server (IP 89.238.185.13).
  • Vision One AMSI telemetry helps decode the script flow and trace the infection stages, while 24/7 monitoring via cross-platform XDR prevented escalation.

MITRE Techniques

  • [T1189] Drive-by Compromise – ‘SEO poisoning to make this website rank high in the search results, leading the user to visit the compromised website.’
  • [T1059.001] PowerShell – ‘The unusual PowerShell script that resulted from these actions alerted us to possible malicious activity’ and ‘reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.’
  • [T1112] Modify Registry – ‘It checks for the registry HKCU\PJZTLE and creates it if not found. This serves as an infection marker as we discussed in our previous blog.’
  • [T1053.005] Scheduled Task – ‘The second PowerShell script installs persistence mechanism via Scheduled Task, where it assigns the username as its Task Name.’
  • [T1497] Virtualization/Sandbox Evasion – ‘checks if the current user is logged in to a domain that might be used to bypass sandbox tools.’
  • [T1071.001] Web Protocols – ‘The final payload… has also been spotted to connect to Cobalt Strike’s command-and-control (C&C) server.’
  • [T1056.001] Keyboard Input Capture – ‘logging keystrokes’ (within the Cobalt Strike beacon capabilities).
  • [T1113] Screen Capture – ‘taking screenshots’ (within the Cobalt Strike beacon capabilities).
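The registry marker (T1112), the registry stuffing and the username-named scheduled task (T1053.005) listed above are all visible in endpoint telemetry, so a defender can turn them into checks. The script below is an added example, not code from the Trend Micro report or from Vision One: it runs three such checks over constructed Sysmon-style records. Only the marker key name HKCU\PJZTLE comes from the report; the stuffed key path, the chunk-count and time-window thresholds, the event field layout and the sample events are all assumptions made for the example.

```python
r"""
Added detection sketch (not code from the Trend Micro report): three checks for
the loader behaviours described above, run over CONSTRUCTED Sysmon-style records.
  1. creation of the HKCU\PJZTLE infection-marker key (key name from the report)
  2. registry stuffing: a burst of value writes under one key by PowerShell
     (the key path, chunk count and time window below are assumptions)
  3. a scheduled task whose name equals the logged-on username
"""
from collections import defaultdict
from datetime import datetime, timedelta

MARKER_KEY = r"HKCU\PJZTLE"               # infection marker named in the report
STUFFING_MIN_VALUES = 20                  # assumed threshold: values per key in one burst
STUFFING_WINDOW = timedelta(seconds=60)   # assumed threshold: burst length
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events shaped like parsed Sysmon fields (not real telemetry).
SAMPLE_EVENTS = (
    [{"ts": "2022-07-01T10:00:00", "event": "RegistryKeyCreate", "image": POWERSHELL,
      "user": "CORP\\alice", "target": r"HKCU\PJZTLE"}]
    + [{"ts": f"2022-07-01T10:00:{i:02d}", "event": "RegistryValueSet", "image": POWERSHELL,
        "user": "CORP\\alice", "target": rf"HKCU\Software\ConstructedKey\chunk{i}"}
       for i in range(25)]                # 25 chunks under one key (key path is made up)
    + [{"ts": "2022-07-01T10:01:00", "event": "ScheduledTaskCreate", "image": POWERSHELL,
        "user": "CORP\\alice", "target": "\\alice"},          # task named after the user
       {"ts": "2022-07-01T11:00:00", "event": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
        "user": "CORP\\alice",
        "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
       {"ts": "2022-07-01T11:05:00", "event": "ScheduledTaskCreate", "image": r"C:\Windows\System32\svchost.exe",
        "user": "NT AUTHORITY\\SYSTEM", "target": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"}]
)


def _parse_ts(s):
    return datetime.fromisoformat(s)


def _parent_key(target):
    """'HKCU\\Software\\X\\value' -> 'HKCU\\Software\\X' (strip the value name)."""
    return target.rsplit("\\", 1)[0]


def find_marker_key(events):
    """Check 1: any creation of the infection-marker key."""
    return [e for e in events
            if e["event"] == "RegistryKeyCreate" and e["target"].lower() == MARKER_KEY.lower()]


def find_registry_stuffing(events):
    """Check 2: at least STUFFING_MIN_VALUES value writes under one key, by PowerShell,
    for one user, all inside STUFFING_WINDOW (sliding window over sorted timestamps)."""
    buckets = defaultdict(list)
    for e in events:
        if e["event"] == "RegistryValueSet" and e["image"].lower().endswith("powershell.exe"):
            buckets[(e["user"], _parent_key(e["target"]))].append(_parse_ts(e["ts"]))
    hits = []
    for (user, key), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > STUFFING_WINDOW:
                start += 1
            if end - start + 1 >= STUFFING_MIN_VALUES:
                hits.append({"user": user, "key": key, "values": len(times)})
                break
    return hits


def find_username_tasks(events):
    """Check 3: scheduled task whose name (without the leading backslash) equals the
    account name of the user that created it."""
    hits = []
    for e in events:
        if e["event"] != "ScheduledTaskCreate":
            continue
        account = e["user"].split("\\")[-1].lower()
        if e["target"].lstrip("\\").lower() == account:
            hits.append({"user": e["user"], "task": e["target"], "image": e["image"]})
    return hits


def analyze(events):
    """Run all three checks and return the hits per check."""
    return {"marker_key": find_marker_key(events),
            "registry_stuffing": find_registry_stuffing(events),
            "username_task": find_username_tasks(events)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The stuffing check keys on (user, parent key) and counts writes inside a sliding window rather than on a fixed value-name pattern, because the chunk names are attacker-chosen; the benign explorer.exe write and the SYSTEM-owned Windows task in the sample show the two checks not firing on ordinary activity.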

Indicators of Compromise

  • [File Hash] cbc8733b9079a2efc3ca1813e302b1999e2050951e53f22bc2142a330188f6d4, f1ece614473c7ccb663fc7133654e8b41751d4209df1a22a94f4640caff2406d – Associated with Trojan.BAT.POWLOAD.TIAOELD (loader)
  • [File Hash] 8536bb3cc96e1188385a0e230cb43d7bdc4f7fe76f87536eda6f58f4c99fe96b – Associated with Trojan.PS1.SHELLOAD.BC (PS loader)
  • [URL] hxxps://www[.{domain name}][.]co[.]uk/forum[.]php?uktoz=znbrmkp&iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154e5794b&pohokt=ifgde – Disease vector
  • [URL] hxxps://learn[.]openschool[.]ua/test[.]php?mthqpllauigylit=738078785565141 – Disease vector
  • [IP] 89.238.185.13 = Cobalt Strike C2 server (C&C address)
  • [File Name] disclosure agreement real estate transaction (8321).zip, tenancy agreement between family members template(98539).zip – ZIP archives downloaded by the victim
  • [Domain] learn.openschool.ua, lakeside-fishandchips.com – domains used in the decoded script

Read more: https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html