The article explains how to reconstruct Gootloader registry payloads using off-host Python scripts and CyberChef workflows, as well as on-host PowerShell decoding. It also catalogs technical indicators, network signals, and YARA rules related to GOOTLOADER, FONELAUNCH, and COBALT STRIKE BEACON activities. #GOOTLOADER #FONELAUNCH #COBALTSTRIKE #BEACON #SNOWCONE #GootloaderRegDecode #CyberChef #PowerShell
Key points
- The registry payloads can be reconstructed off-host using the GootloaderRegDecode.py script with a CSV export, processing one or both payloads simultaneously.
- A CyberChef-based off-host workflow uses separate .reg exports and specific recipes to extract payloads from registry data.
- On-host decoding is possible with the GootloaderWindowsRegDecode.ps1 PowerShell script, which can target the current or another user’s registry keys.
- Technical indicators include MD5 hashes for GOOTLOADER ZIP and JS files, various Registry Payloads (FONELAUNCH) and Registry Payload 2 (Cobalt Strike BEACON), plus associated artifacts.
- Network indicators list multiple domains and BEACON-related endpoints as potential C2 channels.
- GOOTLOADER, FONELAUNCH, and SNOWCONE are defined malware families with distinct roles (downloader, loader, and downloader, respectively).
- YARA rules are provided to hunt for FONELAUNCH and GOOTLOADER.POWERSHELL samples, with caveats about testing and false positives.
MITRE Techniques
- [T1059.001] PowerShell – On-host script-based payload decoding. Quote: ‘The script “GootloaderWindowsRegDecode.ps1” can be run on a host that currently has the registry keys present. The script can be executed against the current user, or another user that exists on the system.’
- [T1059.007] JavaScript – GOOTLOADER is a JavaScript downloader that comes in an obfuscated form. Quote: ‘GOOTLOADER is a JavaScript downloader that comes in an obfuscated form. It downloads another JavaScript file which drops and executes the intended payload.’
- [T1027] Obfuscated/Compressed Files and Information – GOOTLOADER obfuscation mentioned in the JS downloader description. Quote: ‘GOOTLOADER is a JavaScript downloader that comes in an obfuscated form.’
- [T1012] Query Registry – On-host/off-host registry access to read payloads (registry exports and keys). Quote: ‘The script can be used to reconstruct the payloads’ and ‘Create separate .reg exports of the HKCU… keys.’
- [T1112] Modify Registry – The payloads are stored in registry keys, which is why they must be reconstructed from registry exports or live registry data. Quote: ‘…reconstruct the payloads depending on where their data resides.’
- [T1082] System Information Discovery – GOOTLOADER.POWERSHELL collects victim host information (OS version, environment, files, processes). The quoted ‘retrieves payloads via HTTP’ describes a separate capability; the host information gathering is described in the GOOTLOADER.POWERSHELL context.
- [T1057] Process Discovery – Listing running processes as part of host information collection. Quote: ‘list of running processes’
- [T1105] Ingress Tool Transfer – GOOTLOADER.POWERSHELL retrieves payloads via HTTP. Quote: ‘retrieves payloads via HTTP.’
- [T1071.001] Web Protocols – C2 communications via HTTP (and DNS). Quote: ‘BEACON communicates with a C2 server via HTTP or DNS.’
- [T1056.001] Keylogging – BEACON backdoor capabilities include keystroke capture. Quote: ‘BEACON backdoor commands include shell command execution, … and can capture keystrokes and screenshots as well as act as a proxy server.’
- [T1113] Screen Capture – BEACON backdoor capabilities include screenshots. Quote: ‘can capture keystrokes and screenshots as well as act as a proxy server.’
Indicators of Compromise
- [MD5] GOOTLOADER ZIP file – 1011b2cbe016d86c7849592a76b72853, 80a79d0c9cbc3c5188b7a247907e7264, bee08c4481babb4c0ac6b6bb1d03658e
- [MD5] GOOTLOADER JS file – 82607b68e061abb1d94f33a2e06b0d20, 961cd55b17485bfc8b17881d4a643ad8, and 4 more hashes
- [MD5] Registry Payload 1 (FONELAUNCH) – FONELAUNCH.FAX: d6220ca85c44e2012f76193b38881185; FONELAUNCH.PHONE: 35238d2a4626e7a1b89b13042f9390e9, 53c213b090784a0d413cb00c27af6100, and 6+ more
- [MD5] Registry Payload 2 (Cobalt Strike BEACON) – 04746416d5767197f6ce02e894affcc7, 2eede45eb1fe65a95aefa45811904824, and 3+ more
- [MD5] SNOWCONE – 328b032c5b1d8ad5cf57538a04fb02f2, 7a1369922cfb6d00df5f8dd33ffb9991
- [Domain] Network indicators – jonathanbartz[.]com, jp[.]imonitorsoft[.]com, lakeside-fishandchips[.]com, and 4 more domains
- [URL] Cobalt Strike BEACON endpoints – hxxps://108.61.242[.]65/dot.gif, hxxps://108.61.242[.]65/submit.php, and 2 more
- [IP] C2 infrastructure – 108.61.242[.]65, 146.70.78[.]43, 87.120.254[.]39, 45.150.108[.]213, 92.204.160[.]240
- [MD5] Samples associated with the YARA rules – M_Launcher_FONELAUNCH_1: d6220ca85c44e2012f76193b38881185; M_Launcher_FONELAUNCH_2: aef6d31b3249218d24a7f3682a00aa10; M_Launcher_FONELAUNCH_3: ec17564ac3e10530f11a455a475f9763
Read more: https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations