This week, we are releasing 2 TTPs:
- Are GootLoader malware procedures mitigated on this host?
- Are AZOrult malware procedures mitigated on this host?
Are GootLoader malware procedures mitigated on this host?
GootLoader was listed in CISA's "2021 Top Malware Strains" advisory and made its way into the scene in 2020. As the name suggests, this malware is a loader associated with the banking trojan known as GootKit. GootLoader was initially designed as a malware loader whose purpose is to download additional malware, but it has evolved into a multi-stage platform. GootLoader's delivery method is through websites hosting malicious files for download. The developers of GootLoader may compromise websites that rank high in search engine results or use search engine optimization techniques to improve the ranking of their malicious sites to target their victims. In addition to GootKit, GootLoader infections may deploy Cobalt Strike beacons and the Osiris banking trojan.
At a high level, some of GootLoader capabilities are:
- Initial Access - Malicious zip files hosted on websites containing high-ranking Google search keywords.
- Execution - JScript file extracted from a zip file and executed via wscript.exe. Two payloads (DLLs) are written to registry keys to enable persistence.
- Persistence - Base64 encoded PowerShell commands are executed to reflectively load a DLL from the registry. Another PowerShell command is executed to create a scheduled task which will run a DLL stored in the registry at victim logon.
- Defense Evasion - Delete Microsoft Defender scheduled scans and disable multiple Microsoft Defender security features.
- Credential Access - Usage of the PowerShell variant of Mimikatz and laZagne has been observed, along with registry hive dumping.
- Discovery - The PowerShell variant of SharpHound is used to enumerate the Active Directory domain, and WMIC is used to check for antivirus. Advanced IP Scanner is used to scan for specific open ports.
- Lateral Movement - RDP, PSExec, and Invoke-WMIExec are used to pivot throughout the network.
- Collection - Files were directly accessed on victim machines.
- Command and Control - Cobalt Strike is used for C2 communication.
This TTP was designed to emulate GootLoader's execution and persistence capabilities. Microsoft Defender may flag some of these actions as `TrojanDownloader:PowerShell/GootKit.S!ams`.
Execute `Are GootLoader malware procedures mitigated on this host?` in Operator on each host in your environment to test if you are vulnerable.
This TTP will download a zip file and save it to `$env:localappdata`. This zip file will contain a JScript file which will create two registry keys, `HKCU:\SOFTWARE\Microsoft\Phone\%Username%` and `HKCU:\SOFTWARE\Microsoft\Phone\%Username%0`. These two registry keys will contain junk byte data to emulate the encoded payloads GootLoader saves in these registry locations. `Expand-Archive` will unzip the zip file, and `wscript.exe` is utilized to execute the JScript file that creates these two registry keys. The exact PowerShell commands that GootLoader uses to reflectively load the malicious DLL and to create the scheduled task are then executed. The command to reflectively load the DLL will fail, since the data saved in the registry keys is not the actual encoded malicious DLL. The TTP will perform a conditional check to verify that the two registry keys and the scheduled task were created. Lastly, the TTP will delete all created artifacts.
CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Visually inspecting if URLs are safe or malicious could help prevent a victim from clicking a link hosting malware. Change the file association for JScript files to `notepad.exe` instead of `wscript.exe`, as this will prevent immediate execution if a victim double-clicks the malicious JScript file. Ensuring your current protections log suspicious `wscript.exe` and `PowerShell.exe` processes, along with `scheduled task` and `registry key` creation, can help identify these malicious actions.
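As an added example (not Prelude's TTP code), the script below audits a host for the two persistence artifacts described above and checks the JScript file-association mitigation; it assumes an elevated Windows PowerShell 5.1+ session on the host being checked, and the function and variable names are our own.

```powershell
# Added example (not Prelude's TTP code): hunt for the GootLoader persistence
# artifacts described above and verify the JScript file-association mitigation.
# Assumes an elevated Windows PowerShell 5.1+ session on the host being checked.

function Test-GootLoaderArtifacts {
    $findings = @()

    # 1. Encoded payloads are stored under HKCU:\SOFTWARE\Microsoft\Phone\<user>
    #    and <user>0; any subkey named after the current user is suspect.
    $phoneKey = 'HKCU:\SOFTWARE\Microsoft\Phone'
    if (Test-Path $phoneKey) {
        foreach ($sub in Get-ChildItem $phoneKey -ErrorAction SilentlyContinue) {
            if ($sub.PSChildName -like "$env:USERNAME*") {
                $findings += "Suspect registry key: $($sub.Name)"
            }
        }
    }

    # 2. Persistence is a scheduled task that runs PowerShell with an encoded
    #    command at logon; flag any task action of that shape.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)powershell' -and
                $cmd -match '(?i)(^|\s)-(e|ec|en|enc|encodedcommand)(\s|$)') {
                $findings += "Encoded-PowerShell task: $($task.TaskPath)$($task.TaskName) -> $cmd"
            }
        }
    }

    # 3. Mitigation check: .js files should open in notepad.exe, not wscript.exe.
    $jsCmd = 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command'
    $handler = (Get-ItemProperty $jsCmd -ErrorAction SilentlyContinue).'(default)'
    if ($handler -match '(?i)wscript') {
        $findings += "JScript still executes via wscript.exe: $handler"
    }
    return ,$findings
}

# Remediation for finding 3: point the JSFile handler at notepad.exe, as recommended above.
function Set-JScriptHandlerToNotepad {
    $jsCmd = 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command'
    Set-ItemProperty -Path $jsCmd -Name '(default)' -Value "$env:SystemRoot\System32\notepad.exe `"%1`""
}

$results = Test-GootLoaderArtifacts
if ($results.Count -eq 0) { 'No GootLoader artifacts found; JScript association is hardened.' }
else { $results }
```

Run the audit before and after the TTP: before, only the file-association finding should appear (if any); after, the cleanup step should leave the host with the same findings as before.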
Are AZOrult malware procedures mitigated on this host?
At a high level, some of AZOrult capabilities are:
- Initial Access - Phishing with Office documents, infected websites, and exploit kits.
- Execution - Macro-enabled Office documents download the AZOrult loader via `mshta` and execute it via `PowerShell`.
- Persistence - Windows Run keys are modified to fetch the payload, and `schtasks` is used to download an encoded DLL and load it via `PowerShell`.
- Defense Evasion - `PowerShell` modifies registry keys to disable Windows Defender.
- Credential Access - AZOrult may dump credentials, including browser history, cookies, emails, social media credentials, and cryptocurrency wallets.
- Discovery - AZOrult may enumerate users, processes, files, and network configuration information.
- Collection - Files were directly accessed on victim machines, including unsecured credentials in files.
This TTP was designed to emulate AZOrult's persistence and defense-evasion capabilities. Microsoft Defender may flag some of these actions as `Trojan:Win32/BatTamper.A`.
Execute `Are AZOrult malware procedures mitigated on this host?` as an Administrator in Operator on each host in your environment to test if you are vulnerable.
This TTP will download a VBS script and save it to `$env:TEMP`. The script configures a Run key that launches `mshta`. Next, the TTP uses `schtasks` to create a scheduled task for persistence. Finally, the TTP downloads from Operator a VBS script used by AZOrult, which disables Windows Defender via registry key modifications and contains `PowerShell` commands to disable various Windows Defender protections.
Windows Defender will need to be re-enabled after running this TTP.
CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Ensure the organization logs processes and command-line information, especially from Office and applications that may execute arbitrary code. If possible, disable Office macro execution and remove local administrators from devices.
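As an added example (not Prelude's TTP code), the script below checks a host after the AZOrult TTP has run: it lists Run-key entries that launch `mshta`, reports whether Defender was left disabled through the policy keys and preferences the TTP modifies, and restores Defender. It assumes an elevated session; the function names and the choice of policy values are ours, and Tamper Protection may block the `Set-MpPreference` changes, in which case Defender must be re-enabled through the UI or your management console.

```powershell
# Added example (not Prelude's TTP code): find mshta Run-key launchers, show the
# Defender state, and re-enable Defender after the AZOrult TTP. Run elevated.

function Get-MshtaRunEntries {
    $runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # provider metadata, not a value
            if ("$($p.Value)" -match '(?i)mshta') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Well-known Defender policy keys that disable-Defender scripts typically write to.
$DefenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$RtpPolicy      = "$DefenderPolicy\Real-Time Protection"

function Get-DefenderState {
    # A policy value of 1 turns the feature off; absent or 0 is the healthy state.
    $pref = Get-MpPreference
    [pscustomobject]@{
        PolicyDisableAntiSpyware        = (Get-ItemProperty $DefenderPolicy -ErrorAction SilentlyContinue).DisableAntiSpyware
        PolicyDisableRealtimeMonitoring = (Get-ItemProperty $RtpPolicy -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
        RealtimeMonitoringDisabled      = $pref.DisableRealtimeMonitoring
        BehaviorMonitoringDisabled      = $pref.DisableBehaviorMonitoring
        ScriptScanningDisabled          = $pref.DisableScriptScanning
    }
}

function Restore-Defender {
    # Drop the disabling policy values, then re-enable each protection explicitly.
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        Remove-ItemProperty -Path $DefenderPolicy -Name $name -ErrorAction SilentlyContinue
    }
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection') {
        Remove-ItemProperty -Path $RtpPolicy -Name $name -ErrorAction SilentlyContinue
    }
    Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false `
                     -DisableScriptScanning $false -DisableIOAVProtection $false
}

Get-MshtaRunEntries | Format-Table -AutoSize
Get-DefenderState          # state left by the TTP
Restore-Defender
Get-DefenderState          # every Disable* field should now be 0, $false, or empty
```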
Check out the TTP `Are AZOrult malware procedures mitigated on this host?`.
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg