Are GootLoader malware procedures mitigated on this host?

This TTP was designed to emulate GootLoader's execution and persistence capabilities. This uses GootLoader's methods of downloading a JScript file within a Zip file, using Wscript to execute the JS file to add specific registry keys, reflectively loading a non-existent DLL, and creating a scheduled task for persistence.

This week, we are releasing 2 TTPs:

  • Are GootLoader malware procedures mitigated on this host?
  • Are AZOrult malware procedures mitigated on this host?

    Are GootLoader malware procedures mitigated on this host?

    GootLoader was listed in CISA's "2021 Top Malware Strains" advisory and made its way into the scene in 2020. As the name suggests, this malware is a loader associated with the banking trojan known as GootKit. GootLoader was initially designed as a malware loader whose purpose is to download additional malware, but it has evolved into a multi-stage platform. GootLoader's delivery method is through websites hosting malicious files for download. The developers of GootLoader may compromise websites that rank high in search engine results or use search engine optimization techniques to improve the ranking of their malicious sites to target their victims. In addition to GootKit, GootLoader infections may deploy Cobalt Strike beacons and the Osiris banking trojan.

At a high level, some of GootLoader capabilities are:

  • Initial access - Malicious zip files hosted on websites containing high-ranking Google search keywords.
  • Execution - JScript file extracted from a zip file and executed via wscript.exe. Two payloads (DLLs) are written to registry keys to enable persistence.
  • Persistence - Base64 encoded PowerShell commands are executed to reflectively load a DLL from the registry. Another PowerShell command is executed to create a scheduled task which will run a DLL stored in the registry at victim logon.
  • Defense Evasion - Delete Microsoft Defender scheduled scans and disable multiple Microsoft Defender security features.
  • Credential Access - Usage of the PowerShell variant of Mimikatz and laZagne has been observed, along with registry hive dumping.
  • Discovery - The PowerShell variant of SharpHound is used to enumerate the Active Directory domain and WMIC to check for antivirus. Advanced IP Scanner used to scan for specific open ports.
  • Lateral Movement - RDP, PSExec, and Invoke-WMIExec are used to pivot throughout the network.
  • Collection - Files were directly accessed on victim machines.
  • Command and Control - Cobalt Strike is used for C2 communication.

This TTP was designed to emulate GootLoader's execution and persistence capabilities. Microsoft Defender may flag some of these actions as `TrojanDownloader:PowerShell/GootKit.S!ams`

Testing

Execute `Are GootLoader malware procedures mitigated on this host?` in Operator on each host in your environment to test if you are vulnerable.

This TTP will download a zip file and save it to `$env:localappdata`. This zip file will contain a JScript file which will create two registry keys `HKCU:\SOFTWARE\Microsoft\Phone\%Username%` and `HKCU:\SOFTWARE\Microsoft\Phone\%Username%0`. These two registry keys will contain junk byte data to emulate the encoded payloads GootLoader saves in these registry locations. `Expand-Archive` will unzip the zip file, and `wscript.exe` is utilized to execute the JScript file to create these two registry keys. The exact PowerShell commands that GootLoader uses to load the malicious DLL reflectively and to create the scheduled task are then executed. The command to reflectively load the DLL will fail since the data saved in the registry keys are not the actual encoded malicious DLLs. The TTP will perform a conditional check to verify if the two registry keys and the scheduled task were created. Lastly, the TTP will delete all created artifacts.

Remediation

CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Visually inspecting if URLs are safe or malicious could help prevent a victim from clicking a link hosting malware. Change the file association for JScript files to `notepad.exe` instead of `wscript.exe`, as this will prevent immediate execution if a victim double-clicks the malicious JScript file. Ensuring your current protections log suspicious `wscript.exe` and `PowerShell.exe` processes, along with `scheduled task` and `registry key` creation, can help identify these malicious actions.

Are AZOrult malware procedures mitigated on this host?

At a high level, some of AZOrult capabilities are:

  • Initial Access - Phishing with Office documents, infected websites, and exploit kits.
  • Execution - Macro-enabled Office documents download the AZOrult loader via `mshta` and execute it via `PowerShell`.
  • Persistence - Windows Run keys are modified to fetch the payload, and `schtasks` is used to download an encoded DLL and load it via `PowerShell`.
  • Defense Evasion - `PowerShell` modifies registry keys to disable Windows Defender.
  • Credential Access - AZORult may dump credentials, including browser history, cookies, emails, social media credentials, and cryptocurrency wallets.
  • Discovery - AZORult may enumerate users, processes, files, and network configuration information.
  • Collection - Files were directly accessed on victim machines, including unsecured credentials in files.

This TTP was designed to emulate AZOrult's persistence and defense-evasion capabilities. Microsoft Defender may flag some of these actions as `Trojan:Win32/BatTamper.A`

Testing

Execute `Are AZOrult malware procedures mitigated on this host?` as an Administrator in Operator on each host in your environment to test if you are vulnerable.

This TTP will download a VBS script and save it to `$env:TEMP`. The script configures a Run key that launches `mshta`. Next, the TTP uses `schtasks` to create a scheduled task for persistence. Finally, the TTP executes a VBS script used by AZOrult to disable Windows Defender via registry key modifications.

Finally, the TTP downloads a VBS script from Operator that contains `PowerShell` commands to disable various Windows Defender protections.

Windows Defender will need to be re-enabled after running this TTP

Remediation

CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Ensure the organization logs processes and command-line information, especially from Office and applications that may execute arbitrary code. If possible, disable Office macro execution and remove local administrators from devices.

Check out the TTP Are AZOrult malware procedures mitigated on this host?.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Are GootLoader malware procedures mitigated on this host?

Tactics