URL: https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campa...
BENGAL CAT LOVERS IN AUSTRALIA GET PSSPSSPSS’D IN GOOGLE-DRIVEN GOOTLOADER CAMPAIGN

The Internet is full of cats—and in this case, malware-delivering fake cat
websites used for very targeted search engine optimization.
Written by Trang Tang, Hikaru Koike, Asha Castle, Sean Gallagher
November 06, 2024
Categories: Security Operations, Threat Research
Tags: Gootloader, JavaScript loader, search engine poisoning, SEO Poisoning

Once used exclusively by the cybercriminals behind REvil ransomware and the
Gootkit banking trojan, GootLoader and its primary payload have evolved into an
initial-access-as-a-service platform, with Gootkit providing information-stealing
capabilities as well as the capability to deploy post-exploitation tools and
ransomware.

GootLoader is known for using search engine optimization (SEO) poisoning for its
initial access. Victims are often enticed into clicking on malicious adverts or
links disguised as legitimate marketing, or, in this case, a legitimate Google
search result directing the user to a compromised website hosting a malicious
payload masquerading as the desired file. If the malware remains undetected on
the victim’s machine, it makes way for a second-stage payload known as GootKit,
a highly evasive info stealer and remote access Trojan (RAT) used to establish
a persistent foothold in the victim’s network environment. GootKit can be used
to deploy ransomware or other tools, including Cobalt Strike, for follow-on
exploitation.

Detection of a new GootLoader variant actively being used by adversaries earlier
this year led to a broad threat hunting campaign by Sophos X-Ops MDR for
GootLoader instances across customer environments. As is typical of Gootloader,
the new variant was found to be using SEO poisoning (the use of search engine
optimization tactics to put malicious websites controlled by GootLoader’s
operators high in the results for specific search terms) to deliver the new,
JavaScript-based Gootloader package. In this case, we found the GootLoader
actors using search results for information about a particular cat and a
particular geography to deliver the payload: “Are Bengal Cats legal in
Australia?”

During the threat hunt campaign, MDR discovered a .zip archive used to deliver 
GootLoader’s first-stage payload while reviewing an impacted user’s browser
history. This allowed MDR to identify the compromised website that was hosting
the malicious payload. This report highlights the MDR investigation process and
the technical details of the uncovered GootLoader campaign.


TECHNICAL ANALYSIS AND IDENTIFICATION


FIRST-STAGE PAYLOAD

On March 27, 2024, the MDR team performed a proactive threat hunting campaign
across multiple customers’ estates, following recently reported identification of
a new GootLoader variant being actively used in the wild.

Our investigation revealed the threat actor was using SEO poisoning through an
easily accessed online forum found via a simple Google search, initiated by the
user for ‘Do you need a license to own a Bengal cat in Australia’. The first
search result took us to this URL:

 hxxps[://]ledabel[.]be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=Each%20state%20and%20territory%20in,to%20keep%20them%20as%20pets.

Immediately after the user clicked the link, a suspicious .zip file was
downloaded to
C:\Users\<Username>\Downloads\Are_bengal_cats_legal_in_australia_33924.zip on
the victim’s machine, and the user’s browser was redirected to the URL
hxxps:[//]www[.]chanderbhushan[.]com/doc[.]php.

Figure 1: An SEO-poisoned site hosting a malicious .zip file


SECOND-STAGE PAYLOAD

Upon review of the running processes, we were able to determine that a small
JavaScript file was dropping a large JavaScript file at the location
C:\Users\<Username>\AppData\Roaming\Microsoft\ on the user’s machine. During our
testing, the large JavaScript file generated by the malicious site and its name,
downloaded to the user’s %temp% directory, were different each time the initial
JavaScript was executed. The file we observed in this case was named
Temp1_Are_bengal_cats_legal_in_australia_33924.zip\are_bengal_cats_legal_in_australia_80872.js.

We additionally observed the creation of a scheduled task named “Business
Aviation” with the command line “wscript REHABI~1.JS” (as shown in Figure 3).
This was suspected to be a persistence method in which the threat actor was
utilizing WScript.exe to execute the second-stage payload of GootKit.

Figure 2: A log of running processes, including the execution of wscript.exe to
launch the second stage via a scheduled task.

Figure 3: A scheduled task is created to launch the second stage JavaScript.

We also noted the utilization of the command C:\Windows\System32\cscript.exe
REHABI~1.JS spawning PowerShell.exe, as shown in Figure 4. The cscript.exe
command line tool is specific to Windows Server. The commands passed to
PowerShell were not captured in this case.

Figure 4: A PowerShell command line spawned by CScript

However, examining the URL history, we observed PowerShell.exe reaching out to
the following domains, as shown in Figure 5.


THIRD-STAGE PAYLOAD

In the case the MDR team examined, our team did not observe the third stage
being successful in reaching a full deployment of GootKit, preventing the
download of any additional malicious tooling. This stage typically is where the
deployment of additional tools such as Cobalt Strike occurs, or when ransomware
is added to the victim’s machine.


MALWARE TRIAGE


STATIC ANALYSIS

MDR performed a static analysis of the .zip sample obtained from the
malicious URL
hxxps[://]ledabel[.]be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia.
Within the zip file was a JavaScript file named “are bengal cats legal in
australia 72495.js”.

As we noted above, the JavaScript’s name is modified each time the file is
downloaded with a different concluding numerical sequence. This was also
observed when extracting the small JavaScript from the zip file, as shown in
Figure 6. For example, users may observe a filename with are bengal cats legal
in australia 75876.zip instead, when attempting to obtain a sample from the
malicious URL.

Figure 6: Sandboxed browser (Browserling) results when accessing the website
and clicking on the malicious hyperlinked URL
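The archive layout described above (a single JavaScript file whose name is the search phrase followed by a numeric suffix that changes on every download) is easy to check for automatically at the point of download. The Python below is an added example written for this post, not Sophos or MDR tooling: it builds a constructed sample archive in memory, reports whether the archive holds a lone .js, whether that name follows the phrase-plus-suffix scheme, and how much of the script is comment lines (the boilerplate licensing comments the post mentions). The filename pattern, the comment heuristic and the verdict strings are assumptions of this example.

```python
import io
import re
import zipfile

# Assumed naming scheme from the post: words joined by spaces or underscores,
# then a numeric suffix, e.g. "are_bengal_cats_legal_in_australia_80872.js".
PHRASE_WITH_SUFFIX = re.compile(
    r"^[a-z0-9]+(?:[ _][a-z0-9]+)+[ _]\d{4,6}\.js$", re.IGNORECASE
)


def comment_line_ratio(js_bytes: bytes) -> float:
    """Fraction of non-empty lines that look like JavaScript comments."""
    lines = [ln.strip() for ln in js_bytes.decode("utf-8", "replace").splitlines()]
    lines = [ln for ln in lines if ln]
    if not lines:
        return 0.0
    commentish = sum(1 for ln in lines if ln.startswith(("//", "/*", "*")))
    return commentish / len(lines)


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a downloaded archive for the lone-script layout described in the post."""
    findings = {
        "entries": [],
        "lone_js": False,
        "phrase_suffix_name": False,
        "comment_line_ratio": 0.0,
        "verdict": "benign-looking",
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        findings["entries"] = [i.filename for i in infos]
        js = [i for i in infos if i.filename.lower().endswith(".js")]
        if len(infos) == 1 and len(js) == 1:
            findings["lone_js"] = True
            base = js[0].filename.rsplit("/", 1)[-1]
            findings["phrase_suffix_name"] = bool(PHRASE_WITH_SUFFIX.match(base))
            findings["comment_line_ratio"] = comment_line_ratio(zf.read(js[0]))
    if findings["lone_js"] and findings["phrase_suffix_name"]:
        findings["verdict"] = "suspicious: single script named after a search phrase"
    elif findings["lone_js"]:
        findings["verdict"] = "review: archive contains only a script"
    return findings


def build_sample_zip(js_name: str, js_body: bytes) -> bytes:
    """Build a constructed sample archive in memory (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(js_name, js_body)
    return buf.getvalue()


# Constructed sample: a lone script with a license-style comment header.
SAMPLE_JS = b"/*!\n * Example Library v1.0\n * Licensed MIT\n */\nvar q = 1;\n"
SAMPLE_ZIP = build_sample_zip("are_bengal_cats_legal_in_australia_80872.js", SAMPLE_JS)

if __name__ == "__main__":
    print(triage_zip(SAMPLE_ZIP))
```

Run against a real download folder by feeding each archive's bytes to triage_zip; a "suspicious" verdict is a reason to quarantine the file and pull the browser history for the referring site, as MDR did here.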

A string analysis of the dropped file was not useful in identifying its intent,
as the JavaScript was heavily obfuscated—as is common in Gootloader samples. The
script also included boilerplate licensing comments to make it appear to be a
legitimate JavaScript, as shown in Figure 7.

Figure 7: The Strings output of are bengal cats legal in australia 72495.js

However, Strings analysis of the secondary larger JavaScript that was downloaded
into C:\Users\<Username>\AppData\Roaming\Notepad++\Small Unit Tactics.js
revealed a heavily obfuscated script, as shown in Figure 8.

Figure 8: The Strings output of C:\Users\<Username>\AppData\Roaming\Notepad++\Small Unit
Tactics.js

MDR used a Python script created by Mandiant for auto-decoding of GootLoader
JavaScript to statically analyze the initially downloaded
Are_bengal_cats_legal_in_australia_72495.js. As shown in Figure 9, the file was
identified as Gootloader variant 3.0 through the obfuscation method, where the
first file created was named Huthwaite SPIN selling.dat, followed by Small Unit
Tactics.js and a scheduled task named Destination Branding. The decoder also
identified various malicious domain names within the obfuscated strings.

Figure 9: Mandiant’s Python script for auto-decoding GootLoader’s JavaScript
displays the output of Are_bengal_cats_legal_in_australia_72495.js


DYNAMIC ANALYSIS

Various dynamic analysis tools were utilized to examine the behavior of the
malicious JavaScript. Upon execution, WScript.exe was observed creating the
first file located within C:\Users\<Username>\AppData\Roaming\Notepad++\, as
shown in Figure 10. Despite being observed via Windows Sysinternals Process
Monitor with a CreateFile event, this was not written to disk and no deletion
event was seen.

Figure 10: The Process Monitor CreateFile event for WScript.exe upon execution
of Are_bengal_cats_legal_in_australia_72495.js

Shortly after Wscript.exe executed Are_bengal_cats_legal_in_australia_72495.js,
Process Hacker showed CScript.exe and Powershell.exe being created with a
conhost.exe spawned, as shown in Figure 11. MDR observed that Wscript.exe would
terminate, followed by Cscript.exe that would also terminate shortly after,
after which Powershell.exe was created.

Figure 11: Process behavior observed within Source Forge’s Process Hacker

Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a
scheduled task named Destination Branding (with command line wscript SMALLU~1.js,
as shown in Figure 12). During the lab analysis, the secondary JavaScript could
be dropped within any folder located within
C:\Users\<Username>\AppData\Roaming\<any existing folder>.

Figure 12: Process Hacker process properties and Scheduled Task creation (click
to enlarge)

MDR conducted network and C2 examinations using Wireshark and FakeNet to
perform a network capture during the execution of
Are_bengal_cats_legal_in_australia_72495.js. FakeNet showed various domain names
being reached out to with GET /xmlrpc.php HTTP/1.1 requests via Powershell.exe.
The requests contained Base64-encoded cookies which, when decoded, showed
enumeration information regarding device directories and host information such
as the folder path C:\Users\<Username>\AppData\Roaming\, as shown in Figure
13. As shown below, the process would read USERNAME and USERDOMAIN information
and send the data to the URIs.


Figure 13a: FakeNet capture containing encoded Base64 cookies

Figure 13b: CyberChef-decoded data 

Examination of the PCAP capture lists various domain names that were also
identified during static analysis, as shown in Figure 14. These domain names and
IOCs have been classified by Sophos Labs as malware/callhome; the initial and
secondary JavaScript files are classified as JS/Drop-DIJ and JS/Gootkit-AW
respectively.

Figure 14: Malicious domain names observed within DNS requests through Wireshark
PCAP


MITRE MAPPING 

The following chart maps the observed tactics to the MITRE ATT&CK® framework. 

Tactic                 Technique                            Sub-Technique       ID
Reconnaissance
Resource Development   Stage Capabilities                   Upload Malware      T1608.001
Resource Development   Stage Capabilities                   SEO Poisoning       T1608.006
Initial Access         Drive-by Compromise                                      T1189
Execution              Command and Scripting Interpreter    JavaScript          T1059.007
Persistence            Scheduled Task/Job                   Scheduled Task      T1053.005
Privilege Escalation
Defense Evasion        Obfuscated Files or Information      Embedded Payloads   T1027.009
Credential Access
Discovery              System Information Discovery                             T1082
Lateral Movement
Collection
Command and Control
Exfiltration           Exfiltration Over Web Service                            T1567
Impact


CONCLUSION

GootLoader is one of a number of continuing malware-delivery-as-a-service
operations that heavily leverage search results as a means to reach victims. The
use of search engine optimization, and abuse of search engine advertising, to
lure targets into downloading malware loaders and droppers is not new; GootLoader
has been doing this since at least 2020, and we’ve observed Raccoon Stealer and
other malware-as-a-service operations doing the same for just as long. But we’ve
seen continued growth in this approach to initial compromise, with several
massive campaigns using this technique over the past year.

Sophos endpoint protection blocks GootLoader through a number of behavioral and
malware-specific detections. But users should still look out for search results
and search advertisements that seem too good to be true on domains that are off
the beaten path—whether they’re looking to get a Bengal Cat or not.


INDICATORS OF COMPROMISE

A list of IOCs is available as a CSV file in the Sophos GitHub repository here.

ABOUT THE AUTHORS

TRANG TANG

Trang Tang is a Threat Analyst for Sophos MDR Operations in Australia. She
previously served as a cyber operator in the Royal Australian Navy.

HIKARU KOIKE

Hikaru Koike is a Sophos MDR Analyst based in Tokyo, Japan. He previously worked
as a Security Operations Center Analyst for Accenture Japan.

ASHA CASTLE

Asha Castle is a Threat Analyst for Sophos MDR in Australia. She has a
certificate in Cybersecurity from Monash University.

SEAN GALLAGHER

Sean Gallagher is Principal Threat Researcher, Sophos X-Ops. Prior to joining
Sophos, he was an information security and technology journalist for over 30
years, including 10 as information security and national security editor for Ars
Technica.

