Between November 13-20, 2024, Blackpoint’s Security Operations Center (SOC) responded to 687 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. This week included multiple instances of possible Gootloader.
In this blog, we’ll dive into the details of Blackpoint’s SOC Gootloader responses, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.
Gootloader Incident
Topline Takeaways
- Industry targets: Healthcare, Industrials, Professional & Commercial Services, Technology, and Real Estate
- Blackpoint SOC actions:
  - Isolated impacted devices
  - Deleted persistence methods (scheduled tasks)
  - Contacted partner
- Attacker information:
  - Gootloader
  - wscript to run scheduled tasks
  - JavaScript files
- Recommended mitigations:
  - Minimize the use of scripting languages.
  - Regularly audit both environment and endpoints.
  - Consider the use of a content proxy.
Incident Timelines
Blackpoint’s SOC identified a consistent pattern across the Gootloader incidents it has responded to; as a result, Blackpoint’s SOC conducted a threat hunt and identified potential Gootloader-related scheduled tasks. Blackpoint’s SOC was able to successfully remove the identified threats and work alongside partners to mitigate any identified malicious activity as well as remove Gootloader-related persistence methods.
2024-11-19: Healthcare Partner
Blackpoint’s SOC identified JavaScript persistence via a scheduled task on a host of a healthcare partner. The naming schema of the JavaScript file was consistent with Gootloader infections: the task referenced SECOND~1.js, the 8.3 short name of a file named Secondary Education.js. The scheduled task was run via wscript. Blackpoint’s SOC did not identify any active netstat connections related to the infection at the time of the investigation.
2024-11-19: Industrials
Blackpoint’s SOC identified JavaScript persistence via a scheduled task, run via wscript, on a host of an industrials partner. The flagged file associated with the activity was LOCALG~1.JS. Blackpoint’s SOC identified that the JavaScript file likely responsible for the initial infection was Local Government Finance.js. Blackpoint’s SOC did not identify any active netstat connections related to the infection at the time of the investigation. In this incident, Blackpoint’s SOC identified that the initial infection file was a .zip file related to debt and tax topics, which is consistent with previously observed Gootloader infections, whose lures often carry titles related to agreements, finance, or contracts.
2024-11-19: Professional & Commercial Services
Blackpoint’s SOC identified a scheduled task run via wscript on the host of a professional & commercial services partner. Blackpoint’s SOC identified the scheduled task “Proactive self-starter” present on the machine, which triggered wscript to launch ARCHIT~1.JS. This is consistent with Gootloader infections.
2024-11-19: Technology
Blackpoint’s SOC identified JavaScript persistence via a scheduled task on the host of a technology partner. The flagged file associated with the suspicious activity was WEBSTE~1.JS, which is consistent with Gootloader infections. Blackpoint’s SOC identified that the file likely responsible was Webster Techique.js. Blackpoint’s SOC did not identify any netstat connections related to the potential infection on the host at the time of the investigation.
2024-11-19: Real Estate
Blackpoint’s SOC identified JavaScript persistence via a scheduled task on the host of a real estate partner. The flagged file related to the activity was ENGINE~1.JS, consistent with previously reported Gootloader infections. Blackpoint’s SOC identified that there is an even chance that the initial file responsible for the suspicious activity was Calgary_police_requirements_74223.zip, which is also consistent with previously observed and reported Gootloader infections.
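The incidents above share one persistence shape: a scheduled task whose action launches wscript with a .js file, frequently referenced by its 8.3 short name (SECOND~1.JS, LOCALG~1.JS, ARCHIT~1.JS). The hunt below, an added example that is not Blackpoint's tooling or code from this post, parses Task Scheduler's own XML task definitions (the files Windows keeps under %SystemRoot%\System32\Tasks) and flags tasks whose Exec action runs wscript or cscript with a .js/.jse argument. The sample task XML, its task name and the user path inside it are constructed for illustration.

```python
"""Hunt Task Scheduler XML definitions for wscript/cscript + .js persistence.

Added example (not Blackpoint's tooling). Task definitions follow the
Task Scheduler XML schema; real files under System32\\Tasks are usually
UTF-16 with an XML declaration, so they are read as bytes and the parser
honours the declaration itself.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

# Default namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
JS_ARG = re.compile(r"\.jse?\b", re.IGNORECASE)      # a .js or .jse argument
SHORT_NAME = re.compile(r"~\d+\.", re.IGNORECASE)     # 8.3 short names such as SECOND~1.JS


def analyze_task(xml_data, task_name="<unknown>"):
    """Return a finding dict if any Exec action launches a Windows Script Host
    binary with a .js/.jse argument, otherwise None. xml_data may be str or bytes."""
    root = ET.fromstring(xml_data)
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        host = PureWindowsPath(command).name.lower()   # "wscript" or "...\\wscript.exe"
        if host in SCRIPT_HOSTS and JS_ARG.search(arguments):
            return {
                "task": task_name,
                "host": host,
                "arguments": arguments,
                # Short-name references are a recurring trait of the incidents above.
                "short_name": bool(SHORT_NAME.search(arguments)),
            }
    return None


def scan_tasks_folder(tasks_root):
    """Walk an exported copy of System32\\Tasks and collect findings."""
    tasks_root = Path(tasks_root)
    findings = []
    for path in tasks_root.rglob("*"):
        if not path.is_file():
            continue
        try:
            finding = analyze_task(path.read_bytes(), str(path.relative_to(tasks_root)))
        except ET.ParseError:
            continue   # not a task definition (or a damaged one); skip it
        if finding:
            findings.append(finding)
    return findings


# Constructed sample modelled on the "Proactive self-starter" task; the
# profile path is invented. Raw strings keep the Windows backslashes intact.
SAMPLE_GOOTLOADER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript</Command>
      <Arguments>"C:\Users\example\AppData\Roaming\Secondary Education\SECOND~1.JS"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: cmd.exe running a batch file, no script host involved.
SAMPLE_BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c "C:\Scripts\backup.cmd"</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml in (("Proactive self-starter", SAMPLE_GOOTLOADER_TASK),
                      ("Nightly backup", SAMPLE_BENIGN_TASK)):
        print(f"{name!r}: {analyze_task(xml, name)}")
```

The same `analyze_task` function applies to the task XML carried in Windows Security event 4698 ("A scheduled task was created"), so the hunt can run retrospectively over collected event logs as well as over the live Tasks folder. Matching on the script host rather than on the file name keeps the check independent of whichever lure title Gootloader used for a given victim.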
More About Gootloader
Gootloader is a first-stage downloader designed to target Windows-based systems and has been active since at least 2020. The malware is often used as an Initial-Access-as-a-Service (IAaaS) tool that has been reported to deploy second-stage payloads, including ransomware, stealer malware, and Cobalt Strike beacons. Gootloader has been reported to gain initial access via malicious JavaScript files that impersonate legitimate documents, social engineering attacks with malicious ZIP attachments, and search engine optimization (SEO) poisoning that lures victims to drive-by download campaigns delivering the first-stage payload.
Threat actors likely find Gootloader an attractive option due to its stealthiness, effectiveness, and ability to load second-stage payloads. Additionally, the Gootloader developers, reportedly Hive0127 (aka UNC2565), have consistently updated the malware, with Gootloader 3 reportedly being the latest available version. In August 2024, ReliaQuest security researchers reported that Gootloader accounted for 16% of all malware loaders they observed in 2024.
APG Threat Analysis for Gootloader
Blackpoint’s Adversary Pursuit Group (APG) predicts the continued use of Gootloader for initial access, second-stage malware deployment, and persistence over the next 12 months.
In November 2023, the U.S. CISA released a #StopRansomware report related to the Rhysida ransomware and warned that the operators had been observed using Gootloader for initial access and deploying the ransomware payload. Gootloader has also been reported to deploy malware such as IcedID, Cobalt Strike, and SystemBC, all of which have reportedly been used in publicly reported ransomware attacks, including those attributed to Black Basta, BianLian, and Akira.
Mitigations
- Minimize the use of – or implement strict controls on – scripting languages, as threat actors often rely on scripting languages, such as JavaScript, to deploy malware and conduct malicious activities.
- Regularly audit both environment and endpoints to identify potential rogue applications and potential old/unused accounts that should be removed.
- Consider the use of a content proxy to monitor internet usage and restrict user access to suspicious or potentially risky websites, including potential SEO poisoning traps.