A lot has been written about GootLoader and the eventual malware that it drops (GootKit and/or REvil) by researchers far more knowledgeable than myself – so I won’t tread too much on old ground.
I happened to come across an incident involving GootLoader recently and was impressed at the level of sophistication. My first attempt to work out what had been dropped on the victim machine left me confused. The web page that Defender’s telemetry indicated was the source of the infection seemed perfectly normal when I visited it.
Of course I wasn’t running this on a physical machine, and the VM wasn’t running Windows. Hypothesising that this was due to my User-Agent string, I spoofed a different one – choosing a recent Chrome version on Windows 8.1. Still: no dice.
I’d gone direct to the web page when it was far more likely that the victim user had browsed there from Google. Time for Tamper Data. I changed the referrer to spoof coming from a Google search. And… nothing. Still the same safe, non-malicious page.
Frustrated, I loaded the home page for the site. What I saw surprised me. The entire page was in Italian. Why was I surprised? The page I was on previously was in English and the subject matter had nothing in common with what I was now seeing.
I went back to the suspect URL and looked at two things. Firstly, I noted that at the bottom there were the “previous” and “next” buttons for WordPress pages. The titles of the pages were English. Interesting! Secondly, I pulled up the page source and had a look for suspicious content. Sure enough, between script tags, an odd-looking call was present.
Next I went looking at these other English pages being hosted on an otherwise Italian site. There was no connection between the pages, they seemed to make some sense, but they rambled on with no point to them. From one of the middle paragraphs, I copied one of the sentences and searched Google for it. There were a lot of hits and many seemed a bit suspicious to me. I clicked on one of the links… and there was the malware delivery page!
There are clearly thousands of infected sites serving this malware. There is some pretty clever misdirection going on, as you’ll only ever get to the malware delivery page once in normal circumstances. What I learnt was that the script is checking not just your referrer, not just your UA string, but also your IP. Everything has to be perfect or you won’t get to the page.
One thing I can share is a regex that can help you detect infected sites: \/\?[a-z,0-9]{7}=[0-9]{7}
Sites that match this regex between script tags have clearly been pwned and will serve badness to your users. If you have the means: detect and block!
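As an added example (not part of the original post), here is a small Python scanner that applies the author’s regex exactly as given, but only to the contents of script tags in saved page source, which is the condition the post puts on it. The sample pages are constructed for the test; the injected value is a made-up string shaped to match the pattern, not anything observed on a real site. One caveat on the regex as written: the comma inside the character class is a literal comma, so the class also admits “,” in the seven-character key, which is slightly broader than intended but harmless for detection.

```python
import re
import sys
from typing import List

# The regex from the post, used verbatim. Note the literal comma inside the
# character class: it means ',' is also accepted in the seven-character key.
GOOTLOADER_PATTERN = re.compile(r"\/\?[a-z,0-9]{7}=[0-9]{7}")

# Captures the body of each <script ...>...</script> block, case-insensitively
# and across newlines. Good enough for static page source; not a full HTML parser.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def find_suspicious_scripts(html: str) -> List[str]:
    """Return every pattern match found inside <script> blocks of the page source."""
    hits: List[str] = []
    for block in SCRIPT_BLOCK.finditer(html):
        hits.extend(GOOTLOADER_PATTERN.findall(block.group(1)))
    return hits


def page_looks_infected(html: str) -> bool:
    """True if the page carries the pattern between script tags (the post's rule)."""
    return bool(find_suspicious_scripts(html))


# Constructed sample pages (not real page source). The clean page has a
# query string in a link and a short one in a script; neither should match.
CLEAN_PAGE = """<html><head><title>Benvenuti</title>
<script src="/wp-includes/js/jquery.js"></script>
<script>var next = "/?page=12";</script></head>
<body><a href="/?p=1234567">Articolo</a></body></html>"""

# Constructed page with a hypothetical injected value shaped like the pattern.
INJECTED_PAGE = """<html><head><title>Post</title>
<script>
  var u = "/?k2lm9xq=8817243";
</script></head><body>Lorem ipsum text that rambles on with no point.</body></html>"""


if __name__ == "__main__":
    # Usage: python scan.py saved_page1.html saved_page2.html ...
    # With no arguments, run against the constructed samples above.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as f:
                verdict = "SUSPICIOUS" if page_looks_infected(f.read()) else "clean"
            print(f"{path}: {verdict}")
    else:
        print("clean sample:", page_looks_infected(CLEAN_PAGE))
        print("injected sample:", page_looks_infected(INJECTED_PAGE))
```

Run it over page source saved from the site (for example with curl or the browser’s “save page”), not over rendered text: the post’s observation is that the call sits between script tags, and that is the only place this scanner looks, so a legitimate query string in a link will not trigger it.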
The JavaScript that your unsuspecting users will dutifully extract and execute from the ZIP file dropped from the site is extremely well obfuscated. A good EDR should block execution of these, but will normally need some additional options activated – so check yours is configured correctly.
Stay safe out there!