Gootkit, an access-as-a-service (AaaS) malware (a banking trojan that can deliver additional payloads, steal victim data and persist in a compromised environment), is back with new tactics and the fileless delivery of Cobalt Strike's "Beacon", the same tooling that Russian state-backed hackers have previously used in attacks on users in Ukraine.
Cobalt Strike is a commercial penetration-testing product that lets an operator deploy an agent called Beacon on a victim's machine. Beacon offers an attacker many capabilities, including but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning and lateral movement. Beacon is fileless and lives in memory: it consists of stageless or staged shellcode that, when loaded by exploiting a vulnerability or by running a shellcode loader, is placed directly into process memory without touching disk. It supports command-and-control (C2) and staging over HTTP, HTTPS, DNS and SMB channels, as well as bind and reverse TCP. Cobalt Strike ships with a toolkit for building shellcode loaders called Artifact Kit. The Beacon implant has become popular with both targeted attackers and criminal users because it is well written, stable and easy to configure.
Gootkit operates on an AaaS model. It is used by various groups, including APT28 and APT29 (Russia), APT32 (Vietnam), APT41 (China) and others, to load additional malware onto compromised systems, and it uses fileless methods to deliver threats such as the SunCrypt and REvil (Sodinokibi) ransomware, the Kronos trojan and Cobalt Strike.
In the past, Gootkit distributed malware disguised as free installers; it now uses seemingly legitimate documents to trick users into downloading the malicious files. The attack chain begins when a user searches for certain information in a search engine. The attackers use black-hat SEO (search-engine poisoning) to push a website compromised by the Gootkit operators into the search results.
When the victim visits the compromised website, it appears to be, for example, an online forum whose thread answers the victim's query directly. The forum page offers a ZIP archive containing a malicious .js file that establishes persistence and loads the Cobalt Strike binary into the infected system's memory.
When the user downloads and opens this file, it spawns an obfuscated script that stores a piece of encrypted code in the registry using registry stuffing (the payload is split across many registry values) and adds scheduled tasks for persistence. The encrypted code in the registry is then reflectively loaded via PowerShell, which reconstructs the Cobalt Strike binary and runs it directly in memory without writing a file to disk.
Analysts note that the encrypted registry entries now use a custom text-replacement algorithm instead of base64 encoding, and they believe that Gootkit is still actively developing and refining its methods, but has already proven quite successful at compromising targets.
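The two paragraphs above describe the artefact a defender can actually hunt for: one registry key holding many large, high-entropy string values that a PowerShell stage later concatenates and decodes. The following script is an added example, not code from the article or from any vendor report, that parses a Windows .reg export and flags keys matching that shape. It deliberately scores chunks by Shannon entropy rather than by trying to base64-decode them, so it still fires on the newer substitution-encoded variant. The key paths, value names, thresholds and the registry data itself are constructed for this example (the sample is generated from a fixed random seed) and are not indicators from the campaign.

```python
import math
import random
import re
from collections import Counter, defaultdict

# Hunting thresholds: assumptions for this example, tune to your estate.
CHUNK_COUNT_MIN = 8    # stuffing spreads one payload across many values
CHUNK_LEN_MIN = 512    # each value carries a large blob of text
ENTROPY_MIN = 4.5      # bits per character; plain config strings sit well below

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def make_sample_reg() -> str:
    """Constructed .reg export with one stuffed key and one benign key.
    Key paths, value names and data are invented for this example."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    alphabet = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789!#$%&()*+,-./:;<=>?@[]^_`{|}~")
    lines = ["Windows Registry Editor Version 5.00", "",
             r"[HKEY_CURRENT_USER\Software\Contoso\Widget]"]
    for i in range(12):
        blob = "".join(rng.choice(alphabet) for _ in range(1024))
        lines.append(f'"{i}"="{blob}"')
    lines += ["", r"[HKEY_CURRENT_USER\Software\Contoso\Settings]",
              '"Theme"="dark"', '"LastRun"="2023-01-01"']
    return "\n".join(lines)


def parse_reg(text: str) -> dict:
    """Map key path -> {value name: string data} for REG_SZ lines.
    Binary (hex:) and default (@=) values are ignored for brevity."""
    values = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            values[key][m.group(1)] = m.group(2)
    return values


def shannon_entropy(s: str) -> float:
    """Bits per character; independent of the encoding alphabet used."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_base64(s: str) -> bool:
    """True only for the base64 alphabet; a substitution encoding like the
    one described above defeats hunts that rely on this check alone."""
    return re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', s) is not None


def _chunk_order(name: str):
    # Loaders typically number the chunks; sort those numerically.
    return (0, int(name), "") if name.isdigit() else (1, 0, name)


def find_stuffed_keys(values: dict) -> list:
    """Flag keys holding many large, high-entropy string values."""
    hits = []
    for key, vals in values.items():
        big = {n: d for n, d in vals.items() if len(d) >= CHUNK_LEN_MIN}
        if len(big) < CHUNK_COUNT_MIN:
            continue
        # Reassemble in the loader's order before scoring the whole payload.
        blob = "".join(big[n] for n in sorted(big, key=_chunk_order))
        ent = shannon_entropy(blob)
        if ent >= ENTROPY_MIN:
            hits.append({"key": key, "chunks": len(big), "chars": len(blob),
                         "entropy": round(ent, 2), "base64": looks_base64(blob)})
    return hits


if __name__ == "__main__":
    for hit in find_stuffed_keys(parse_reg(make_sample_reg())):
        print(hit)
```

On a real host, export the suspect hives with `reg export HKCU out.reg` and feed the file to `parse_reg`; the `base64` field in each hit tells you whether an older base64-only rule would have caught it. Treat a hit as a lead, not a verdict: pair it with the scheduled task that references PowerShell and the flagged key, and pull the process-memory image before the task next fires.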
The Cobalt Strike binary loaded directly into the victim's memory connects to the IP address 22.214.171.124, the Cobalt Strike command-and-control (C2) server.
The combination of SEO techniques and compromised legitimate websites can hide signs of malicious activity, including that of Russian state-sponsored hackers. The tactic remains an effective way to lure unsuspecting users, and it underlines the importance of user awareness and the responsibility of website owners for keeping their sites secure. Users and organizations in Ukraine are likely to encounter Gootkit in future campaigns that use new ways of recruiting victims.