Gootkit: Unveiling the Hidden Link with AZORult
Cybaze-Yoroi ZLAB revealed interesting a hidden connection between the AZORult toolkit and specific Gootkit payload.
Introduction
In the last days, a huge attack campaign hit several organizations across the Italian cyberspace, as stated on bulletin N020219 the attack waves tried to impersonate legit communication from a known Express Courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkitpayload.
Technical analysis
Stage 1 – The Attached Javascript
Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, most of the times able to avoid antivirus detection during the initial stages of the attack campaigns.
Hash | 12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185 |
Threat | malicious js |
Desc | Obfuscated malicious JS. This download first component and keep communication with C2 server. |
Table 1: Generic information about malicious js file
This JS file is an obfuscated dropper with the purpose to download another component from a “safe” remote location:
It contacts two distinct servers, googodsgld.]com and driverconnectsearch.]info. The behaviour of this sort of JavaScript stager is as essential as interesting: it downloads other executable code able to virtually do anything the attacker wants. This kind of pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript and contacting its remote infrastructures in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.
After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet Archive encoded within the chunk of executable javascript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%LocalTemp”.
As shown in Figure 3, the first characters of the encoded payload string are “TVNDRg” which translates to “MSCF”: standard header of the Microsoft Cabinet compressed file format.
Stage 2 – The Cabinet
Actually, this .CAB archive is just a shell for a PE32 executable file:
Hash | 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a |
Threat | RuntimeBroker5.exe |
Desc | First component downloaded by malicious js file. |
Table 2: Generic information about RuntimeBroker5.exe (AZORult)
Executing the RuntimeBroker5.exe sample, seems it behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.
The sample file actually does not perform only this downlaod. Here one of the key point of the article: it also establishes a communication channel with the AZORult C2 host “ssl.]admin.]itybuy.]it”.
The network packet exchanged with the server confirms this identification due to the known communication patterns and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.
As shown in the following figure, the written files in “%APPDATA%LocalTemp” path closely match AZORult analysis described by Unit42 research group.
During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:
- firefox.exe
- SOFTWAREWow6432NodeMozillaMozilla Firefox
- SOFTWAREMozillaMozilla Firefox
- SOFTWAREClientsStartMenuInternetFIREFOX.EXEshellopencommand
- SOFTWAREMicrosoftWindowsCurrentVersionApp Pathsfirefox.exe
- %appdata%MozillaFirefoxProfiles
- MozillaFireFox
- CurrentVersion
- Install_Directory
- nss3.dll
- thunderbird.exe
- SOFTWAREWow6432NodeMozillaMozilla Thunderbird
- SOFTWAREMozillaMozilla Thunderbird
- SOFTWAREClassesThunderbirdEMLDefaultIcon
- %appdata%ThunderbirdProfiles
- ThunderBird
- SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
- SELECT fieldname, value FROM moz_formhistory
- NSS_Init
- PK11_GetInternalKeySlot
- PK11_Authenticate
- PK11SDR_Decrypt
- NSS_Shutdown
- PK11_FreeSlot
- logins.json
- logins
- hostname
- timesUsed
- encryptedUsername
- encryptedPassword
- cookies.sqlite
- formhistory.sqlite
- %LOCALAPPDATA%GoogleChromeUser Data
- %LOCALAPPDATA%GoogleChrome SxSUser Data
- %LOCALAPPDATA%XpomUser Data
- %LOCALAPPDATA%YandexYandexBrowserUser Data
- %LOCALAPPDATA%ComodoDragonUser Data
- %LOCALAPPDATA%AmigoUser Data
- %LOCALAPPDATA%OrbitumUser Data
- %LOCALAPPDATA%BromiumUser Data
- %LOCALAPPDATA%ChromiumUser Data
- %LOCALAPPDATA%NichromeUser Data
- %LOCALAPPDATA%RockMeltUser Data
- %LOCALAPPDATA%360BrowserBrowserUser Data
- %LOCALAPPDATA%VivaldiUser Data
- %APPDATA%Opera Software
- %LOCALAPPDATA%Go!User Data
- %LOCALAPPDATA%SputnikSputnikUser Data
- %LOCALAPPDATA%KometaUser Data
- %LOCALAPPDATA%uCozMediaUranUser Data
- %LOCALAPPDATA%QIP SurfUser Data
- %LOCALAPPDATA%Epic Privacy BrowserUser Data
- %APPDATA%brave
- %LOCALAPPDATA%CocCocBrowserUser Data
- %LOCALAPPDATA%CentBrowserUser Data
- %LOCALAPPDATA%7Star7StarUser Data
- %LOCALAPPDATA%Elements BrowserUser Data
- %LOCALAPPDATA%TorBroProfile
- %LOCALAPPDATA%SuhbaUser Data
- %LOCALAPPDATA%Safer TechnologiesSecure BrowserUser Data
- %LOCALAPPDATA%RafotechMustangUser Data
- %LOCALAPPDATA%SuperbirdUser Data
- %LOCALAPPDATA%ChedotUser Data
- %LOCALAPPDATA%TorchUser Data
- GoogleChrome
- GoogleChrome64
- InternetMailRu
- YandexBrowser
- ComodoDragon
- Amigo
- Orbitum
- Bromium
- Chromium
- Nichrome
- RockMelt
- 360Browser
- Vivaldi
- Opera
- GoBrowser
- Sputnik
- Kometa
- Uran
- QIPSurf
- Epic
- Brave
- CocCoc
- CentBrowser
- 7Star
- ElementsBrowser
- TorBro
- Suhba
- SaferBrowser
- Mustang
- Superbird
- Chedot
- Torch
- Login Data
- Web Data
- SELECT origin_url, username_value, password_value FROM logins
- SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
- SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
- SELECT name, value FROM autofill
- SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
- %APPDATA%MicrosoftWindowsCookies
- %APPDATA%MicrosoftWindowsCookiesLow
- %LOCALAPPDATA%MicrosoftWindowsINetCache
- %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweACINetCookies
- %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweAC#!001MicrosoftEdgeCookies
- %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweAC#!002MicrosoftEdgeCookies
- %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweACMicrosoftEdgeCookies
- InternetExplorer
- InternetExplorerLow
- InternetExplorerINetCache
- MicrosoftEdge_AC_INetCookies
- MicrosoftEdge_AC_001
- MicrosoftEdge_AC_002
- MicrosoftEdge_AC
- SoftwareMicrosoftInternet Explorer
- SoftwareMicrosoftInternet ExplorerIntelliFormsStorage2
- SoftwareMicrosoftWindows NTCurrentVersionWindows Messaging SubsystemProfilesOutlook
- SoftwareMicrosoftOffice15.0OutlookProfilesOutlook
- SoftwareMicrosoftOffice16.0OutlookProfilesOutlook
- POP3
- IMAP
- SMTP
- HTTP
- %appdata%WaterfoxProfiles
- Waterfox
- %appdata%ComodoIceDragonProfiles
- IceDragon
- %appdata%8pecxstudiosCyberfoxProfiles
- Cyberfox
- sqlite3_open
- sqlite3_close
- sqlite3_prepare_v2
- sqlite3_step
- sqlite3_column_text
- sqlite3_column_bytes
- sqlite3_finalize
- %APPDATA%filezillarecentservers.xml
- <RecentServers>
- </RecentServers>
- <Server>
- </Server>
- <Host>
- </Host>
- <Port>
- </Port>
- <User>
- </User>
- <Pass>
- </Pass>
- <Pass encoding=”base64?>
- FileZilla
- ole32.dll
- CLSIDFromString
- {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
- {3CCD5499-87A8-4B10-A215-608888DD3B55}
- vaultcli.dll
- VaultOpenVault
- VaultEnumerateItems
- VaultGetItem
- MicrosoftEdge
- BrowsersAutoComplete
- CookieList.txt
- SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
- %appdata%Moonchild ProductionsPale MoonProfiles
- PaleMoon
- %appdata%Electrumwallets
- Electrum
- %appdata%Electrum-LTCwallets
- Electrum-LTC
- %appdata%ElectrumGwallets
- ElectrumG
- %appdata%Electrum-btcpwallets
- Electrum-btcp
- %APPDATA%Ethereumkeystore
- Ethereum
- %APPDATA%Exodus
- Exodus
- Exodus Eden
- *.json,*.seco
- %APPDATA%JaxxLocal Storage
- JaxxLocal Storage
- %APPDATA%MultiBitHD
- MultiBitHD
- mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
- .wallet
- wallets.wallet
- wallet.dat
- walletswallet.dat
- electrum.dat
- walletselectrum.dat
- Softwaremonero-projectmonero-core
- wallet_path
- BitcoinBitcoin-Qt
- BitcoinGoldBitcoinGold-Qt
- BitCoreBitCore-Qt
- LitecoinLitecoin-Qt
- BitcoinABCBitcoinABC-Qt
- %APPDATA%Exodus Eden
- %Appdata%Psi+profiles
- %Appdata%Psiprofiles
- <roster-cache>
- </roster-cache>
- <jid type=”QString”>
- <password type=”QString”>
- </password>
Table 3: AZORult Configuration file
The multiple references to Browser Cookies and CryptoWallets confirms the “RuntimeBroker5.exe” sample, initially hidden into the cabilet archive, is an AZORult variant.
Stage 3 – The Payload
The other file download from hairpd[.]com by AZORult’s sample is another executable PE32.
Hash | a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612 |
Threat | sputik.exe |
Descrizione Breve | Second component downloaded by malware. This component is alive after the infection. |
Table 4: Generic information about sputik.exe (Gootkit)
The “sputik.exe” uses a set of evasion techniques to avoid the monitoring of the process, such as invoking the “UuidCreateSequential” API to detect the usage of typical virtual machine’s MAC addresses, but this technique can be easily bypassed by spoofing a real network card one.
Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.
By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant counts several modules written on top of NodeJS technology embedded into the PE file, revealing part of the implant code.
In the past years, Gootkit source code have been leaked online and part of it is also available on the Github platform. This way we were able to investigate differences between the extracted snippets and the known, previously leaked, malware version.
As general consideration, we noticed a lot of similarities between the codes, they are perfectly compatible, but few differences holds. For instance private keys and certificates have been modified, showing the malware author choose a stronger key.
Table 5: Certificate comparison
(New on the left, known/leaked on the right)
Conclusion
These attack waves targeting italian organization and users revealed interesting connections between two threats we was used to monitor and detect across both the InfoSec community and the CERT-Yoroi’s constituency, revealing a hidden link connecting this particular AZORult instance and with the Gootkit implant.
Also, the analysis pointed to an evolution of the dropping techniques used in the initial stages of the attacks by cyber-criminals, showing how the usage of extremely flexible stagers written in high level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.
Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.
This post Gootkit: Unveiling the Hidden Link with AZORult originally appeared on Security Affairs.