Don’t Drink from That! Gootloader Watering Hole Leads to REvil Attack
By Arete Forensics Team
REvil, more commonly referred to as Sodinokibi, is one of the most prolific ransomware threat groups currently active in the cyber extortion space. In the past year alone, Arete has responded to countless incidents where REvil has facilitated cyberattacks against client sites.
From our investigations, we have curated and documented threat intelligence to better understand the group’s tactics, techniques, and procedures (TTPs). Based on incident analysis, the threat group primarily leverages three main vectors to gain initial access to targeted environments:
- They exploit externally facing and unsecured Remote Desktop Protocol (RDP).
- They leverage access to a compromised remote management platform, such as ScreenConnect/ConnectWise or NinjaRMM.
- Or, they leverage compromised VPN appliances.
Other entry and deployment methodologies have been employed previously by the REvil group, such as the WinRAR Italia distributor supply chain attack in June of 2019. However, based on the numerous REvil attacks we have responded to since the group’s inception, the above methodologies are those most commonly leveraged by the REvil threat group.
During a recent incident, however, we noted an interesting change in the group’s initial access tactics: they leveraged a successful Cobalt Strike compromise, which had been introduced into the victim environment through the execution of Gootloader, itself downloaded from a fraudulent messaging forum.
During our investigation, we identified the root cause of this incident as a successful watering hole attack that had impacted an employee workstation.
While conducting an online search for legal contract agreements specific to septic systems, the employee selected a site that a Google search had returned. Unbeknownst to the employee, threat actors had compromised the site, configuring it to display a malicious web page designed to look like an active messaging forum.
As shown below, the forum’s first post appeared to come from a user — display name “Emma Hill” — who had requested the same type of legal contract agreement that the employee had been searching for. The web page also made it seem that another user — display name “Admin” — had replied to the initial post, providing a direct download link to the requested document.
Another interesting observation from the analysis of this web page was that, when the site was visited again from the same IP address within a short period of time, the page redirected the end user to a different web page, one with a title page indicative of the legal contract the user was searching for. Unfortunately, this web page was simply a veil designed to shroud the site’s compromise and suppress any user suspicions.
Based on analysis performed during this engagement, Arete has compiled a list of indicators for public use and incorporation into security infrastructure.
Domains Serving Zip Archive
Watering Hole Communication Strings
- Hi, I am looking to*A friend of mine told me he had seen it on your forum. I will appreciate any help here.
- Here is a direct download link,
- Thank you so much for your response! This is exactly what Ive been looking for
- Thank you, Admin
- Issue resolved. The ticket can be closed.
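The communication strings above can be turned into a content check for fetched page bodies or proxy-captured HTML. The following is an added example written for this post, not Arete's own tooling; it treats the `*` in the first string as a wildcard (an assumption about how that entry is meant to be read), tolerates HTML markup and whitespace differences, and the forum snippet it is run against is constructed for illustration, not captured from the compromised site.

```python
import re
from typing import List

# Communication strings listed in the post. "*" is assumed to be a wildcard
# spanning arbitrary text (the request the fake "Emma Hill" post was asking for).
WATERING_HOLE_STRINGS = [
    "Hi, I am looking to*A friend of mine told me he had seen it on your forum. I will appreciate any help here.",
    "Here is a direct download link,",
    "Thank you so much for your response! This is exactly what Ive been looking for",
    "Thank you, Admin",
    "Issue resolved. The ticket can be closed.",
]

def _to_regex(pattern: str):
    # Escape literal tokens, join them with \s+ so line breaks and markup
    # whitespace do not break a match, and expand "*" to a lazy any-text run.
    segments = []
    for chunk in pattern.split("*"):
        segments.append(r"\s+".join(re.escape(t) for t in chunk.split()))
    return re.compile(r"[\s\S]*?".join(segments), re.IGNORECASE)

PATTERNS = [(s, _to_regex(s)) for s in WATERING_HOLE_STRINGS]

def strip_tags(html: str) -> str:
    """Replace HTML tags with spaces and collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html))

def match_forum_strings(html: str) -> List[str]:
    """Return the watering hole strings present in a page body, in list order."""
    text = strip_tags(html)
    return [s for s, rx in PATTERNS if rx.search(text)]

def looks_like_gootloader_forum(html: str, threshold: int = 2) -> bool:
    """Flag a page only when several strings co-occur; one hit alone is too weak."""
    return len(match_forum_strings(html)) >= threshold

# Constructed sample modelled on the fake forum described in the post.
SAMPLE_FORUM_HTML = """<div class="post"><b>Emma Hill</b>
<p>Hi, I am looking to find a septic system contract agreement template.
A friend of mine told me he had seen it on your forum. I will appreciate any help here.</p></div>
<div class="post"><b>Admin</b><p>Here is a direct download link, <a href="#">contract.zip</a></p></div>
<div class="post"><b>Emma Hill</b><p>Thank you so much for your response! This is exactly what Ive been looking for</p></div>
<div class="post"><b>Emma Hill</b><p>Thank you, Admin</p></div>
<div class="post"><b>Admin</b><p>Issue resolved. The ticket can be closed.</p></div>"""
```

Run `match_forum_strings` over saved HTML from a proxy or sandbox detonation; the threshold keeps an innocent "Thank you, Admin" on a real forum from firing on its own.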