Don’t Drink from That! Gootloader Watering Hole Leads to REvil Attack

By Arete Forensics Team

Gootloader Watering Hole - ReVil

REvil, more commonly referred to as Sodinokibi, is one of the most prolific ransomware threat groups currently active in the cyber extortion space. In the past year alone, Arete has responded to countless incidents where REvil has facilitated cyberattacks against client sites.

From our investigations, we have curated and documented threat intelligence to better understand the group’s tactics, techniques, and procedures (TTPs). Based on incident analysis, the threat group primarily leverages three main vectors to gain initial access to targeted environments:

  • They exploit externally facing and unsecured Remote Desktop Protocol (RDP).
  • They leverage access to a compromised remote management platform, such as ScreenConnect/ConnectWise or NinjaRMM.
  • Or, they leverage compromised VPN appliances.

Other entry and deployment methodologies have been employed previously by the REvil group, such as the WinRAR Italia distributor supply chain attack in June of 2019. However, based off of the numerous REvil attacks we have responded to since the group’s inception, the above methodologies are those most commonly leveraged by the REvil threat group.

During a recent incident, however, we noted an interesting change in the group’s initial  access tactics, whereby they leveraged a successful Cobalt Strike compromise, which was initially introduced into the victim environment by way of the execution of Gootloader that was downloaded from a fraudulent messaging forum.

Arete Analysis

During our investigation, we identified the root cause of this incident as a successful watering hole attack that had impacted an employee workstation.

While conducting an online search for legal contract agreements specific to septic systems, the employee selected a site that a Google search had returned. Unbeknownst to the employee, threat actors had compromised the site, configuring it to display a malicious web page designed to look like an active messaging forum.

As shown below, the forum’s first post appeared to come from a user — display name “Emma Hill” — who had requested the same type of legal contract agreement that the employee had been searching for. The web page also made it seem that another user — display name “Admin” — had replied to the initial post, providing a direct download link to the requested document.

 

 

Gootloader Watering Hole

Figure 1: Malicious web page that appears to show a legitimate messaging forum

 

In this case, the hyperlinked text reached out to an external domain, one that was hosting a PHP script named down.php. When clicked, this link fetched a request to this PHP script, which then automatically downloaded a ZIP archive that contained a highly obfuscated JavaScript file. This JavaScript file had the same name as the ZIP archive. The content of this JavaScript file is below:

 

Gootloader Watering Hole

Figure 2: JavaScript file

Based on our analysis and the fact that we observed Cobalt Strike indicators on the endpoint less than an hour later, this JavaScript file was attributed to the Gootkit Remote Access Trojan (RAT), which was then further leveraged to introduce a secondary payload, Cobalt Strike, into the victim environment.  A REvil threat actor leveraged this initial compromise to gain access into this organization’s environment and, approximately eight (8) days later, deployed the REvil ransomware.

Another interesting observation from the analysis of this web page was that, after visiting the site from the same IP address in a short amount of time, the page redirected the end user to a different web page, one with a title page indicative of the legal contract the user was searching for. Unfortunately, this web page was simply a veil designed to shroud the site’s compromise and suppress any user suspicions.

 

Gootloader Watering Hole

Figure 3: Web page after initial site visitation

Indicators

Based on analysis performed during this engagement, Arete has compiled a list of indicators for public use and incorporation into security infrastructure.

Zip Archive Containing JavaScript Payload

  • MD5: E435D74D8A4009C955635C11DA1D3AFC
  • SHA1: F7C620AD560CDA2A9BA90B3E17C6D43A5FB91B44
  • SHA256: 2D6AB5C855F86032C4B2213B7FC5E53F0A772B4F709AE85299B8D33C1867845C

JavaScript Payload

  • MD5: 31C8B072C6FF386645DB60A4D9E121BB
  • SHA1: F6D85FFE4CA1A77F0DF7FE2379D6BB2103B6EE15
  • SHA256: 71C838EAC60AFBFE39728887240781AA5A10E0E563FB4AC259F965BFCD1FD5EA

Domains Serving Zip Archive

  • https[:]//www[.]vacanzenelmediterraneo[.]com/down.php
    • IPv4: 89.46.108[.]30
  • https[:]//www[.]thursdaybram[.]com/down.php
    • IPv4: 104.131.158[.]83
  • https[:]//yukata-sienne[.]jp/down.php
    • IPv4: 183.181.97[.]13
  • https[:]//www[.]frerecapucinbenin[.]org/down.php
    • IPv4: 94.177.165[.]14
  • https[:]//www[.]willkommen[.]org[.]rs/down.php
    • IPv4: 46.151.128[.]3

Watering Hole Communication Strings

  • Hi, I am looking to*A friend of mine told me he had seen it on your forum. I will appreciate any help here.
  • Here is a direct download link,
  • Thank you so much for your response! This is exactly what Ive been looking for
  • Thank you, Admin
  • Issue resolved. The ticket can be closed.

Fraudulent Forum – Full

Post a Comment