Gootkit: Unveiling the Hidden Link with AZORult

Introduction

In the last days a huge attack campaign hit several organizations across the Italian cyberspace, as stated on bulletin N020219 the attack waves tried to impersonate legit communication from a known Express Courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkit payload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, most of the times able to avoid antivirus detection during the initial stages of the attack campaigns.

Hash12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185
Threatmalicious js
DescObfuscated malicious JS. This download first component and keep communication with C2 server.

Table 1:  Generic information about malicious js file

This JS file is an obfuscated dropper with the purpose to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld.]com and driverconnectsearch.]info. The behaviour of this sort of JavaScript stager is as essential as interesting: it downloads other executable code able to virtually do anything the attacker wants. This kind of pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript and contacting its remote infrastructures in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet Archive encoded within the chunk of executable javascript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%\Local\Temp\”.  

As shown in Figure 3,  the first characters of the encoded payload string are “TVNDRg” which translates to “MSCF”: standard header of the Microsoft Cabinet compressed file format.

Figure 4: Javascript downloaded from diverconnectsearch[.]info server.

Stage 2 – The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file:

Hash2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
ThreatRuntimeBroker5.exe
DescFirst component downloaded by malicious js file.

Table 2:  Generic information about RuntimeBroker5.exe (AZORult)

Executing the RuntimeBroker5.exe sample, seems it behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample file actually does not perform only this downlaod. Here one of the key point of the article: it also establishes a communication channel with the AZORult C2 host “ssl.]admin.]itybuy.]it”.

The network packet exchanged with the server confirms this identification due to the known communication patterns and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.

As shown in the following figure, the written files in “%APPDATA%\Local\Temp\” path closely match AZORult analysis described by Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

firefox.exe
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
%appdata%\Mozilla\Firefox\Profiles\
MozillaFireFox
CurrentVersion
Install_Directory
nss3.dll
thunderbird.exe
SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
SOFTWARE\Mozilla\Mozilla Thunderbird
SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
%appdata%\Thunderbird\Profiles\
ThunderBird
SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSS_Shutdown
PK11_FreeSlot
logins.json
logins
hostname
timesUsed
encryptedUsername
encryptedPassword
cookies.sqlite
formhistory.sqlite
%LOCALAPPDATA%\Google\Chrome\User Data\
%LOCALAPPDATA%\Google\Chrome SxS\User Data\
%LOCALAPPDATA%\Xpom\User Data\
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
%LOCALAPPDATA%\Comodo\Dragon\User Data\
%LOCALAPPDATA%\Amigo\User Data\
%LOCALAPPDATA%\Orbitum\User Data\
%LOCALAPPDATA%\Bromium\User Data\
%LOCALAPPDATA%\Chromium\User Data\
%LOCALAPPDATA%\Nichrome\User Data\
%LOCALAPPDATA%\RockMelt\User Data\
%LOCALAPPDATA%\360Browser\Browser\User Data\
%LOCALAPPDATA%\Vivaldi\User Data\
%APPDATA%\Opera Software\
%LOCALAPPDATA%\Go!\User Data\
%LOCALAPPDATA%\Sputnik\Sputnik\User Data\
%LOCALAPPDATA%\Kometa\User Data\
%LOCALAPPDATA%\uCozMedia\Uran\User Data\
%LOCALAPPDATA%\QIP Surf\User Data\
%LOCALAPPDATA%\Epic Privacy Browser\User Data\
%APPDATA%\brave\
%LOCALAPPDATA%\CocCoc\Browser\User Data\
%LOCALAPPDATA%\CentBrowser\User Data\
%LOCALAPPDATA%\7Star\7Star\User Data\
%LOCALAPPDATA%\Elements Browser\User Data\
%LOCALAPPDATA%\TorBro\Profile\
%LOCALAPPDATA%\Suhba\User Data\
%LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
%LOCALAPPDATA%\Rafotech\Mustang\User Data\
%LOCALAPPDATA%\Superbird\User Data\
%LOCALAPPDATA%\Chedot\User Data\
%LOCALAPPDATA%\Torch\User Data\
GoogleChrome
GoogleChrome64
InternetMailRu
YandexBrowser
ComodoDragon
Amigo
Orbitum
Bromium
Chromium
Nichrome
RockMelt
360Browser
Vivaldi
Opera
GoBrowser
Sputnik
Kometa
Uran
QIPSurf
Epic
Brave
CocCoc
CentBrowser
7Star
ElementsBrowser
TorBro
Suhba
SaferBrowser
Mustang
Superbird
Chedot
Torch
Login Data
Web Data
SELECT origin_url, username_value, password_value FROM logins
SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
SELECT name, value FROM autofill
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
%APPDATA%\Microsoft\Windows\Cookies\
%APPDATA%\Microsoft\Windows\Cookies\Low\
%LOCALAPPDATA%\Microsoft\Windows\INetCache\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
InternetExplorer
InternetExplorerLow
InternetExplorerINetCache
MicrosoftEdge_AC_INetCookies
MicrosoftEdge_AC_001
MicrosoftEdge_AC_002
MicrosoftEdge_AC
Software\Microsoft\Internet Explorer
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
POP3
IMAP
SMTP
HTTP
%appdata%\Waterfox\Profiles\
Waterfox
%appdata%\Comodo\IceDragon\Profiles\
IceDragon
%appdata%\8pecxstudios\Cyberfox\Profiles\
Cyberfox
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_column_bytes
sqlite3_finalize
%APPDATA%\filezilla\recentservers.xml
<RecentServers>
</RecentServers>
<Server>
</Server>
<Host>
</Host>
<Port>
</Port>
<User>
</User>
<Pass>
</Pass>
<Pass encoding="base64">
FileZilla
ole32.dll
CLSIDFromString
{4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
{3CCD5499-87A8-4B10-A215-608888DD3B55}
vaultcli.dll
VaultOpenVault
VaultEnumerateItems
VaultGetItem
MicrosoftEdge
Browsers\AutoComplete
CookieList.txt
SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
%appdata%\Moonchild Productions\Pale Moon\Profiles\
PaleMoon
%appdata%\Electrum\wallets\
\Electrum
%appdata%\Electrum-LTC\wallets\
\Electrum-LTC
%appdata%\ElectrumG\wallets\
\ElectrumG
%appdata%\Electrum-btcp\wallets\
\Electrum-btcp
%APPDATA%\Ethereum\keystore\
\Ethereum
%APPDATA%\Exodus\
\Exodus
\Exodus Eden
*.json,*.seco
%APPDATA%\Jaxx\Local Storage\
\Jaxx\Local Storage\
%APPDATA%\MultiBitHD\
\MultiBitHD
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
.wallet
wallets\.wallet
wallet.dat
wallets\wallet.dat
electrum.dat
wallets\electrum.dat
Software\monero-project\monero-core
wallet_path
Bitcoin\Bitcoin-Qt
BitcoinGold\BitcoinGold-Qt
BitCore\BitCore-Qt
Litecoin\Litecoin-Qt
BitcoinABC\BitcoinABC-Qt
%APPDATA%\Exodus Eden\
%Appdata%\Psi+\profiles\
%Appdata%\Psi\profiles\
<roster-cache>
</roster-cache>
<jid type="QString">
<password type="QString">
</password>

Table 3: AZORult Configuration file

The multiple references to Browser Cookies and CryptoWallets confirms the “RuntimeBroker5.exe” sample, initially hidden into the cabilet archive,  is an AZORult variant.

Stage 3 – The Payload

The other file download from hairpd[.]com by AZORult’s sample is another executable PE32.

Figure 8: GET request to download the payload.
Hasha75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
Threatsputik.exe
Descrizione BreveSecond component downloaded by malware. This component is alive after the infection.

Table 4:  Generic information about sputik.exe (Gootkit)

The “sputik.exe” uses a set of evasion techniques to avoid the monitoring of the process, such as invoking the “UuidCreateSequential” API to detect the usage of typical virtual machine’s MAC addresses, but this technique can be easily bypassed by spoofing a real network card one.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant counts several modules written on top of NodeJS technology embedded into the PE file, revealing part of the implant code.

Figure 11: Portion of Gootkit code snippet

In the past years, Gootkit source code have been leaked online and part of it is also available on the Github platform. This way we were able to investigate differences between the extracted snippets and the known, previously leaked, malware version.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As general consideration, we noticed a lot of similarities between the codes, they are perfectly compatible, but few differences holds. For instance private keys and certificates have been modified, showing the malware author choose a stronger key.

Table 5:  Certificate comparison
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting italian organization and users revealed interesting connections between two threats we was used to monitor and detect across both the InfoSec community and the CERT-Yoroi’s constituency, revealing a hidden link connecting this particular AZORult instance and with the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used in the initial stages of the attacks by cyber-criminals, showing how the usage of extremely flexible stagers written in high level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Indicator of Compromises

  • Dropurl:
    • hairpd[.com/stat/stella.exe
    • hairpd[.com/stat/sputik.exe
    • ivanzakharov91[.example[.com
    • googodsgld[.com
    • 185.154.21[.208
    • driverconnectsearch.info
    • host.colocrossing.com
    • 192.3.179[.203
  • Components:
    • RuntimeBroker5.exe 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
    • stella.exe
      6f51bf05c9fa30f3c7b6b581d4bbf0194d1725120b242972ca95c6ecc7eb79bc
    • sputik              a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
  • C2 (AZORult)
    • ssl[.admin[.itybuy[.it
  • C2 (gootkit):
    • avant-garde[.host
    • kinzhal[.online
  • Hash:
    • 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
    • 6f51bf05c9fa30f3c7b6b581d4bbf0194d1725120b242972ca95c6ecc7eb79bc
    • a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
    • 12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185

Yara rules

rule Gootkit_11_02_2019{

	meta:
  	description = "Yara Rule for Gootkit"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_02_11"
  	tlp = "white"
  	category = "informational"

	strings:
    		 $a = {4D 5A}
   		 $b1 = {2D EE 9D 00 04 29 76 EC 00 00 F9}
   		 $c1 = {E6 C5 1F 2A 04 5A C8}
   		 $d1 = "LoadCursorW"
    		 $b2 = {75 0E E8 84 8D FF FF 83 CF FF C7}
    		 $c2 = {B9 C7 25 E7 00 5A 00 00 BA}
    		 $d2 = "GetCurrentPosition"

	condition:
    		 $a and (($b1 and $c1 and $d1) or ($b2 and $c2 and $d2))
}

rule Azorult_11_02_2019{

	meta:
  	description = "Yara Rule for Azorult"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_02_11"
  	tlp = "white"
  	category = "informational"

	strings:
   		 $a = "MZ"
   		 $b = {44 00 02 00 00 00 6A 04 58 6B C0 00 8B 0D}
    		 $c = {00 00 8B 45 0C 8B 55 F8 39 50 0C 74 10 68}
    		 $d = {41 00 FF D6 8B D8 89 5D D4 85 DB 74 74 FF 35}

	condition:
    		 all of them
}

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

2 thoughts on “Gootkit: Unveiling the Hidden Link with AZORult”

Comments are closed.