Researchers deal blow to Gootloader gang that supported REvil

Security researchers at managed detection and response (MDR) specialist eSentire have revealed how they are turning the tables on an expansive cyber crime operation that has lured in thousands of people working at law firms and in-house legal departments in the UK, Australia, Canada and the US over the past 15 months.

Known as Gootloader, the operation specialises in obtaining initial access to victim networks and then offers this on an as-a-service basis to downstream cyber criminals, including the REvil ransomware operation which hacked a law firm representing the then US president Donald Trump in 2020.

Gootloader has been a long-standing threat since at least 2020, and was named as one of CISA’s top threats in 2021.

ESentire’s Threat Response Unit (TRU), led by Joe Stewart and Keegan Keplinger, has stopped attacks on 12 different organisations in which employees were lured to compromised WordPress blogs that Gootloader’s operators have gamed to the top of Google search rankings using a technique known as search engine optimisation (SEO) poisoning.

From these blogs, they were prompted to download the Gootloader malware disguised as fake legal agreements and contracts, thus giving the operation access to their system.

“Gootloader is a cunning and dangerous threat that preys on those seeking business information and legal forms online,” said Stewart. “Innocent users can be easily lured in by Gootloader’s fake posts, unknowingly exposing themselves to ransomware attacks.

“It’s like a trap, waiting in the shadows for its next unsuspecting victim to stumble into its grasp. It’s up to security researchers to shine a light on this dark corner of the internet and protect those who are just trying to find the information they need to get their job done.”

How it works

In the case of Gootloader, the operation keeps its cards close to its chest in such a way that the malicious payloads are never displayed to logged-in users of the compromised WordPress sites, meaning even the site admins may be entirely aware they are being taken advantage of. It also blocks the IP addresses of the admins, and several netblocks above and below their IP addresses to stop them from viewing the malicious pages even if they log out of WordPress.

These blocklist features are also built into the server that actually delivers the malicious payload – a victim can only receive it once, and will then be blocked for 24 hours across any Gootloader-compromised site.

This may seem a little counter-intuitive, but it is in part an obfuscation tactic as it is a barrier to investigation by researchers or incident responders – who must then obfuscate their own identities if they wish to revisit a compromised site.

It’s this feature that Stewart and Keplinger have now turned to their advantage. Each time a victim arrives, the Gootloader server receives several different types of data, including their IP address, which is the relevant factor here.

Because the server relies on the compromised blog to feed it said IP address, it’s possible to block any IPv4 address on the internet from seeing any Gootloader compromised blog by crafting a “malicious” request to the server that emulates a “legitimate” request.

Furthermore, because the Gootloader server blocks netblocks of IP addresses above and below the victim’s IP address, it’s possible to protect the entire global IPv4 network space by sending a total of 800,000 requests to the Gootloader server every 24 hours.

But it doesn’t stop here. By “abusing” the blocklist that keeps WordPress site admins in the dark, Stewart and Keplinger were also able to use proxy IP addresses to block a large swathe of the internet permanently – although only from Gootloader sites that have user registration or use third-party OAUTH logins enabled.

The researchers claimed that since implementing these techniques against Gootloader across the eSentire MDR for Network service, not a single customer has been compromised. Stewart and Keplinger are now spreading the word further through partnerships and collaborations with others.

“By leveraging the Gootloader threat actor’s own criteria for delivering payloads, we were able to block thousands of IPs from receiving the Gootloader payload, significantly reducing the potential victim pool,” said Stewart.

“It was a unique approach that helped us disrupt the Gootloader Operation and protect innocent users from falling prey to this dangerous malware,” he said. “I’m proud of the work we’ve done to combat this threat, and I hope our approach inspires others to adopt similar tactics to protect against malware.

“Building a crawler to uncover the hundreds of thousands of latent Gootloader landing pages on compromised WordPress blogs was no small feat. It required significant research and development time to create a tool that could efficiently crawl and identify these pages. However, the payoff in terms of uncovering these landing pages and sharing this information with other security researchers and organisations made it all worth it. By collaborating and sharing our findings, we can work together to combat this dangerous malware and protect innocent victims from becoming the next target for Gootloader’s ransomware operator’s customers.”

Nevertheless, Stewart said it was also imperative that those who operate WordPress sites in their organisations take more steps to improve their own cyber security and protect themselves from being coopted into Gootloader’s bait pool.

“By neglecting site security, operators are putting not only their own data at risk, but also contributing to a larger issue that threatens the safety and security of the internet as a whole,” he said. “It’s every website owner’s duty to secure their web properties and help prevent malware like Gootloader from using their sites to harm innocent users.”

REvil connections

During the course of their work, Stewart and Keplinger additionally firmed up long-posited links between Gootloader and the notorious REvil ransomware crew, which wrought havoc over a multi-year period – their most significant operation arguably being the Kaseya supply chain attack.

By analysing the timing of various REvil campaigns targeting English, French, German and Korean speaking organisations, and specifically law firms in English-speaking countries, they have now proved the two worked together from 2019 – when REvil first emerged as a successor to Gandcrab – through to 2022.

They believe that Gootloader was almost continuously feeding victims to REvil and as such was an “integral factor” in the ransomware gang’s success, and because Gootloader is still actively netting victims, it’s possible its operators are working with a successor operation to REvil to this day, or worse, Russian state-backed groups, as Keplinger explained.

“Many [REvil members] were allegedly arrested by the Russian government in January 2022, just before the Ukraine invasion,” he said.

“Following Russia’s invasion of Ukraine in 2022, prosecution of REvil gang members appeared to stall, just as it was recently reported that some of the defendants’ attorneys were suggesting that their clients ‘be released to work for Russian security services’ and that ‘the unique experience of the former defendants would certainly be useful to the Russian special services in the fight against hackers from Ukraine’.”

Leave a Reply

Your email address will not be published. Required fields are marked *