CyberSecurityBoard
Sponsor Register Login

Dissecting GootLoader With Node.js

This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code.
In our debugging endeavor for GootLoader files, we use a Windows host with Node.js JavaScript runtime and Visual Studio Code installed.
By employing Node.js and Visual Studio Code, we can step through the JavaScript file's execution, set breakpoints in the code and use the immediate window to evaluate expressions.
As an obfuscation technique, the authors of GootLoader have interwoven lines of GootLoader code among legitimate JavaScript library code.
Throughout our debugging process, we observed the code execution that appeared to be seemingly stuck within the confines of a particular loop.
Below, Figure 2 shows a snippet of code from one of these loops.
To gain a better understanding of these loops, let's delve into the surrounding code from the loop in Figure 2.
Below, Figure 3 shows an isolated rendition of the original code that we will focus on.
In Figure 3, the while function within the code causes an infinite loop, because the variable jobcv is consistently assigned the value 1.
The successful execution of this line relies on the function array horsqe7 pointing to an actual function.
The loop persists until the counter oftenfs reaches the value 2597242, at which the function array horsqe7 references the sleepy function.
Inside the sleepy function, we observed a familiar function array name from Figure 3.
Code execution will land inside the indicate6 function.
Again with more delays, code execution will reach the course83 function shown below in Figure 6.
The function course83 is where the actual malicious code begins execution.
Finally, debugging the course83 function unveils and deobfuscates JavaScript code that initiates GootLoader's malicious functions.
Below, Figure 7 shows a section of the deobfuscated malicious GootLoader code.
The creators of GootLoader employed time-consuming while loops with arrays of functions to deliberately delay the execution of malicious code.
Table 1 lists the counter values and their assigned functions in the order they were called from the GootLoader JavaScript code.
Counter values and their assigned functions from the GootLoader sample.


This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Wed, 03 Jul 2024 22:13:05 +0000


Cyber News related to Dissecting GootLoader With Node.js

Dissecting GootLoader With Node.js - This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. In our debugging endeavor for GootLoader files, we use a Windows host with Node.js JavaScript runtime and ...
3 days ago Unit42.paloaltonetworks.com
New Malware Uses Fileless Technique to Deploy Ransomware - The group behind the Windows Gootloader malware, known as UNC2565, has effectively modified the code to make it more intrusive and difficult to detect. Researchers at Mandiant noted UNC2565 started making significant adjustments to its operational ...
1 year ago Cybersecuritynews.com
Exploring the Increasing Danger of GootLoader - GootLoader is a malicious software that was created from GootKit, a banking trojan that first appeared in 2014. It has since been updated and given a new name to reflect its new purpose in 2021. The same group is responsible for both versions of the ...
1 year ago Securityweek.com
GootBot Implant Heightens Risk of Post-Infection Ransomware - A "GootBot" implant, a variant of the notorious Gootloader malware, has been discovered by the IBM X-Force team. In an advisory published Monday, X-Force noted that Gootloader has typically been utilized as an initial access malware. The introduction ...
7 months ago Infosecurity-magazine.com
Law Firms and Legal Departments Get Singled Out For Cyberattacks - Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and ...
7 months ago Darkreading.com
Kubernetes DaemonSet: Monitoring in Kubernetes - That's why it makes sense to collect logs from every node and send them to some sort of central location outside the Kubernetes cluster for persistence and later analysis. A DaemonSet in Kubernetes is a specific kind of workload controller that ...
7 months ago Feeds.dzone.com
CVE-2023-26484 - KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used ...
1 year ago
CVE-2023-30840 - Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi ...
1 year ago
CVE-2024-38599 - In the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike ...
2 weeks ago Tenable.com
Gootkit Malware Continues to Evolve with New Components and Obfuscations - The threat actors associated with the Gootkit malware have made "Notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, ...
1 year ago Thehackernews.com
Malicious Software Gootkit Utilizes Innovative Strategies to Target Healthcare and Financial Companies - Cybereason, a cybersecurity firm, recently discovered that the Gootkit malware is targeting healthcare and finance organizations in the U.S., U.K., and Australia. This malware has been linked to a threat actor known as UNC2565 and was first seen in ...
1 year ago Thehackernews.com
CVE-2021-37713 - The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of ...
2 years ago
CVE-2023-41332 - Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium > ...
9 months ago
Hijacking Your Bandwidth How Proxyware Apps Open You Up to Risk - Is this true? To examine and understand the kind of risks a potential user might be exposed to by joining such programs, we recorded and analyzed network traffic from a large number of exit nodes of several different network bandwidth sharing ...
1 year ago Trendmicro.com
CVE-2018-12120 - Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote ...
1 year ago
CVE-2023-41041 - Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an ...
10 months ago
CVE-2023-28842 - Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is ...
9 months ago
CVE-2021-21298 - Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with ...
3 years ago
CVE-2024-28863 - node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar ...
3 months ago
CVE-2021-32803 - The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would ...
2 years ago
CVE-2021-37712 - The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a ...
1 year ago
CVE-2021-37701 - The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a ...
1 year ago
CVE-2018-19983 - An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the attacker conducts a DoS attack against the Z-Wave S0 ...
4 years ago
CVE-2023-25653 - node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` ...
1 year ago
CVE-2022-36103 - Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker node CSR (certificate signing request) ...
11 months ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)