Dissecting GootLoader With Node.js

This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code.
In our debugging endeavor for GootLoader files, we use a Windows host with Node.js JavaScript runtime and Visual Studio Code installed.
By employing Node.js and Visual Studio Code, we can step through the JavaScript file's execution, set breakpoints in the code and use the immediate window to evaluate expressions.
As an obfuscation technique, the authors of GootLoader have interwoven lines of GootLoader code among legitimate JavaScript library code.
Throughout the debugging process, we observed that code execution appeared to be stuck inside a particular loop.
Below, Figure 2 shows a snippet of code from one of these loops.
To gain a better understanding of these loops, let's delve into the surrounding code from the loop in Figure 2.
Below, Figure 3 shows an isolated rendition of the original code that we will focus on.
In Figure 3, the while loop in the code runs indefinitely because the variable jobcv is consistently assigned the value 1.
The successful execution of this line relies on the function array horsqe7 pointing to an actual function.
The loop persists until the counter oftenfs reaches the value 2597242, at which point the function array horsqe7 references the sleepy function.
Inside the sleepy function, we observed a familiar function array name from Figure 3.
Code execution will land inside the indicate6 function.
After further delays, code execution reaches the course83 function, shown below in Figure 6.
The function course83 is where the actual malicious code begins execution.
Finally, debugging the course83 function unveils and deobfuscates JavaScript code that initiates GootLoader's malicious functions.
Below, Figure 7 shows a section of the deobfuscated malicious GootLoader code.
The creators of GootLoader employed time-consuming while loops with arrays of functions to deliberately delay the execution of malicious code.
Table 1 lists the counter values and their assigned functions in the order they were called from the GootLoader JavaScript code.
Table 1. Counter values and their assigned functions from the GootLoader sample.
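The loop-and-function-array pattern described above, and the counter-to-function mapping that Table 1 lists, can both be recovered without sitting through millions of iterations in the debugger. The following Node.js script is an added example, not code from the Unit 42 article or from the GootLoader sample: it builds a constructed stand-in for the delay stage (the identifiers jobcv, oftenfs, horsqe7, sleepy, indicate6 and course83 and the counter value 2597242 are taken from the article; the loop body, the function bodies and the two extra indices 2597242 + 1000 and 2597242 + 2000 are assumptions) and then shows two analyst techniques: a static one that reads the populated indices of the sparse function array directly, and a dynamic one that wraps the array in a Proxy so every lookup that resolves to a function is logged in call order.

```javascript
'use strict';

// Counter value from the article; the two offsets below are made up for this example.
const FIRST_STAGE = 2597242;

// Constructed stand-in for the obfuscated delay stage (assumption: the real
// sample's loop body and function bodies are not reproduced here). The array
// is sparse: only three indices hold a function, everything else is a hole.
function buildSample() {
  const horsqe7 = [];
  horsqe7[FIRST_STAGE] = function sleepy(arr) {
    // Spins again on the same function array, as the article describes for sleepy.
    return spinUntil(arr, FIRST_STAGE);
  };
  horsqe7[FIRST_STAGE + 1000] = function indicate6(arr) {
    return spinUntil(arr, FIRST_STAGE + 1000);
  };
  horsqe7[FIRST_STAGE + 2000] = function course83() {
    // Stands in for the stage where the real malicious code would begin.
    return 'deobfuscated-stage';
  };
  return horsqe7;
}

// The while-loop pattern from the article: jobcv stays 1 while the counter
// walks through holes in the array, and only drops to 0 once horsqe7[oftenfs]
// is an actual function that can be called.
function spinUntil(horsqe7, start) {
  let jobcv = 1;
  let oftenfs = start;
  let result;
  while (jobcv) {
    oftenfs++;
    const next = horsqe7[oftenfs];
    if (typeof next === 'function') {
      result = next(horsqe7);
      jobcv = 0;
    }
  }
  return result;
}

// Static technique: the populated indices of the sparse array are exactly the
// counter values the loops are waiting for, so Object.keys() yields a Table 1
// style listing without executing a single iteration of the delay loop.
function recoverDispatchTable(horsqe7) {
  return Object.keys(horsqe7)
    .map(Number)
    .filter((i) => Number.isInteger(i) && typeof horsqe7[i] === 'function')
    .sort((a, b) => a - b)
    .map((i) => ({ counter: i, name: horsqe7[i].name || '<anonymous>' }));
}

// Dynamic technique: wrap the array in a Proxy whose get trap records every
// index lookup that resolves to a function, then let the stage run. The trace
// confirms the order in which the functions are actually called.
function traceExecution(horsqe7) {
  const trace = [];
  const watched = new Proxy(horsqe7, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof value === 'function' && /^\d+$/.test(String(prop))) {
        trace.push({ counter: Number(prop), name: value.name || '<anonymous>' });
      }
      return value;
    },
  });
  const result = spinUntil(watched, 0);
  return { trace, result };
}

// Stand-alone run: print the recovered table and the confirmed call order.
const sample = buildSample();
console.table(recoverDispatchTable(sample));
console.log(traceExecution(sample));
```

When the two listings agree, the static one is the quicker path: the analyst can read the target counter values off the array and set the loop counter to the next target in the debugger instead of waiting for the loop to get there. The Proxy trace is the check that no function is reached by some route the array keys do not reveal (for example an index computed at run time).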


This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Wed, 03 Jul 2024 22:13:05 +0000