Rewterz Threat Alert – REvil Ransomware Returns with Gootkit Malware

Severity

High

Analysis Summary

Gootkit information-stealing Trojan has made a return alongside the REvil ransomware. The Gootkit Trojan is Javascript-based malware that performs various malicious activities, including remote access for threat actors, keystroke capturing, video recording, email theft, password theft, and the ability to inject malicious scripts to steal online banking credentials. 

In this new malicious campaign, threat actors are hacking WordPress sites and utilizing SEO poisoning to display fake forum posts to visitors. These posts pretend to be a question and answers with a link to fake forms or downloads. When the user clicks on the link, they will download a ZIP file containing an obfuscated JS file that will install either the Gootkit malware or the REvil ransomware. The malicious JavaScript payloads will perform fileless attacks of either Gootkit or REvil. When launched, the JavaScript script will connect to its command and control server and downloads another script that contains the malicious malware payload. 

After conversion to ASCII, the next JavaScript is revealed, and the code is executed. This JavaScript comes with an embedded PE payload which may be either a loader for Gootkit, or for the REvil ransomware. There are also some differences in the algorithm used to deobfuscate it. The loader will eventually read the Registry or text file’s payloads, decode it, and filelessly launch the process directly into memory. Using obfuscated payloads and to break them up into pieces stored in the Registry, makes it harder for security software to detect the malicious payloads. The threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly-named key, many security products will not be able to detect and remove it.

Impact

• Credential Theft
• Theft of Financial Information
• Unauthorized Remote Access
• Unauthorized Code Execution
• Detection Evasion
• Files Encryption

Indicators of Compromise

Domain Name

• www[.]alona[.]org[.]cy
• m-uhde[.]de
• doedlinger-erdbau[.]at
• alona[.]org[.]cy

Filename

• tarifvertrag_metall-_und_elektroindustrie_hessen_download[.]js

MD5

• 1f15d4de305b1cc9269d818411167091
• b1eeac1e826abec46801630f0bb3bdb3
• 28fc2ddbfd615f88c695d0e9b49a7865
• f8c308feafe4f50a38712b573fa9bc44
• 84cc11bd25f9b8a2471e2ec3659284ef
• e5fabe055ae746e2f4af55a8a5f790ee
• f2e9b4bbb5436a87abd020850a0bccd3

SHA-256

• 7aec3ed791529182c0f64ce34415c3c705a79f3d628cbcff70c34a9f73d8ff42
• 1b8bf8dc75a9fccb3ba4ef7a08264cf31a2bd960231170ec28d78d0d234b378e
• 973d0318f9d9aec575db054ac9a99d96ff34121473165b10dfba60552a8beed4
• 60aef1b657e6c701f88fc1af6f56f93727a8f4af2d1001ddfa23e016258e333f
• 327916a876fa7541f8a1aad3c2270c2aec913bc8898273d545dc37a85ef7307f
• 0e451125eaebac5760c2f3f24cc8112345013597fb6d1b7b1c167001b17d3f9f

SHA1

• 20c97931c08538d4b3c7e5e8d46fb4acd0801e87
• a11333534db1a253d91fc2fe521929553bfbafc7
• 04ac4430395e4bb5c8e78e3c6a277f108da36124
• d7469da6a523239a9f2eee26d944aa9076c87bfa
• f43b74c10c880546cf03014e253026736f01d1f9
• c51d97e76b018918504533ffdc05b06bae420912
• f1acf90d5a42eba5b601ebe1b954be72d1c5b0b2

Remediation

• Block the threat indicators at their respective controls.
• Do not click on untrusted links found on public websites.
• Do not download files from untrusted sources or emails.
• Do not execute untrusted files accidentally downloaded from random sources on the internet.