Gootloader, a malware loader often used as initial access for ransomware attacks, uses an intentionally malformed ZIP archive in order to evade detection, Expel described in a report published Thursday.

Several anomalies are exhibited by the ZIP archive containing the JScript that kicks off Gootloader infection, causing several unarchiving tools, including 7zip and WinRAR, to fail to extract its contents. This prevents analysis via automated workflows that rely on such tools to access ZIP archive contents. However, the Windows default unarchiving tool is still able to consistently open these archives, ensuring the intended victims can extract the malicious JScript and execute it.

The first unusual aspect of the ZIP archives downloaded from Gootloader infrastructure is the fact that each archive is actually a series of 500 to 1,000 identical ZIP archives concatenated together into a single file.

The exact number of ZIP archives contained in the file is randomly determined at the time of download, making each file unique and resistant to hash-based detection. This also gives the file an unusually large size, into the dozens of MB, despite the uncompressed size of the contained JScript being only 287 KB.
Another anomaly of the ZIP archive file is the omission of two bytes from the End of Central Directory section of the archive structure. Specifically, the “Comment Length” field is completely missing.

As unarchiving tools start reading ZIP archives from the End of Central Directory section and expect a specific number of bytes, this omission could cause an error and prevent the tools from locating the contained files.

Lastly, Expel noted that metadata contained in the local file header for the archives did not match data from the archive’s central directory in several fields, including version to extract, modification time, cyclic redundancy check (CRC32), compressed size, uncompressed size, file name length in bytes and file name.

This mismatch could also be a cause of errors while attempting to extract content from these ZIP files using unarchiving tools. Additionally, the values of some fields, including version to extract and modification time, appeared to be randomized, Expel said, another “hashbusting” tactic making each archive sample unique.

To help defenders detect ZIP archives characteristic of Gootloader, despite their resistance to hash-based detection, Expel created a YARA rule that looks for ZIP archives with more than 100 occurrences of the same local file header and more than 100 occurrences of the End of Central Directory.

Expel described additional detection opportunities based on Gootloader’s behavior after the JScript file is executed. For example, defenders could monitor for instances of wscript.exe executing a JScript file (.js) within the temp directory, where files are located after the user double clicks on a ZIP archive on Windows.

Additionally, Gootloader establishes persistence by creating a .LNK file in the Startup folder, which points to another .LNK placed in a random directory along with a second malicious JScript file. Therefore, defenders could monitor for the creation of .LNK files in the Startup folder that point to non-standard directories, Expel wrote.

When the second .LNK file executes the second JScript file, it is executed via CScript using an NTFS short name, another unusual aspect that can be used for detection. Lastly, upon execution, the CScript spawns a PowerShell process that spawns a second PowerShell process; this specific process tree is another potential detection opportunity for Gootloader.

As a prevention measure, Expel recommends using group policy objects (GPO) to change the default program for opening JScript files from wscript.exe (Windows Script Host) to Notepad. This will prevent the malicious script from being executed automatically upon a double click, without completely preventing the use of JScript when needed for legitimate business purposes.
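The three archive-level anomalies described above (repeated local file headers and End of Central Directory records, using the same >100 thresholds as Expel's YARA rule; an End of Central Directory missing its comment-length field; and central directory fields that disagree with the local file header) as an added Python scanner. This is example code written for this article, not Expel's rule or tooling; the file name, script content and the mangled sample it builds are constructed.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
CDH_SIG = b"PK\x01\x02"   # central directory header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory signature


def scan_zip(data: bytes) -> dict:
    """Flag the structural anomalies the article attributes to Gootloader ZIPs."""
    f = {"local_headers": data.count(LFH_SIG),
         "eocd_records": data.count(EOCD_SIG), "header_mismatch": []}
    # Same thresholds as Expel's YARA rule: >100 local headers and >100 EOCDs.
    f["concatenated"] = f["local_headers"] > 100 and f["eocd_records"] > 100
    # A complete EOCD is 22 bytes and ends with the 2-byte comment length; if the
    # last EOCD runs past end of file, that field has been dropped.
    last = data.rfind(EOCD_SIG)
    f["eocd_truncated"] = last != -1 and len(data) - last < 22
    # Compare the first central directory entry with the local header it points to.
    # The first archive of a concatenated file starts at offset 0, so its offsets hold.
    cdh = data.find(CDH_SIG)
    if cdh != -1 and len(data) >= cdh + 46:
        (_made, c_ver, flags, _m, c_time, c_date, c_crc, c_csz, c_usz, c_nlen,
         *_rest, lfh) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, cdh + 4)
        (l_ver, _fl, _lm, l_time, l_date, l_crc, l_csz, l_usz, l_nlen,
         _lx) = struct.unpack_from("<HHHHHIIIHH", data, lfh + 4)
        pairs = {"version": (c_ver, l_ver), "mtime": (c_time, l_time),
                 "mdate": (c_date, l_date), "name_len": (c_nlen, l_nlen),
                 "name": (data[cdh + 46:cdh + 46 + c_nlen],
                          data[lfh + 30:lfh + 30 + l_nlen])}
        if not flags & 0x8:  # with a data descriptor these are legitimately 0 locally
            pairs.update(crc=(c_crc, l_crc), csize=(c_csz, l_csz), usize=(c_usz, l_usz))
        f["header_mismatch"] = [k for k, (c, l) in pairs.items() if c != l]
    return f


def make_samples():
    """Constructed inputs: a clean ZIP and a Gootloader-style mangled copy of it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("constructed.js", "WScript.Echo('constructed sample');")
    clean = buf.getvalue()
    # 200 identical copies concatenated, the EOCD comment-length field (last 2
    # bytes) removed, and the first local header's modification time overwritten.
    bad = bytearray(clean * 200)[:-2]
    bad[10:12] = b"\xff\xff"
    return clean, bytes(bad)


if __name__ == "__main__":
    for label, blob in zip(("clean", "mangled"), make_samples()):
        print(label, scan_zip(blob))
```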