[Closed] GootLoader-Like Variant on Win11: Obfuscated JS w/ PS Persistence & Boot Crashes – Seeking Analysis

Status
Not open for further replies.

MichaelKaplan (Thread author, New Member), Jul 13, 2025
Hello,

Looking into what appears to be a GootLoader variant on my Win11 machine—obfuscated JS payload with PS persistence that's dodging Defender and Malwarebytes. I've handled initial cleanup, but seeking confirmation on remnants or IOCs, especially given its evasion tactics. Vector unclear, possibly from a banking cert tool download (CIC-related), but no direct tie.

Breakdown:

1. **Behavior & Indicators**:
- Boot-time flashes of cmd/PS windows, plus nodemon crashes (attached screenshot: InvalidCharacterError in atob during eval on Node v22.9.0). Crash likely from faulty string in obfuscation, possibly duplication artifact during persistence.
- ProcMon shows PS (e.g., PID 48232) chaining to cmd.exe -> nodemon.cmd -> index.js in C:\Users\[Username]\AppData\Roaming\xlPIA\.
- index.js core: eval(atob(...)) base64 decode, then Node crypto AES-256-CBC (key: "jj28As8T9hj2EL120/aPqrV2bEHpwyYt", IV base64 "4Gfa2FFbAWouWa3b9YtM4A==") before eval. Fits loader pattern for recon/drops.

2. **Artifacts**:
- PS scripts in C:\Users\[Username]\AppData\Local\xlPIA\ (CItMSTGVU.ps1 & MlvpEtxVW.ps1):
- Console hiding via WinAPI (Kernel32/user32).
- Node proc management (kill/restart), Chrome .lnk mods adding "--remote-debugging-port=9222" for potential session hijack.
- Persistence: Startup .lnk ("Update.lnk") & sched task "reload node.js" (every 60 min, PS relaunch of index.js).
- Post-deletion, it recopied to another Roaming dir with new name—resilient recreation loop.
- Clean scans from Defender full/offline & MBAM, highlighting script/evasion focus.

3. **Cleanup**:
- Removed "reload node.js" task via Scheduler.
- Wiped xlPIA/node dirs from AppData\Local/Roaming (multiple rounds due to recreation).
- Stripped "--remote-debugging-port=9222" from Chrome shortcuts.
- Defender hardened: All ASR rules Blocked, real-time/cloud enabled, auto-samples on.
- PS exec set to Restricted machine-wide.

Could the PS crashes stem from env-specific issues (Node version mismatch), or indicate broader incompatibility making some systems less viable for this variant? Has data exfil (e.g., creds via Chrome port) likely occurred already? What's the best next step—Autoruns for hidden hooks, or VT submission for the JS? Can't upload full index.js/.ps1 due to perms—can share via VT/pastebin (w/ pw) or preferred method.

Appreciate the analysis—thanks.
Uploaded to MalShare the main index.js as well as the 2 .ps1 files.
Index.js
SHA256 : fe096d0380bf1c602663f51c9986183db1634b5bb5471eec773cca8b844cf6e4
CItMSTGVU.ps1
SHA256 : 43d05ac50e4cb1b2bcfd8ab55c8771b5f72b7f25df78d50ce146883a407716b1
MlvpEtxVW.ps1
SHA256 : c7d19eaedb7e26cde41758c01946b4edc5260827204bd4fdc76adc399fb392e2
 
Will have a look later today.
Turns out that index.js was just a tiny Node stub that AES-decrypts and runs an obfuscated engine.io-client/ws bundle—not malware. The PowerShell scripts in xlPIA merely added Chrome’s --remote-debugging-port=9222 flag, and a nodemon-style watcher kept relaunching it on login. Uninstalling the global watcher and deleting the .ps1 scripts stopped the pop-ups—no virus, just a misconfigured dev tool.
 
Hello! Welcome to the Windows Malware Removal Help section. :)

Do I understand that they are not needed for further action, for analysis of your system?