HP Threat Research Blog

May 4, 2022 | Category: Threat Research | By: Patrick Schläpfer

Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware

The threat actors behind GootLoader are constantly making adjustments to this family of JavaScript malware, and those changes regularly break indicator of compromise (IOC) extraction with our decoder script. Whenever the GootLoader decoder breaks, we adapt it to the new version of the malware to help the security community. In this post, we share the process of debugging and fixing the script, showing the common steps we usually take.

First, we inspect what each regular expression (regex) extracts, because a regex that no longer matches is usually the reason the decoder breaks. To do so, we add print statements before and after each regex evaluation, starting from the bottom of the script. The following image shows our first check.
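The instrumentation described above, as an added example that is not the HP decoder script and does not reproduce any real GootLoader obfuscation: each regex stage is wrapped in a helper that prints its input size, the pattern, and either the captured text or a clear "no match" message, so the first stage that stops matching after a malware update is named instead of surfacing later as an `AttributeError` on `None`. The sample script, the variable names `k` and `blob`, and the hex encoding are constructed for the example.

```python
import re

# Constructed sample input (not real GootLoader code): a tiny script-like blob
# with a decode key and a hex-encoded payload string.
SAMPLE_SCRIPT = (
    "var k = 'xyz';\n"
    "var blob = '68656c6c6f2d776f726c64';\n"
    "eval(decode(blob));\n"
)

# Hypothetical decoder stages: label plus the regex that extracts one value.
STAGES = [
    ("key", re.compile(r"var\s+k\s*=\s*'([^']*)'")),
    ("blob", re.compile(r"var\s+blob\s*=\s*'([0-9a-fA-F]+)'")),
]


def checked_search(label, pattern, text, verbose=True):
    """Evaluate one regex stage and report before/after; return group 1 or None."""
    if verbose:
        print(f"[{label}] before: input length={len(text)} pattern={pattern.pattern!r}")
    m = pattern.search(text)
    if m is None:
        if verbose:
            print(f"[{label}] after: NO MATCH - decoder would break at this stage")
        return None
    if verbose:
        print(f"[{label}] after: matched {m.group(1)[:40]!r} at offset {m.start()}-{m.end()}")
    return m.group(1)


def extract_iocs(script, verbose=True):
    """Run all stages in order; stop at the first one that fails and name it."""
    extracted = {}
    for label, pattern in STAGES:
        value = checked_search(label, pattern, script, verbose)
        if value is None:
            return {"failed_stage": label, "extracted": extracted}
        extracted[label] = value
    # Constructed final step: decode the hex payload to show the pipeline end to end.
    extracted["blob_decoded"] = bytes.fromhex(extracted["blob"]).decode("ascii", "replace")
    return {"failed_stage": None, "extracted": extracted}


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_SCRIPT))
    # Simulate a malware update that renames the key variable: stage "key" now fails.
    print(extract_iocs(SAMPLE_SCRIPT.replace("var k =", "var key ="), verbose=True))
```

Running the block with the renamed variable shows the value of the check: the output names the `key` stage as the one that stopped matching, which is exactly the information needed to write the updated regex, rather than a traceback from a later line of the decoder.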