Gootloader Inside Out

Jan. 17, 2025, 5:53 p.m.

Description

The report details an analysis of the Gootloader malware family, which uses malicious SEO tactics to infect computers. It explains how Gootloader compromises legitimate WordPress sites, manipulates search results, and presents visitors with a fake online forum to distribute malware. The analysis reconstructs Gootloader's server-side operations using open-source intelligence, revealing the intricate processes behind its infection chain. Key components discussed include the landing page code, the 'mothership' server orchestrating attacks, and techniques used to evade detection. The report provides insights into Gootloader's persistence and effectiveness despite its well-understood mechanisms.

Date

  • Created: Jan. 17, 2025, 5:34 p.m.
  • Published: Jan. 17, 2025, 5:34 p.m.
  • Modified: Jan. 17, 2025, 5:53 p.m.

Indicators


Attack Patterns

  • Gootloader
  • T1102.002
  • T1185
  • T1059.007
  • T1140
  • T1027
  • T1078