Gootloader walkthrough

May 24, 2024, 8:55 a.m.

Description

This report covers the Gootloader malware campaign. Using SEO poisoning and fake forum pages, the operators lure victims into downloading a malicious JavaScript file disguised as a legitimate resource (for example, a document they searched for). The initial script establishes persistence through a scheduled task, which launches further PowerShell execution and attempts to reach command-and-control servers, enabling data exfiltration and follow-on activity.

Date

  • Created: May 24, 2024, 8:29 a.m.
  • Published: May 24, 2024, 8:29 a.m.
  • Modified: May 24, 2024, 8:55 a.m.

Indicators

  • f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b
  • a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8
  • 2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35
  • http://clintkustoms.com/manual.php
  • virdo.ir
  • shoreditchtownhall.com
  • sachverstaendiger-fenster.net
  • pureapks.xyz
  • montebello6.se
  • clintkustoms.com
  • budgetvm.com
  • ashleyhomeonline.com

Attack Patterns

  • Gootloader
  • T1053.005 (Scheduled Task/Job: Scheduled Task)
  • T1059.005 (Command and Scripting Interpreter: Visual Basic)
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1059.007 (Command and Scripting Interpreter: JavaScript)
  • T1059.004 (Command and Scripting Interpreter: Unix Shell)
  • T1547 (Boot or Logon Autostart Execution)
  • T1059 (Command and Scripting Interpreter)