Gootloader walkthrough

May 24, 2024, 8:55 a.m.

Tags
social engineering
powershell
seo poisoning
javascript
2024-05-24
gootloader
External References
Description

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resource. This initial payload creates persistence via scheduled tasks, leading to further PowerShell execution and attempts to connect to malicious command and control servers, enabling data exfiltration and other nefarious actions.

Date

Published: May 24, 2024, 8:29 a.m.

Created: May 24, 2024, 8:29 a.m.

Modified: May 24, 2024, 8:55 a.m.

Indicators

f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b

a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8

2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35

http://clintkustoms.com/manual.php

virdo.ir

shoreditchtownhall.com

sachverstaendiger-fenster.net

pureapks.xyz

montebello6.se

clintkustoms.com

budgetvm.com

ashleyhomeonline.com

Download all indicators here!

Attack Patterns

Gootloader

T1053.005

T1059.005

T1059.003

T1059.001

T1059.007

T1059.004

T1547

T1059