Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

May 8, 2024, 5:29 p.m.

Description

Amid the rise of bootkits at the time, a dropper was captured in the wild and posted on a malware tracker. The malware was called "Guntior", named after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections.

Date

Published: May 8, 2024, 1:32 p.m.
Created:   May 8, 2024, 1:32 p.m.
Modified:  May 8, 2024, 5:29 p.m.

Indicators


Attack Patterns

Guntior (MITRE ATT&CK techniques)

T1561 - Disk Wipe
T1014 - Rootkit
T1574 - Hijack Execution Flow
T1547 - Boot or Logon Autostart Execution
T1543 - Create or Modify System Process
T1055 - Process Injection
T1140 - Deobfuscate/Decode Files or Information
T1056 - Input Capture
T1562 - Impair Defenses