Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

May 8, 2024, 5:29 p.m.

Description

Amid the rise of bootkits at the time, a dropper was captured in the wild and posted on a malware tracker. The malware was called "Guntior", named after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections.

Date

  • Created: May 8, 2024, 1:32 p.m.
  • Published: May 8, 2024, 1:32 p.m.
  • Modified: May 8, 2024, 5:29 p.m.

Indicators


Attack Patterns

  • Guntior
  • T1561
  • T1014
  • T1574
  • T1547
  • T1543
  • T1055
  • T1140
  • T1056
  • T1562