| Field | Value |
|---|---|
| Advisory Type | Malware Intelligence |
| Malware Type | Loader |
| Malware Name | Gootloader |
| Target OS | Windows |
| Targeted Countries | North America, South Korea, Germany, France |
Gootloader is a JavaScript-based infection framework that uses a new mechanism to deliver its payload. Its operators have compromised over 400 servers hosting legitimate websites; they edit the content of the compromised sites to insert seemingly legitimate discussion threads, built around keywords that match the queries users are likely to search for.

Gootloader operators rely on SEO (Search Engine Optimization) techniques so that Google indexes the compromised pages and surfaces them in its search results. The attack vector is only active for visitors from certain countries arriving through certain search engines (such as Google); a visit that does not match the loader's criteria is served the legitimate web page instead. Gootloader delivers the fileless GootKit RAT, REvil ransomware, Cobalt Strike, and the Kronos Trojan.
| Tactic | Technique ID | Technique |
|---|---|---|
| Reconnaissance | T1590.005 | Gather Victim Network Information: IP Addresses |
| Resource Development | T1584.004 | Compromise Infrastructure: Server |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defence Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defence Evasion | T1112 | Modify Registry |
| Defence Evasion | T1055.012 | Process Injection: Process Hollowing |
SHA1 indicators of compromise:

- 8731316018d005690046909f86b10a2130cfe75c
- 04ac4430395e4bb5c8e78e3c6a277f108da36124
- d7469da6a523239a9f2eee26d944aa9076c87bfa
- f43b74c10c880546cf03014e253026736f01d1f9
- 2bc5babb780ffdd38f2ee61583ed2d036fd499d7
- 7fde4507b2430e37c7dc9a1df8904371bc1bf9b2
- f2ddf525f9bf9e583cb6e2694e5abfac483660b2
- 098b332b7a4f8712916d6a681799e390daaaef98
- 9771dc299da3aafd578a3182c63530315aff5726
- dd98b9fce29bb291f37ef7ccf745ad3cdf5880b8
- effb1d6d2a254c428fd3b726e5d10ba9c77a3ae6
- f6525c66ab292d394ff7ec3da9beca8c45919788
- 02efc02a97e2223a85deea842eacebe9eb86aa0f
- c51d97e76b018918504533ffdc05b06bae420912
- f1acf90d5a42eba5b601ebe1b954be72d1c5b0b2