This report goes over the GootLoader malware in detail. It has been wreaking havoc since 2020, and it is time we put an end to it. In this threat bulletin, we look at all of its signature tactics, techniques, and procedures (TTPs), and we also dive into the new ways it gets around defenses.
Upgrades and new threat vector:
This thing doesn't stop at one trick; it keeps evolving. The first change its operators made was to rework the initial Stager 1 component to make detection even harder. Now they are throwing obfuscation and code shuffling into the mix, which renders the existing open-source decoding tools useless against current samples.
To defend against the likes of GootLoader, organizations should consider a multi-faceted approach. This includes URL analysis, using decoy files, analyzing client-server payload profiles, employing file hashing, searching file contents with pattern matching, setting system configuration permissions, monitoring process spawn chains, and filtering network traffic. By layering these controls, organizations reduce the chance of falling victim to these threats.
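The following triage helper is an added example, not code from the bulletin or from any vendor tooling. It implements three of the measures listed above: file hashing against the IOC set, pattern matching over file contents, and process spawn analysis. Only the two Stager 2 SHA-256 values come from the bulletin; the obfuscation heuristics, thresholds, process names, directory names, and the sample records at the bottom are constructed assumptions and are labelled as such in the code.

```python
"""Added triage helper (example, not from the bulletin): hash match,
content pattern match, and process spawn analysis. Only the two SHA-256
values are from the bulletin; every other constant is an assumption."""
import hashlib
import math
import re
from collections import Counter

# SHA-256 hashes the bulletin lists for Stager 2 (post May 2022).
KNOWN_STAGER2_SHA256 = {
    "e4f452c452695ef4dd61042d77ec9dfa6a803a3ef82878b66b0b08780350efa6",
    "6c4bc6376afa8933e2556c688ec911642bcd86d44120cdd69240f0197fa08b9f",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def matches_known_hash(data: bytes, iocs=KNOWN_STAGER2_SHA256) -> bool:
    """File hashing: exact match against the IOC set."""
    return sha256_hex(data) in iocs


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; high values hint at packed/encoded blobs."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


# Constructed heuristics (assumption, not a GootLoader signature): obfuscated
# script text tends to show many string concatenations, very long single lines,
# or unusually high character entropy.
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")


def looks_obfuscated(script: str, max_line=2000, min_concats=20, min_entropy=5.5) -> bool:
    longest = max((len(line) for line in script.splitlines()), default=0)
    concats = len(CONCAT_RE.findall(script))
    return (longest > max_line or concats >= min_concats
            or shannon_entropy(script) > min_entropy)


# Assumed names for the spawn rule: script hosts and user-writable drop dirs.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
USER_DROP_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")


def suspicious_spawn(event: dict) -> bool:
    """Process spawn analysis (constructed rule): a script host whose command
    line references a script sitting in a user download/temp directory."""
    child = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    return child in SCRIPT_HOSTS and any(d in cmd for d in USER_DROP_DIRS)


def triage(events, files):
    """Run all three checks; returns a list of finding strings."""
    findings = []
    for path, data in files.items():
        if matches_known_hash(data):
            findings.append(f"hash-match:{path}")
        try:
            if looks_obfuscated(data.decode("utf-8")):
                findings.append(f"obfuscated:{path}")
        except UnicodeDecodeError:
            pass  # binary content: hash check already ran, skip text heuristics
    for e in events:
        if suspicious_spawn(e):
            findings.append(f"spawn:{e['pid']}")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not real telemetry.
    sample_script = " + ".join(["'a'"] * 30) + ";"
    sample_event = {
        "pid": 4242,
        "image": "C:\\Windows\\System32\\wscript.exe",
        "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\agreement.js"',
    }
    print(triage([sample_event], {"agreement.js": sample_script.encode()}))
```

Feed `triage()` real file bytes and parsed process-creation events from your EDR or Sysmon pipeline; tune the thresholds in `looks_obfuscated()` against a sample of your own benign scripts before alerting on them, since the defaults here are illustrative only.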
Indicators of compromise (IOCs):
Stager 1 (ZIP):
Stager 2 (Post May 2022):
- e4f452c452695ef4dd61042d77ec9dfa6a803a3ef82878b66b0b08780350efa6
- 6c4bc6376afa8933e2556c688ec911642bcd86d44120cdd69240f0197fa08b9f
Payload (Cobalt Strike Beacon):
Registry key adds:
Gootloader represents a strong and developing threat that combines SEO poisoning with advanced malware deployment. Because of its ability to adapt and evade, this malware is a reason to set up proactive security. Organizations should stay vigilant, refine their SIEM rules, and deploy a variety of prevention methods to protect against Gootloader and similar threats.