Upcoming Webinar: DPDP Act and Cybersecurity Essentials for Indian Manufacturers - 23rd July

Register Today
gootloader-malware

Introduction: 

This report is going to go over the GootLoader malware in detail. It’s been wrecking havoc since 2020 and it’s time we put an end to it. In this threat bulletin, look at all its signature tactics, techniques, and procedures (TTPs). We’ll also be diving into the new ways it gets around. 

Upgrades and new threat vector: 

This thing doesn’t just stop at one trick, it keeps evolving. The first thing they did was change the initial Stager 1 component to make detection even harder. Now they’re throwing obfuscation and code shuffling into the mix to render open-source decoding tools useless. 

Preventive measures: 

To defend against the likes of GootLoader organizations should consider a multi-faceted approach. This includes URL analysis, using decoy files, analyzing client-server payload profiles, employing file hashing, searching file contents with pattern matching, setting system configuration permissions, monitoring process spawn analysis, and filtering network traffic. By doing this organizations can avoid falling victim to these threats. 

Indicators of compromise (IOCs): 

Stager 1 (ZIP): 

Hash:  

  • 568eeaab68afe15f420fcdc4ac5174dfae9cb1b56b365ddf0951dee35f916dff 

Stager 1 (JavaScript): 

Hash:  

  • 1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f 

Stager 2 (Post May 2022): 

Hashes:   

  • 640d75d1f3ef23a65c5554b1e86281abbc14e62ee878fda119ce0be910526438 
  • e4f452c452695ef4dd61042d77ec9dfa6a803a3ef82878b66b0b08780350efa6      6c4bc6376afa8933e2556c688ec911642bcd86d44120cdd69240f0197fa08b9f 

Payload (Powershell.dll): 

Hashes:         

  • f1b33735dfd1007ce9174fdb0ba17bd4a36eee45fadcda49c71d7e86e3d4a434 
  • f9093510dda650e214fbf48060a645136053ab1525919ead95c63915be06931c         
  • abd2ce37c207b5d24fe39e56ca6688dda8ce63532400216a13e1735e49b03050 
  • 17a02009a19067b34651efe7a5c98ed1d7a110d794cc1ab1af8bd288207b0836         
  • 2fcd6a4fd1215facea1fe1a503953e79b7a1cedc4d4320e6ab12461eb45dde30       
  • b7c880252ed3ebf9a11fcdff5186008ee59785c17a68861511fe5116cbe2ab79 
  • 15645d983a3a31e1c3cfe651f2ce5613939f221b2ebeee2a1e2f1aa2ecf94c29         
  • 338fe8dc488962ca3a44c297cc457999be5ba61d4268e8289b8abd69893447e3 
  • 796c5fdd403ea0c247e062b0e206e03cbce62561c00bf0e28b7465125375a996         
  • 7c170097ded546d1bbd3d4550e26a4cb3e78629f37469b4c28a97a576be43c03 

Payload (Cobalt Strike Beacon): 

Hash:  

  • 0258da19a8fa78a824bd2b43f36ffbb61cb8f7571971a1360cc2933175f27b4a 

Registry key adds: 

  • SOFTWARE\Microsoft\Phone%Username% 
  • SOFTWARE\Microsoft\Phone%Username%0 

Conclusion : 

Gootloader represents a strong and developing threat that includes SEO poisoning and advanced malware deployment. Its ability to adapt and evade, this malware becomes a reason to set up proactive security. Organizations should be vigilant refine their SIEM rules, and deploy a variety of prevention methods to protect against Gootloader and similar threats. 

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.