Red Canary Offers Detection Insights for Gootloader Malware
Category: Malware Campaign | Industry: Global | Source: Red Canary
Red Canary's threat emulation report provides detection coverage for the Gootloader malware family. This JScript-based malware appears regularly in Red Canary's monthly intelligence insight series, which reflects its importance for organizations defending against a threat that is commonly delivered through SEO poisoning and known for its opportunistic targeting. Describing the infection scenario used in these attacks, Red Canary noted that victims "were likely directed to these sites after initiating search queries in popular search engines with keywords such as 'agreement,' 'contract,' and the names of various financial institutions."
The behaviors Red Canary recommends for detection analytics center on JScript execution via wscript or cscript followed by various PowerShell executions. It recommends monitoring for JScript executed from the AppData directory, a common entry point for malware activity. Several PowerShell-based analytics are offered as well: PowerShell running as a child process of wscript or cscript, encoded PowerShell commands, PowerShell performing reflective code loading, PowerShell run with attempts to bypass the execution policy, and PowerShell creating scheduled tasks for persistence.
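As an added illustration that is not part of the Red Canary report or Anvilogic's content, the following Python sketch applies the analytics listed above to a constructed set of process-creation events: a script host launched from AppData, PowerShell spawned as its child with encoded and execution-policy-bypass flags, and a benign PowerShell script that should not fire. The event schema, process IDs, file names and command lines are all assumptions made up for the example.

```python
import re
from collections import namedtuple

# Constructed, simplified process-creation schema (not the report's telemetry format).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def powershell_flags(cmdline):
    """Map the PowerShell behaviours the report lists to command-line checks."""
    c = " " + cmdline.lower()
    flags = []
    if re.search(r"\s-(e|ec|en|enc|encodedcommand)\b", c):
        flags.append("encoded_command")
    if re.search(r"\s-(ep|ex|exec|executionpolicy)\s+bypass", c):
        flags.append("execution_policy_bypass")
    if "reflection.assembly" in c:
        flags.append("reflective_load")
    if "schtasks" in c or "register-scheduledtask" in c:
        flags.append("scheduled_task")
    return flags

def detect(events):
    """Return (pid, analytic, flags) for each event that matches an analytic."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        if img in SCRIPT_HOSTS and "\\appdata\\" in e.cmdline.lower():
            alerts.append((e.pid, "script_host_from_appdata", []))
        elif img in POWERSHELL:
            parent = by_pid.get(e.ppid)
            flags = powershell_flags(e.cmdline)
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                alerts.append((e.pid, "powershell_child_of_script_host", flags))
            elif flags:
                alerts.append((e.pid, "suspicious_powershell", flags))
    return alerts

# Constructed sample telemetry: wscript from AppData spawns encoded PowerShell; the backup script (pid 400) must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\contract_agreement.js"'),
    ProcEvent(300, 200, PS, "powershell.exe -ep bypass -nop -w hidden -enc QQBCAEMA"),
    ProcEvent(400, 100, PS, r"powershell.exe -File C:\scripts\backup.ps1"),
]
```

Running `detect(SAMPLE)` yields one alert for the script host and one for its PowerShell child carrying both flags; the benign script produces nothing.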
The detection analytics Red Canary offers are further supported by Atomic tests referenced throughout the report. Anvilogic threat scenarios can draw on Red Canary's detection insights in full to identify JScript execution followed by suspicious PowerShell activity.