2022-05-24

Gootloader Infection

Level: 
Tactical
  |  Source: 
Red Canary
Share:

Gootloader Infection

Industry: N/A | Level: Tactical | Source: Red Canary

Red Canary has provided details of malware Gootloader, which is being tracked separately from Gootkit malware. An infection chain is offered by Red Canary as the malware is often reported in the security firm’s monthly intelligence insights and 2021 Threat Detection report, indicating the malware’s popularity amongst cybercriminals. The malware has been distributed most frequently from attackers leveraging compromised WordPress sites to populate common keywords for SEO poisoning tactics. The attack lures victims to download a ZIP file and often uses "agreement” in the zip file’s name. The zip file houses a malicious JavaScript triggering wscript.exe when executed and initiates a system check for Active Directory, launching a query for the USERDNSDOMAIN environment variable. The check reveals the malware’s goal of targeting business or enterprise-level victims. If the check is successful the malware proceeds to the second phase in downloading DLL payloads, and creates persistence in the registry as well as with a scheduled task using PowerShell. Infection wraps up with the execution of PowerShell commands setup for payloads such as a Cobalt Strike Beacon to initiate attacker objectives.

Anvilogic Scenario:

  • Gootloader - Wscript, Registry Modification, PS & CS

Anvilogic Use Cases:

  • Compressed File Execution
  • Wscript/Cscript Execution
  • Executable Process from Suspicious Folder
  • Suspicious Registry Key Created
  • New AutoRun Registry Key
  • Modify Registry Key
  • Create/Modify Schtasks
  • Suspicious File written to Disk
  • Encoded Powershell Command
  • Suspicious Executable by Powershell
  • Rundll32 Command Line

Get trending threats published weekly by the Anvilogic team.

Sign Up Now