Pulse: Gootloader walkthrough
TLP: WHITE  Author: AlienVault  Created: 2024-05-24  Modified: 2024-05-24
IOCs: 12 (medium volume)
This pulse walks through a Gootloader infection chain. The lure is SEO poisoning: victims searching for a document land on fake forum pages and download a malicious JavaScript file disguised as the resource they were looking for. Once run, the script establishes persistence through a scheduled task, which launches PowerShell and attempts to reach the command and control servers listed below; a successful connection lets the operators exfiltrate data and stage further actions.
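The following is an added hunting script, not part of the OTX pulse. It embeds the pulse's indicator table and runs it over constructed DNS, proxy, EDR and process-creation log lines (the log format and every sample line are made up for illustration). Domains are matched by suffix so subdomains of an IOC domain hit but look-alike names such as notclintkustoms.com do not, and the process check flags the wscript.exe to schtasks.exe / powershell.exe chain the description mentions; the set of suspicious child processes is an assumption, not something the pulse lists.

```python
"""Hunt for the Gootloader pulse's indicators and the execution chain it
describes. Added example, not part of the OTX pulse; the log formats and
every sample log line below are constructed for illustration."""
import re
from urllib.parse import urlparse

# Indicators copied from the pulse's IOC table.
IOC_SHA256 = {
    "2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35",
    "a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8",
    "f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b",
}
IOC_URLS = {"http://clintkustoms.com/manual.php"}
IOC_DOMAINS = {
    "ashleyhomeonline.com", "budgetvm.com", "clintkustoms.com",
    "montebello6.se", "pureapks.xyz", "sachverstaendiger-fenster.net",
    "shoreditchtownhall.com", "virdo.ir",
}

# Assumed child processes worth flagging under wscript.exe (not from the pulse).
SUSPICIOUS_CHILDREN = {"schtasks.exe", "powershell.exe", "cmd.exe"}


def domain_matches(host):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    www.clintkustoms.com -> clintkustoms.com; notclintkustoms.com -> None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed log lines (not from the pulse): "<source> key=value ...".
SAMPLE_LOGS = [
    "dns client=10.0.0.15 query=www.clintkustoms.com type=A",
    "dns client=10.0.0.15 query=notclintkustoms.com type=A",
    "proxy client=10.0.0.15 url=http://clintkustoms.com/manual.php status=200",
    "proxy client=10.0.0.22 url=https://example.org/index.html status=200",
    "edr host=WS01 file=C:\\Users\\jane\\Downloads\\contract_template.js "
    "sha256=2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35",
    "proc host=WS01 parent=wscript.exe image=schtasks.exe",
    "proc host=WS01 parent=explorer.exe image=powershell.exe",
    "proc host=WS01 parent=wscript.exe image=powershell.exe",
]

KV = re.compile(r"(\w+)=(\S+)")


def hunt(lines):
    """Return (line, reason) pairs for every line that hits an indicator
    or shows the wscript.exe -> scheduled task / PowerShell chain."""
    hits = []
    for line in lines:
        kind, _, rest = line.partition(" ")
        f = dict(KV.findall(rest))
        if kind == "dns":
            d = domain_matches(f.get("query", ""))
            if d:
                hits.append((line, f"dns query matches IOC domain {d}"))
        elif kind == "proxy":
            url = f.get("url", "")
            host = urlparse(url).hostname or ""
            if url in IOC_URLS:
                hits.append((line, "url matches IOC URL"))
            else:
                d = domain_matches(host)
                if d:
                    hits.append((line, f"url host matches IOC domain {d}"))
        elif kind == "edr":
            if f.get("sha256", "").lower() in IOC_SHA256:
                hits.append((line, "file hash matches IOC SHA256"))
        elif kind == "proc":
            parent = f.get("parent", "").lower()
            image = f.get("image", "").lower()
            if parent == "wscript.exe" and image in SUSPICIOUS_CHILDREN:
                hits.append((line, f"wscript.exe spawned {image}"))
    return hits


if __name__ == "__main__":
    for line, why in hunt(SAMPLE_LOGS):
        print(f"[HIT] {why}\n      {line}")
```

Suffix matching is deliberate: pulses list registrable domains, and traffic usually shows a host under them, but a plain substring match would also fire on unrelated names that merely contain the indicator. Hash and URL indicators are exact, so feed them normalized (lowercase hashes, unmodified URLs) from whatever source you run this against.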
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Gootloader
Indicators of Compromise (12)
TYPE  INDICATOR  DESCRIPTION  CREATED
FileHash-SHA256 2efabb155d9d8fc56b5eb3dfdc83b3f3f9099a7c0bc87ff8f9b7550d587d5b35 2024-05-24
FileHash-SHA256 a92381a403a1463b64ebc547de7ec2a4225a7755d23c4e56503582b9cb33c3c8 2024-05-24
FileHash-SHA256 f8f3fa45eced0c32fbbf912f3f8ba6100a8b59e14f12a125c88340a47cf7e57b 2024-05-24
URL http://clintkustoms.com/manual.php 2024-05-24
domain ashleyhomeonline.com 2024-05-24
domain budgetvm.com 2024-05-24
domain clintkustoms.com 2024-05-24
domain montebello6.se 2024-05-24
domain pureapks.xyz 2024-05-24
domain sachverstaendiger-fenster.net 2024-05-24
domain shoreditchtownhall.com 2024-05-24
domain virdo.ir 2024-05-24