Gootloader

Malware updated 7 hours ago (2024-11-21T10:31:37.856Z)

Download STIX

Preview STIX

Gootloader is a potent malware, often used as an infostealer or deployed prior to ransomware attacks. It's known for its unique approach of Search Engine Optimization (SEO) poisoning, where victims are deceived into clicking on malicious links disguised as legitimate resources. A significant campaign was recently detected by Sophos X-Ops MDR, who reported a surge in this initial compromise technique over the past year. Despite available protection blocks, users are advised to follow best practices and remain vigilant against suspicious links or sources. This malware has been linked with various threat actors, including Storm-0494 and Vice Society, exploiting vulnerabilities in different sectors. Microsoft Threat Intelligence reported on September 18 that Vanilla Tempest receives handoffs from Gootloader infections by Storm-0494 before deploying tools such as the Supper backdoor, AnyDesk remote monitoring, and the MEGA data synchronization tool. In another instance, Vice Society gained initial access to victims previously infected with the Gootloader backdoor-loader, leveraging weaknesses in the healthcare sector. Despite efforts to curb its spread, Gootloader remains active and efficient. Its modus operandi includes looking for wscript.exe making external connections upon executing a JavaScript file, which could indicate GootLoader activity. One notable campaign targeted users searching "Are Bengal cats legal in Australia?" among other queries, demonstrating the malware's broad reach and adaptability. With ongoing threats like Gootloader, vigilance and adherence to cybersecurity best practices remain crucial.

Description last updated: 2024-11-21T10:27:37.990Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Ransomware

Exploit

Backdoor

Payload

Loader

Tool

Wordpress

Loader Malware

Windows

Bot

Lateral Move...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Cobaltstrike Malware is associated with Gootloader. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunct	Unspecified	3
The REvil Malware is associated with Gootloader. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Vanilla Tempest Threat Actor is associated with Gootloader. Vanilla Tempest, also known as Vice Society or DEV-0832, is a significant threat actor that has been increasingly active in the cybercrime landscape since 2022. This group primarily targets U.S. healthcare organizations and educational institutions, employing a variety of ransomware strains to execu	Unspecified	2

Source Document References

Information about the Gootloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	9 hours ago	Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
DARKReading	10 days ago	GootLoader Cyberattackers Target Bengal Cat Fans in Oz
BankInfoSecurity	2 months ago	'Vanilla Tempest' Now Using INC Ransomware in Health Sector
Securityaffairs	2 months ago	The Vanilla Tempest cybercrime gang used INC ransomware for the first time in attacks on the healthcare sector
DARKReading	2 months ago	Vice Society Uses Inc Ransomware in Healthcare Attack
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
CERT-EU	a year ago	Q2 2023 Ransomware Report: Victim Count Hits New Heights - ReliaQuest
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	4 months ago	Security Affairs newsletter Round 479 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	4 months ago	GootLoader is still active and efficient
Unit42	5 months ago	Dissecting GootLoader With Node.js
Malware-traffic-analysis.net	a year ago	Malware-Traffic-Analysis.net - 2023-12-29 - GootLoader infection
CERT-EU	a year ago	How to protect your organization against SEO poisoning and malvertising
CERT-EU	a year ago	New Gootloader Malware Abuses RDP to Spread Rapidly
CERT-EU	a year ago	IBM: New Gootloader Variant Moves Laterally and Is Harder to Detect
InfoSecurity-magazine	a year ago	GootBot Implant Heightens Risk of Post-Infection Ransomware