Gootloader

Malware updated 23 days ago (2024-11-29T14:33:03.464Z)
Gootloader is a JavaScript-based loader used to gain an initial foothold on Windows hosts, most often as the stage before a ransomware deployment and in some cases to drop infostealers. It is best known for Search Engine Optimization (SEO) poisoning: compromised websites, frequently WordPress sites, are seeded with pages that rank for niche search queries, and a victim who lands on one is tricked into downloading what looks like the document they searched for but is in fact a script that runs under the Windows Script Host. Sophos X-Ops MDR reported a surge in this initial-compromise technique over the past year. Protection blocks exist for known samples, but users are still advised to follow best practices and treat unexpected downloads and links with suspicion.

Gootloader infections are handed off to several threat actors. Microsoft Threat Intelligence reported on September 18 that Vanilla Tempest (also tracked as Vice Society) receives handoffs from Gootloader infections operated by Storm-0494 and then deploys tools such as the Supper backdoor, the AnyDesk remote monitoring tool, and the MEGA data synchronization tool. In an earlier instance, Vice Society gained initial access to healthcare-sector victims that had previously been infected with the Gootloader backdoor-loader.

Despite efforts to curb its spread, Gootloader remains active and effective. One useful detection heuristic follows from its first stage: because the downloaded JavaScript file is executed by wscript.exe, a wscript.exe process that makes outbound connections to external hosts shortly after launching a .js file is a strong indicator of Gootloader activity. One notable campaign targeted users searching "Are Bengal cats legal in Australia?" among other queries, showing how arbitrary the poisoned queries can be. With threats like Gootloader ongoing, vigilance and adherence to cybersecurity best practices remain crucial.
Description last updated: 2024-11-21T10:27:37.990Z
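The wscript.exe heuristic described above, as an added worked example that is not code from the original page or from any vendor it cites. It correlates process-creation and network-connection events for the same script-host process and raises an alert only when a .js file was launched and an external connection followed within a short window. The event records below are constructed, simplified stand-ins for Sysmon Event ID 1 and Event ID 3 data; the field names and the five-minute window are assumptions, not a real schema or a vendor rule.

```python
"""Flag wscript.exe/cscript.exe processes that launch a .js file and then
connect to an external host shortly afterwards (Gootloader-style behaviour).

Added example; the event format is a constructed simplification of Sysmon
process-create (ID 1) and network-connect (ID 3) records, not a real schema.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = [
    # Suspicious: .js from Downloads, then an outbound connection 3 s later.
    {"ts": "2024-11-01T09:12:01Z", "event": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\agreement_form_12345.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-11-01T09:12:04Z", "event": "network_connect", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "203.0.113.45", "dest_port": 443},
    # Benign: a logon script (not .js) that only talks to a LAN file server.
    {"ts": "2024-11-01T09:15:00Z", "event": "process_create", "pid": 5001,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"ts": "2024-11-01T09:15:01Z", "event": "network_connect", "pid": 5001,
     "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "10.0.0.12", "dest_port": 445},
    # Benign: a .js file that never makes a network connection.
    {"ts": "2024-11-01T09:20:00Z", "event": "process_create", "pid": 6100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\tools\cleanup.js",
     "parent": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
WINDOW = timedelta(minutes=5)  # assumption: tune to your environment

# RFC 1918, loopback and link-local are treated as internal; anything else
# counts as external for this sketch. Adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _is_script_host(image):
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def _runs_js(cmdline):
    # Crude token check: does any argument name a .js/.jse file?
    # Paths containing spaces would need a real argv parser.
    return any(tok.lower().rstrip('"').endswith((".js", ".jse"))
               for tok in cmdline.split())


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_gootloader_like(events):
    """Return one alert per script-host process that launched a .js file and
    then connected to an external IP within WINDOW of process creation."""
    starts = {}   # pid -> (creation time, command line) for .js launches
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not _is_script_host(ev["image"]):
            continue
        t = _parse_ts(ev["ts"])
        if ev["event"] == "process_create":
            if _runs_js(ev["cmdline"]):
                starts[ev["pid"]] = (t, ev["cmdline"])
        elif ev["event"] == "network_connect" and ev["pid"] in starts:
            start, cmdline = starts[ev["pid"]]
            if t - start <= WINDOW and _is_external(ev["dest_ip"]):
                alerts.append({
                    "pid": ev["pid"],
                    "script": cmdline,
                    "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                    "seconds_after_start": int((t - start).total_seconds()),
                })
                del starts[ev["pid"]]  # one alert per process
    return alerts


if __name__ == "__main__":
    for alert in find_gootloader_like(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the sample events, only the first process (pid 4120) is reported: the .vbs logon script talks to an RFC 1918 host, and the second .js launch never connects anywhere. In production the same correlation belongs in the SIEM (a Sysmon ID 1 to ID 3 join keyed on ProcessGuid), and the parent-process field is worth adding as a second signal, since Gootloader's script is typically launched from explorer.exe by a user opening a downloaded archive rather than from a logon or management process.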
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Malware, Ransomware, Exploit, Backdoor, Payload, Loader, Tool, Wordpress, Loader Malware, Windows, Bot, Lateral Move...
Associated Malware

CobaltStrike (association type: unspecified; votes: 3). Cobalt Strike is a commercial adversary-simulation and command-and-control framework whose cracked copies are widely abused by criminal groups as a post-exploitation implant: once a beacon is running it gives the operator remote command execution, lateral movement and data staging on the compromised host. In Gootloader intrusions it has been observed as a follow-on payload delivered after the initial loader. CobaltStrike has been observed in conjunct...

REvil (association type: unspecified; votes: 2). REvil, also known as Sodinokibi, is ransomware operated on a Ransomware-as-a-Service (RaaS) model. That model became increasingly popular in 2020, when first-stage malware such as Dridex and Gootkit was linked to ransomware attacks by BitPaymer and REvil respectively. Th...
Associated Threat Actors

Vanilla Tempest (association type: unspecified; votes: 2). Vanilla Tempest, also known as Vice Society or DEV-0832, is a significant threat actor that has been increasingly active in the cybercrime landscape since 2022. The group primarily targets U.S. healthcare organizations and educational institutions, employing a variety of ransomware strains to execu...
Source Document References

Information about the Gootloader malware was read from the documents below (source, created):
Unit42 (a month ago); DARKReading (a month ago); BankInfoSecurity (3 months ago); Securityaffairs (3 months ago); DARKReading (3 months ago); Securityaffairs (4 months ago); Securityaffairs (5 months ago); CERT-EU (a year ago); Securityaffairs (5 months ago); Securityaffairs (5 months ago); Securityaffairs (5 months ago); Securityaffairs (5 months ago); Securityaffairs (5 months ago); Securityaffairs (6 months ago); Unit42 (6 months ago); Malware-traffic-analysis.net (a year ago); CERT-EU (a year ago); CERT-EU (a year ago); CERT-EU (a year ago); InfoSecurity-magazine (a year ago).