
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike

Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent attack reveal updates in its tactics.

Gootkit is a family of malware that has been around since early 2017 and continues to be used by actors across the globe as an advanced persistent threat (APT). In particular, this group has focused on commercial entities, universities, defense contractors and journalists. These types of organizations have also been targeted in the past by other APTs such as Petya and NotPetya.

In most cases, the malware used by this group was delivered through phishing emails containing malicious Office documents.

Once deployed, Gootkit can use built-in commands to download and execute multiple programs, depending on the requirements of the target.

Recently, a new attack was discovered in which Gootkit delivered Cobalt Strike and other malicious files. The attackers also used a new command and control (C2) infrastructure as well as an updated version of Gootkit that uses fileless techniques.

The group’s main C2 domain was registered with the email “” and uses a dedicated IP address registered with the name “Peter Bennett” to host its malicious files. Also of note, the attackers are using new and more complex command structures such as “hxxp://” when communicating with their malware and their infrastructure.

Source: Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike - AlienVault - Open Threat Exchange
