Free Phone Consultation For New Clients | CONTACT NOW

Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity

Researchers uncovered Gootloader malware using a new infection technique, which helped further insights into the threat actor(s) tools and next infection phase. Gootloader’s initial JavaScript payload was delivered using the same technique via a compromised WordPress website.

"The malware was linked to the Gootkit and Cobalt Strike frameworks,” writes Georgia Weidman and Chirag Bakshi of CrowdStrike in a report. “Gootloader had previously been identified as an espionage trojan in the wild, targeting organizations in South Korea. We observed the change in infection vector deliver a Cobalt Strike payload to affected hosts as well."

"We found that it also delivered one or more additional payloads that provided complete control over an infected host," they continue. "We also found that Gootloader is designed to allow it to download and execute processes on a compromised host, thus potentially increasing its ability to exfiltrate data. We found that it was able to perform a full scan of the malware-infected network via DNS lookup, with the ability to block other network traffic. Gootloader also appeared to be capable of performing a custom HTTP request in which geolocated commands were passed."

"Gootloader has been observed attacking at least two government organizations in South Korea and targeting users from at least two different countries," they add.

Source: Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity - AlienVault - Open Threat Exchange

Need secure managed IT for your business?