
Goopy

Goopy is a Windows backdoor and Trojan used by APT32 that shares several similarities with another backdoor used by the group, Denis. Goopy is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)
ID: S0477
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 19 Jun 2020
Last Modified: 11 Jul 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Goopy has the ability to communicate with its C2 over HTTP.(Citation: Cybereason Cobalt Kitty 2017)

.003 Application Layer Protocol: Mail Protocols

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)

.004 Application Layer Protocol: DNS

Goopy has the ability to communicate with its C2 over DNS.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)

.005 Command and Scripting Interpreter: Visual Basic

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Goopy has the ability to modify Microsoft Outlook's security settings so that macro warnings are not displayed.(Citation: Cybereason Cobalt Kitty 2017)
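As an added detection example (not part of the ATT&CK entry or the Cybereason report): a Python check that parses a registry export and flags the Outlook settings a macro backdoor needs in order to run without prompting. The key paths assume Office 16.0 (Outlook 2016/365) and the value names are the ones publicly documented for Outlook macro persistence; verify them against your Office build. The .reg text is constructed for the example.

```python
import re

# Constructed .reg export (not captured from a real host). The two settings shown
# are what an Outlook macro backdoor relies on: Level=1 runs all macros without a
# warning, LoadMacroProviderOnBoot=1 loads VbaProject.OTM when Outlook starts.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook]
"LoadMacroProviderOnBoot"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {(key_path, value_name): value}.

    Handles dword and string values only, which is all this check needs.
    """
    entries = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and current_key is not None:
            name, data = m.groups()
            value = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
            entries[(current_key, name)] = value
    return entries


# Outlook macro security levels (value "Level" under ...\Outlook\Security):
# 1 = enable all macros, no warning; 2 = notify for signed macros (default);
# 3 = notify for all macros; 4 = disable all macros.
def assess_outlook_macro_security(entries):
    """Return findings for settings that let Outlook macros run silently.

    Matching on the key suffix also covers the policy hive
    (HKCU\\Software\\Policies\\Microsoft\\Office\\<ver>\\Outlook\\Security).
    """
    findings = []
    for (key, name), value in entries.items():
        k = key.lower()
        if k.endswith("\\outlook\\security") and name.lower() == "level" and value == 1:
            findings.append(f"{key}\\{name}=1: all macros run without a warning")
        if k.endswith("\\outlook") and name.lower() == "loadmacroprovideronboot" and value == 1:
            findings.append(f"{key}\\{name}=1: VbaProject.OTM macros load at Outlook start")
    return findings


if __name__ == "__main__":
    for finding in assess_outlook_macro_security(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same logic applies to `reg export HKCU\Software\Microsoft\Office /y outlook.reg` output; the policy hive, if present, overrides the user hive, so both should be collected.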

Enterprise T1070 .008 Indicator Removal: Clear Mailbox Data

Goopy has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)
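An added hunting example for the two mail-channel behaviours above (T1071.003 and T1070.008), written for this page rather than taken from the ATT&CK entry or the Cybereason report. Because the macro runs inside Outlook itself, the client string in mailbox audit records looks like an ordinary Outlook session, so the signal is an item that is read and hard-deleted seconds later, recurring at a steady interval. The records are constructed and use simplified field names (`ItemId` in particular is an assumption, not the exact Exchange mailbox-audit schema).

```python
import json
from datetime import datetime

# Constructed records loosely modelled on Exchange mailbox-audit entries.
# Not a real export; "ItemId" is a simplification of the real schema.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2017-05-02T09:00:04","Operation":"MailItemsAccessed","MailboxOwnerUPN":"user@corp.example","ClientInfoString":"Client=Outlook;MAPI","ItemId":"AAMk1"}
{"CreationTime":"2017-05-02T09:00:06","Operation":"HardDelete","MailboxOwnerUPN":"user@corp.example","ClientInfoString":"Client=Outlook;MAPI","ItemId":"AAMk1"}
{"CreationTime":"2017-05-02T09:42:10","Operation":"MailItemsAccessed","MailboxOwnerUPN":"user@corp.example","ClientInfoString":"Client=OWA","ItemId":"AAMk2"}
{"CreationTime":"2017-05-02T10:00:03","Operation":"MailItemsAccessed","MailboxOwnerUPN":"user@corp.example","ClientInfoString":"Client=Outlook;MAPI","ItemId":"AAMk3"}
{"CreationTime":"2017-05-02T10:00:05","Operation":"HardDelete","MailboxOwnerUPN":"user@corp.example","ClientInfoString":"Client=Outlook;MAPI","ItemId":"AAMk3"}
{"CreationTime":"2017-05-02T13:15:00","Operation":"HardDelete","MailboxOwnerUPN":"user@corp.example","ClientInfoString":"Client=OWA","ItemId":"AAMk2"}
"""


def load_records(text):
    """Parse one JSON record per line and return them sorted by time."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(recs, key=lambda r: r["_ts"])


def find_read_then_delete(records, window_seconds=30):
    """Hard deletes that follow a read of the same item within window_seconds.

    A user deleting mail by hand rarely does it within seconds of opening it
    and never does so for every message from one sender; a C2 macro does both.
    """
    last_read = {}
    hits = []
    for r in records:
        key = (r["MailboxOwnerUPN"], r["ItemId"])
        if r["Operation"] == "MailItemsAccessed":
            last_read[key] = r["_ts"]
        elif r["Operation"] == "HardDelete" and key in last_read:
            gap = (r["_ts"] - last_read[key]).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append({"item": r["ItemId"], "deleted_at": r["_ts"],
                             "seconds_after_read": gap,
                             "client": r["ClientInfoString"]})
    return hits


def has_steady_cadence(hits, period_seconds=3600, tolerance_seconds=120):
    """True when consecutive hits are spaced roughly period_seconds apart.

    A fixed cadence (here one hour, matching an hourly scheduled task) is the
    beaconing pattern; the tolerance absorbs polling jitter.
    """
    times = sorted(h["deleted_at"] for h in hits)
    if len(times) < 2:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return all(abs(g - period_seconds) <= tolerance_seconds for g in gaps)


if __name__ == "__main__":
    found = find_read_then_delete(load_records(SAMPLE_AUDIT_LOG))
    for h in found:
        print(h["item"], h["deleted_at"], f"{h['seconds_after_read']:.0f}s after read", h["client"])
    print("hourly cadence:", has_steady_cadence(found))
```

Mailbox audit logging has to be enabled for the mailbox beforehand, and `MailItemsAccessed` is only recorded on licences that include it; without it, fall back on `HardDelete` events alone and look for the cadence.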

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Goopy's malicious DLL payload has been padded with null characters.(Citation: Cybereason Cobalt Kitty 2017)
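An added example covering the three file-level behaviours above together (T1574.002, T1036.005 and T1027.001); it is written for this page and is not code from ATT&CK or the Cybereason report. Given a file inventory, it pairs a `GoogleUpdate.exe` found outside its install directory with co-located DLLs whose signer differs from the executable's, then measures null padding in the DLL bytes. The install directories, the publisher string, the padding threshold and the inventory itself are assumptions; the DLL bytes are synthetic.

```python
import ntpath

# Assumed install locations for the legitimate updater; anything else is suspect.
EXPECTED_INSTALL_DIRS = (
    "C:\\Program Files\\Google\\Update",
    "C:\\Program Files (x86)\\Google\\Update",
)

# Synthetic "DLL": a small header-like prefix followed by 64 KiB of nulls,
# imitating a payload padded to inflate its size. Not a real PE file.
FAKE_PADDED_DLL = b"MZ" + bytes(range(256)) * 8 + b"\x00" * 65536

# Constructed inventory (path, Authenticode signer or None, file bytes).
SAMPLE_INVENTORY = [
    {"path": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", "signer": "Google LLC", "data": b""},
    {"path": "C:\\Program Files (x86)\\Google\\Update\\goopdate.dll", "signer": "Google LLC", "data": b""},
    {"path": "C:\\Users\\victim\\AppData\\Roaming\\Google\\GoogleUpdate.exe", "signer": "Google LLC", "data": b""},
    {"path": "C:\\Users\\victim\\AppData\\Roaming\\Google\\goopdate.dll", "signer": None, "data": FAKE_PADDED_DLL},
]


def is_under(path, roots):
    """Case-insensitive check that path lies inside one of roots."""
    p = ntpath.normcase(path)
    return any(p.startswith(ntpath.normcase(r) + "\\") for r in roots)


def sideload_candidates(inventory, exe_name="googleupdate.exe"):
    """Pair each copy of the updater with co-located DLLs not signed by its publisher.

    A legitimate side-by-side DLL carries the same signer as the executable;
    a signer mismatch next to a signed loader is the side-loading pattern.
    """
    hits = []
    for exe in inventory:
        if ntpath.basename(exe["path"]).lower() != exe_name:
            continue
        exe_dir = ntpath.normcase(ntpath.dirname(exe["path"]))
        for f in inventory:
            if f is exe or ntpath.normcase(ntpath.dirname(f["path"])) != exe_dir:
                continue
            if f["path"].lower().endswith(".dll") and f["signer"] != exe["signer"]:
                hits.append({
                    "exe": exe["path"],
                    "dll": f["path"],
                    "dll_signer": f["signer"],
                    "outside_install_dir": not is_under(exe["path"], EXPECTED_INSTALL_DIRS),
                })
    return hits


def null_padding_stats(data, min_trailing=4096, min_fraction=0.5):
    """Trailing-null run length and overall null fraction for a file image.

    Thresholds are assumptions: flag when a long run of nulls ends the file and
    nulls make up most of its bytes, which legitimate PE files rarely show.
    """
    trailing = len(data) - len(data.rstrip(b"\x00"))
    fraction = data.count(0) / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_nulls": trailing,
        "null_fraction": round(fraction, 3),
        "padded": trailing >= min_trailing and fraction > min_fraction,
    }


if __name__ == "__main__":
    for hit in sideload_candidates(SAMPLE_INVENTORY):
        dll = next(f for f in SAMPLE_INVENTORY if f["path"] == hit["dll"])
        print(hit, null_padding_stats(dll["data"]))
```

Signer information would come from an Authenticode check (for example `Get-AuthenticodeSignature` in PowerShell, or `sigcheck`) rather than the inventory dictionary used here; the copy under `Program Files` produces no hit because its DLL shares the publisher.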

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.(Citation: Cybereason Cobalt Kitty 2017)
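An added example for the hourly scheduled task (written for this page, not from ATT&CK or the Cybereason report): parse a Task Scheduler XML definition, extract the shortest repetition interval and the action command, and flag tasks that fire at least hourly from a path outside the system and program directories. The task XML is constructed and the trusted-root list is an assumption.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition in Task Scheduler XML (not a real export).
# Real exports are UTF-16 and carry an XML declaration; read those as bytes.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Keeps your Google software up to date.</Description>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2017-04-01T08:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\Google\GoogleUpdate.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Directories a benign updater task would normally run from (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

_DUR_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert the ISO 8601 duration used in <Interval> (e.g. PT1H) to seconds."""
    m = _DUR_RE.match((text or "").strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyse_task(xml_text, max_interval_seconds=3600):
    """Summarise a task's repetition cadence and commands, flagging a beacon-like task."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    commands = [(e.text or "").strip()
                for e in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    shortest = min((i for i in intervals if i), default=None)
    untrusted = [c for c in commands if not c.lower().startswith(TRUSTED_ROOTS)]
    return {
        "shortest_interval_s": shortest,
        "commands": commands,
        "untrusted_commands": untrusted,
        "suspicious": shortest is not None and shortest <= max_interval_seconds and bool(untrusted),
    }


if __name__ == "__main__":
    print(analyse_task(SAMPLE_TASK_XML))
```

Task definitions live under `C:\Windows\System32\Tasks` and can also be exported with `schtasks /query /xml`; running this over every file there surfaces periodic tasks whose command sits in a user profile, which the real Google updater never does.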

Groups That Use This Software

ID Name References
G0050 APT32 (Citation: Cybereason Cobalt Kitty 2017)
