Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Gootloader

Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)

ID: S1138

Type: MALWARE

Platforms: Windows

Created: 28 May 2024

Last Modified: 19 Jun 2024

Domain	ID		Name	Use
Techniques Used
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Gootloader can create an autorun entry for a PowerShell script to run at reboot.(Citation: Sophos Gootloader)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)
		.007	Command and Scripting Interpreter: JavaScript	Gootloader can execute a Javascript file for initial infection.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)
Enterprise	T1584	.001	Compromise Infrastructure: Domains	Gootloader has used compromised legitimate domains to as a delivery network for malicious payloads.(Citation: SentinelOne Gootloader June 2021)
		.006	Compromise Infrastructure: Web Services	Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS).(Citation: SentinelOne Gootloader June 2021)
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Gootloader can retrieve a Base64 encoded stager from C2.(Citation: SentinelOne Gootloader June 2021)
Enterprise	T1069	.002	Permission Groups Discovery: Domain Groups	Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.(Citation: SentinelOne Gootloader June 2021)
Enterprise	T1055	.002	Process Injection: Portable Executable Injection	Gootloader can use its own PE loader to execute payloads in memory.(Citation: Sophos Gootloader)
		.012	Process Injection: Process Hollowing	Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)
Enterprise	T1614	.001	System Location Discovery: System Language Discovery	Gootloader can determine if a victim's computer is running an operating system with specific language preferences.(Citation: Sophos Gootloader)
Enterprise	T1204	.001	User Execution: Malicious Link	Gootloader has been executed through malicious links presented to users as internet search results.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)
Enterprise	T1497	.003	Virtualization/Sandbox Evasion: Time Based Evasion	Gootloader can designate a sleep period of more than 22 seconds between stages of infection.(Citation: Sophos Gootloader)

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Gootloader

Techniques Used

References