#gootloader — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #gootloader, aggregated by home.social.
-
Gootloader, a JavaScript-based malware loader, is back with new "tricks", reports https://gootloader.wordpress.com/2025/11/05/gootloader-is-back-back-again/
Gootloader is reportedly distributed via compromised or attacker-controlled websites and lures users into downloading malware-infected documents, often carrying ransomware. The websites are promoted in search engines either through ads or through search engine optimisation (SEO poisoning), so that they rank higher in the results for certain keywords such as "legal documents" and "contracts".
So: be careful with websites that offer legal documents for download. #infosec #infosecnews #gootloader #malware #Ransomware #BeDiS
-
Gootloader is back with a vengeance—this time featuring the stealthy GootBot that spreads through networks and ups its SEO poisoning game. With targets from legal to healthcare, are we ready for its next-gen tactics?
#gootloader
#malwaretrends
#cybersecurity2024
#threatintelligence
#infosec
#gootbot
#seoattacks
#healthcaresecurity
#ransomware -
Gootloader’s back—and it’s smarter. The new GootBot variant is evading defenses and targeting industries like healthcare. Are we ready for what’s next?
#gootloader
#malwaretrends
#cybersecurity2024
#threatintelligence
#infosec
#gootbot
#seoattacks
#healthcaresecurity
#ransomware -
Gootloader Malware Resurfaces in Google Ads for Legal Docs – Source: www.darkreading.com https://ciso2ciso.com/gootloader-malware-resurfaces-in-google-ads-for-legal-docs-source-www-darkreading-com/ #rssfeedpostgeneratorecho #DarkReadingSecurity #CyberSecurityNews #DARKReading #Gootloader
-
Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
#GootLoader
https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/ -
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/
#InterisleConsultingGroup #Ne'er-Do-WellNews #ALittleSunshine #TheComingStorm #KasperskyLab #ProsperoOOO #ZachEdwards #Ransomware #GootLoader #Securehost #SilentPush #SocGholish #Intrinsec #AlfaBank #BEARHOST #spamhaus #Kentik
-
Gootloader inside out – Source: news.sophos.com https://ciso2ciso.com/gootloader-inside-out-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #ThreatResearch #nakedsecurity #nakedsecurity #maliciousSEO #Obfuscation #obfuscation #Gootloader #HelloDolly #WordPress #Wordpress #FEATURED #PHPshell #featured #Gootkit #JScript #Malware #YARA #PHP #seo #SEO
-
I've been waiting for this writeup for a long time. Great dive on #Gootloader: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
Of particular note is the 24-hour timeout for any IP that receives a Gootloader download prompt, frustrating research attempts. But the whole research process here is excellent.
-
We don't want to tell the entire story here, but the bottom line is this: #Gootloader is and remains one of the most convoluted #malware attack methods we've seen. Its social engineering ruse and the way it shapes itself to your desires still convince people to click its bad links.
Gootloader has been playing the long game, and winning, below most people's radar, for years. It shows no sign of slowing down or changing its methods. After all, it's a working formula.
/end
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
-
CW: re: Long thread
When a site visitor follows one of the maliciously SEOed search terms (only on the first visit), the WordPress page redraws the #Gootloader content over the WordPress stuff that should appear there.
It retrieves the redrawn content by connecting to what we've called "the mothership" - a server hosted elsewhere that, in moments, delivers a bogus webpage with a dynamically-generated fictional Q&A.
It is a very convincing social engineering trick.
7/
-
CW: re: Long thread
It also turns out that #Gootloader's operators have injected remote shells into a very common WordPress page that exists in most self-hosted WordPress installations. The HelloDolly.php file serves no purpose other than to insert random quotes from the eponymous song into backend admin pages.
It exists as a prototype of the ways WordPress can insert dynamically-generated content into a page, but it has been modified on some of the #Gootloader sites to contain a backdoor that gives them a backup method to execute commands on the server hosting the WordPress instance.
6/
-
CW: re: Long thread
This research uncovered the fact that #Gootloader's operators dynamically add those IP address ranges to a block list stored inside the WordPress database, itself.
5/
-
CW: re: Long thread
One way the #Gootloader operators conceal themselves in plain sight from the website's owner is by carefully controlling exactly how victims end up in their trap.
You can't get there by visiting the site URL; the request must contain a Referer header that shows you clicked a Google result.
And even if you stumble into their trap, if you try to do it a second time, #Gootloader will lock out not just your IP address, but the entire IP address range where you connect from, just for good measure.
4/
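The gating this part of the thread describes (a Google Referer is required, the lure is served to a network only once, and the whole source range is locked out afterwards, with the 24-hour timeout mentioned earlier on this page), modelled as an added example. This is not Gootloader's own code, which is PHP injected into compromised WordPress sites and keeps its block list in the WordPress database; the model reproduces the observable rules so the lockout can be reasoned about in a lab. Assumptions not taken from the page: the Referer is matched on the Google hostname prefix only, the ban is keyed on the /24 of the source address (the thread only says "IP address range"), and a banned entry expires after exactly 24 hours.

```python
"""Model of the cloaking gate described in the thread: an added illustration,
not Gootloader's PHP.  Assumptions: Referer matched on Google hostname prefix,
ban keyed on the source /24, entries expire after 24 hours.
"""
import ipaddress
import time
from typing import Dict, List, Optional

GOOGLE_REFERER_PREFIXES = ("https://www.google.", "https://google.")  # assumed
LOCKOUT_SECONDS = 24 * 60 * 60  # the 24-hour timeout noted in the Sophos write-up


def source_network(ip: str) -> str:
    """Collapse a visitor address to its /24, the granularity the gate bans at (assumed)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class CloakingGate:
    """Decides whether a request gets the real WordPress page or the lure.

    In the real thing the block list lives in the WordPress database; here it is
    a dict of network -> timestamp of the first lure served to that network.
    """

    def __init__(self) -> None:
        self.first_seen: Dict[str, float] = {}

    def decide(self, src_ip: str, referer: Optional[str], now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Direct visits, crawlers and the site owner never see the lure.
        if not referer or not referer.startswith(GOOGLE_REFERER_PREFIXES):
            return "benign"
        net = source_network(src_ip)
        first = self.first_seen.get(net)
        if first is not None and now - first < LOCKOUT_SECONDS:
            # Every host in the same /24 is locked out for the rest of the window.
            return "benign"
        self.first_seen[net] = now
        return "lure"

    def lockout_remaining(self, src_ip: str, now: Optional[float] = None) -> float:
        """Seconds until the visitor's /24 may receive the lure again (0 if not banned)."""
        now = time.time() if now is None else now
        first = self.first_seen.get(source_network(src_ip))
        if first is None:
            return 0.0
        return max(0.0, LOCKOUT_SECONDS - (now - first))


def research_session(gate: CloakingGate, ip: str, start: float) -> List[str]:
    """What an analyst sees retrying from one network: the lure once, then the
    clean page, then the lure again only after the window has passed."""
    ref = "https://www.google.com/"
    return [
        gate.decide(ip, ref, start),
        gate.decide(ip, ref, start + 60),
        gate.decide(ip, ref, start + LOCKOUT_SECONDS + 1),
    ]
```

The practical consequence for analysis follows directly from the model: a second fetch from a colleague's machine in the same office range is already too late, so each reproduction needs a source address in a network the gate has not seen, plus the Google Referer, or the sample is gone for a day.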
-
CW: re: Long thread
Nobody knows exactly how the #Gootloader operators are finding and taking control over personal and business websites that use WordPress, but it's likely due to an earlier compromise of the site's administrator credentials, through #malware or #phishing. Stolen credentials for WordPress sites are a dime a dozen on the criminal underground.
The insidious nature of Gootloader means even the site's owners, who still have working admin passwords, cannot readily determine that the site is being misused for evil.
3/
-
Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.
Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO techniques to promote compromised websites into Google search results.
This research finally cracks wide open the mystery of how they manage to do that so effectively. It's a long read, but well worth the deep dive.
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
1/
-
New GootLoader Campaign Targets Users Searching for Bengal Cat Laws in Australia – Source:thehackernews.com https://ciso2ciso.com/new-gootloader-campaign-targets-users-searching-for-bengal-cat-laws-in-australia-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #Gootloader
-
Are You Googling This? You Could Be Walking Into a Cyber Trap https://thecyberexpress.com/seo-poisoning-australia/ #AreBengalCatslegalinAustralia #SEOPoisoningAttacks #TheCyberExpressNews #TheCyberExpress #FirewallDaily #MarketReports #GoogleSearch #SEOpoisoning #MalwareNews #HackerNews #GootLoader #CyberNews #Australia #Sophos
-
"Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector"👀
⬇️
"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip. But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX."
👇
https://gootloader.wordpress.com/2024/11/07/gootloaders-pivot-from-seo-poisoning-pdf-converters-become-the-new-infection-vector/ -
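The swap described in the post above (a .JS file inside the .zip where the converter promised a .DOCX) is cheap to catch before the archive reaches a user. The following is an added example, not code from the post or from Gootloader: it opens a returned archive and flags members that are executable script types, script files hiding behind a document double extension, or files whose document extension does not match their file header. The sample archives are constructed in memory.

```python
"""Archive check for the .docx -> .js swap: an added example, not the post's
or Gootloader's code.  Sample archives below are constructed.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Windows Script Host and other directly executable script/shortcut types.
SCRIPT_EXTS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "lnk", "cmd", "bat", "ps1"}
# Document types a user expects back, with the file magic each must start with.
DOC_MAGIC = {
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "pdf": b"%PDF", "doc": b"\xd0\xcf\x11\xe0", "rtf": b"{\\rtf",
}


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a finding for one archive member, or None if it looks like a document."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in SCRIPT_EXTS:
        if len(parts) >= 3 and parts[-2] in DOC_MAGIC:
            return f"script disguised with a document double extension: {name}"
        return f"executable script instead of a document: {name}"
    magic = DOC_MAGIC.get(ext)
    if magic is not None and not head.startswith(magic):
        return f"document extension but wrong file header: {name}"
    return None


def inspect_zip(data: bytes) -> List[str]:
    """One finding per suspicious member; an empty list means nothing was flagged."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header is needed for the magic check
            finding = classify_member(info.filename, head)
            if finding:
                findings.append(finding)
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a genuine conversion result and three variants of the swap.
GENUINE = build_zip({"contract (converted).docx": b"PK\x03\x04" + b"\x00" * 64})
SWAPPED_JS = build_zip({"contract (converted).js": b"var a = 1; // stage 1"})
DOUBLE_EXT = build_zip({"contract (converted).docx.js": b"var a = 1;"})
FAKE_DOCX = build_zip({"contract (converted).docx": b"var a = 1; // not a docx"})
```

The header check matters because the extension alone is under the attacker's control; a .docx is itself a ZIP container and must begin with PK, so a member carrying that extension with a script body is as suspicious as an outright .js.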
CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.
#Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect
-
GootLoader Malware Evades Detection Through Complicated Loops and Time-Based Delays https://thecyberexpress.com/gootloader-malware-evades-time-based-delays/ #TheCyberExpressNews #GootLoaderMalware #PaltoAltoNetworks #TheCyberExpress #FirewallDaily #GootLoader
-
SEO Poisoning to Domain Control: The Gootloader Saga Continues
In February 2023, a user downloaded and executed a file from a SEO-poisoned search result, leading to a Gootloader infection. Around nine hours later, Gootloader facilitated Cobalt Strike deployment into the registry and memory. The threat actor used SystemBC to tunnel RDP access, compromising domain controllers, backup servers, and other key servers. The threat actor interactively reviewed sensitive files via RDP, but no data exfiltration was confirmed.
Pulse ID: 65dc5f0cd3b2b09478de2ba2
Pulse Link: https://otx.alienvault.com/pulse/65dc5f0cd3b2b09478de2ba2
Pulse Author: AlienVault
Created: 2024-02-26 09:51:08
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #RDP #RAT #CobaltStrike #SeoPoisoning #GootLoader #DomainController #Troll #AlienVault
-
Cyber Security Updates
Malware Loaders Responsible for 80% of Security Incidents
Dealing with malware loaders poses intricate challenges for SOC teams. A recent exploration by ReliaQuest has unveiled a multitude of disruptive loader instances. Notably, the trio comprised of “QakBot” (also recognized as QBot, QuackBot, Pinkslipbot), “SocGholish,” and “Raspberry Robin” emerged as the predominant culprits.
#QakBot #Gootloader #Guloader #Ursnif #Chromeloader #ACCESSYSTEM
-
Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: https://app.tidalcyber.com/share/43836024-a194-4ac7-9659-b51e88632e7f
The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats
The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)
An interactive link analysis visualization of connections among these threats, also derived from public reports, is also available here: https://onodo.org/visualizations/235067/
Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats
Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a) and Major & Emerging Infostealers matrix (https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3), which each cover 20+ threats
Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: https://hubs.la/Q01NC23k0
#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber
-
The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting https://app.tidalcyber.com/share/4b901fc2-d021-4eff-bd53-0c9fa0259ecf
SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns
SocGholish appears on multiple security and #CTI vendors' top priority threat lists. Active since 2017, SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology involves a wide range of industries
Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (https://app.tidalcyber.com/share/aef0f0c6-5212-4abf-9a24-3c81f518c59f), into one view to compare & contrast initial access techniques (https://app.tidalcyber.com/share/adb9581e-3318-4bc7-8d23-145891bf1ca4). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (https://app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here
-
Struggling to differentiate & prioritize among the large set of opportunistic and “indiscriminate” threats in the landscape? Our new blog aims to help
Threat profiling generally focuses on identifying & prioritizing (rank-ordering) threats motivated to harm your organization. These include threats with clear targeting intent relative to your org or your industry, often a smaller set that is more straightforward to surface. Then comes the large pool of threats that seem to impact most sectors, maybe in some cases your vertical specifically or others trending in threat intel generally, regardless of explicit links to your industry yet
With the high volume of recent activity from threats like #ransomware, #infostealers, & loader/initial access malware like #QakBot, #Gootloader, and many others, I’m seeing more awareness that these often broad-based threats should be on many security teams’ radars. But how do you keep from being overwhelmed by what often feels like an endlessly growing list of new threats?
@tidalcyber's latest blog (https://www.tidalcyber.com/blog/ransomware-threat-profiling-prioritizing-indiscriminate-threats) offers several strategies for helping make more sense out of this subset of threats, using major ransomware-as-a-service operations as a representative case study. Our guidance involves (where possible) leaning on metrics to rank-order groups linked to your industry, using technical sources to identify potential spikes in activity and quantifiably justify increased priority levels, and focusing defenses on discrete TTPs that might be common across the wide pool of these threats (summarized for major #RaaS in the attached table, with data sourced from the Ransomware & Data Extortion mega-matrix available in Tidal’s free Community Edition here: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a)
These tips are often just a starting point – for more upcoming threat profiling guidance, subscribe to the Tidal blog here https://www.tidalcyber.com/blog and follow us on all major social platforms, and we look forward to hearing what other techniques you use to drive focus in the ever-evolving threat landscape
#threatinformeddefense #threatprofile #risk #intelligence #CTI
-
#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?
Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2
Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars
Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout
Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors
#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam
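The post above points at tool-agnostic detection logic from Red Canary and The DFIR Report; what follows is an added example of that kind of check, not their rules and not anything from the linked reports. It runs three behavioural checks over process-creation events: a user launching a .js from a download or temp location through Windows Script Host (parent explorer.exe), the script host spawning PowerShell, and the script host creating a scheduled task. The event schema and the sample events are constructed, and the three behaviours are assumed indicators to be tuned against your own telemetry rather than a statement of Gootloader's exact current chain.

```python
"""Process-telemetry checks for a script-host delivery chain: an added example,
not the Red Canary / DFIR Report logic linked above.  Event format and sample
events are constructed; the three behaviours are assumed indicators.
"""
import re
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Locations a browser or archive tool drops files into; a .js launched from here was downloaded.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.IGNORECASE)
QUOTED_SCRIPT = re.compile(r'"([^"]+\.(?:js|jse|wsf))"', re.IGNORECASE)
BARE_SCRIPT = re.compile(r"(\S+\.(?:js|jse|wsf))(?=\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_argument(cmd: str) -> Optional[str]:
    """Pull the script path out of a script-host command line, quoted or bare."""
    m = QUOTED_SCRIPT.search(cmd) or BARE_SCRIPT.search(cmd)
    return m.group(1) if m else None


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Apply the three checks to one process-creation event."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
    hits: List[str] = []
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        script = script_argument(cmd)
        if script and USER_WRITABLE.search(script):
            hits.append("script host launched a .js from a download/temp path")
    if image in SHELLS and parent in SCRIPT_HOSTS:
        hits.append("PowerShell spawned by a script host")
    if image == "schtasks.exe" and parent in SCRIPT_HOSTS and re.search(r"/create\b", cmd, re.I):
        hits.append("scheduled task created by a script host")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, findings) for every event that trips at least one check."""
    out: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample events: three steps of the chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\contract_agreement_form\contract_agreement_form.js"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"powershell.exe -w hidden -ep bypass -f C:\Users\jdoe\AppData\Roaming\stage2.ps1"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks.exe /create /tn "Updater" /tr "wscript.exe C:\Users\jdoe\AppData\Roaming\x.js" /sc onlogon'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" "C:\Users\jdoe\Downloads\contract.docx"'},
    {"image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
]
```

The first check is the one worth the most tuning: it keys on the parent being explorer.exe so that administrative scripts run from cmd.exe or a management agent do not fire, and on the script living under a download or temp path, which is where an archive extracted from a browser download lands.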