
Rewterz Threat Alert – Gootloader – Active IOCs

Severity

High

Analysis Summary

Gootloader, a multi-payload malware delivery platform, is actively targeting organizations in the US, Germany, and South Korea. The infection chain begins with social engineering: search engine optimization (SEO) poisoning pushes attacker-controlled pages to the top of search results. The poisoned result leads to a fraudulent forum-style page containing a link; clicking it downloads a JavaScript file, and running that file begins the next stages of the attack. The later stages use fileless techniques, so the activity can go unnoticed by the user while additional payloads are fetched, including the Kronos banking trojan, Cobalt Strike beacons (a commercial post-exploitation framework abused by attackers), the Gootkit trojan, or Sodinokibi (REvil) ransomware.

Impact

  • Malware installation
  • Detection evasion
  • Information theft

Indicators of Compromise

MD5

  • 3ea472d1768368f680304fd5c7c5d8b3
  • d11ddfbef07b0b4f6151696914a3c925
  • 90ba9e9a55dea15cbd18af945d408fa9
  • 59bf2ddd42966a16570d3c55cc8b69d9
  • e2700e6b54c0e660578f2ac20cb1d753
  • ea903cedba764e9c2c499116be48c207
  • dbbf31645fd10870ce04c0fb36ae309c
  • 35c104067184f8075a2874bef3908090
  • 8acc27ca61b44a3a96477c92dfa343f9
  • 7b2bbd7fba2efdbc4011d3054e75d7ce

SHA-256

  • a2fd2217ddc92cb2bb31b701ac30b619b5471d19d09de81ada226d429a85d3a1
  • 46c776ee07ccbc05603b99537db9ae6d550813bb6f04eff779f56dde59adab6d
  • cd4c888d3ca2e7d1dac3e24677862dee39ba2705e27da67c587a51aefb289585
  • 849f42641d367877bdfe1af7f1bba32105374e3afa93d229849849e5c5066d02
  • 6451ad4ee1a02cb1dc8985e410382936fdfb4b26628fe75e0aeee8e2a4610574
  • 26859dfdbadce76b663273e692ad6f094ab4074fd73bcefd72f75ce0f337d01e
  • c74f456b9ff90d15707f990c789dc37c3db4e07fc5f23871b2a3811b3904a310
  • 386d62068fffb0780903f098a95fc7a9adfe43cf353c2daea45b6e82ae32c48d
  • 42c91e4826facf920ee825d23bb500f3f21d1dadf1706330842cca5584c6d418
  • dc2017cef34a9cc060856c956e1d0684dbd810684662a66b510b2bfbb7737aee

SHA-1

  • fffbf5f4eaf8531b6c57253e3a109dcd6810a259
  • ffdff873f6a13881117e11185000e38c64221145
  • ffd6a83b96c528609dd53901a78c1233f3b07ff2
  • ff9c809e5c3b234986e359f23146f366168ef8ff
  • ff3f6a8195d7f202f125e0cd5e70ac2a5f202b70
  • fef9107c9eda5b90bc81a231e32ef618cff22561
  • fec894a0749e480d09312335e65144e54e43eb2d
  • fea626706aade1f7d9c8c1867cda8a5166b11829
  • fe822272db082131ed64e682bb9536bb309eb58f
  • fe633bcf94bd4657bc7c0865e051633b9f68b24e

Remediation

  • Block the listed indicators at your respective security controls (endpoint, email, web proxy).
  • Search for the listed IOCs in your environment, including file hashes in endpoint telemetry.
  • Do not download or run files from untrusted sources, search results, or unsolicited emails.
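The hash sweep implied by the "search for IOCs" step above, as an added example that is not Rewterz tooling: it parses hash lists in the format printed in this alert (digests bucketed by length as MD5, SHA-1 or SHA-256, normalized to lower-case), hashes each file once for all three algorithms, and reports matches. The planted file and its digest in `demo()` are constructed for the demonstration and are not real Gootloader indicators; the one MD5 it reuses is taken from the list above.

```python
"""Sweep a directory tree for files whose MD5/SHA-1/SHA-256 matches an IOC list.

Editor-added example, not Rewterz tooling. The IOC text inside demo() is a
constructed excerpt in the alert's list format; the planted file's digest is
synthetic and does not correspond to a real Gootloader sample.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# Longest alternative first so a SHA-256 is not split into shorter matches.
HEX = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# Algorithm is inferred from digest length; keys are hashlib names.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Pull every hex digest out of advisory text and bucket it by algorithm.

    Lower-casing avoids a missed hit when an alert prints upper-case hex and
    the hashing tool emits lower-case.
    """
    iocs: Dict[str, Set[str]] = {name: set() for name in ALGO_BY_LEN.values()}
    for match in HEX.findall(text):
        iocs[ALGO_BY_LEN[len(match)]].add(match.lower())
    return iocs


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass.

    One read feeds all three digests, so a large share is not read three
    times; chunking keeps memory flat for big files.
    """
    hashers = {name: hashlib.new(name) for name in ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, algorithm, digest) for every IOC hit.

    Files that are locked, unreadable or removed mid-scan are skipped so one
    bad path does not abort the whole sweep.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Self-contained run on constructed data.

    Plants one benign file, lists its SHA-256 as an IOC next to a genuine MD5
    from the alert, and sweeps the directory. The planted digest is synthetic.
    """
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "planted.js")
        with open(planted, "wb") as fh:
            fh.write(b"// constructed sample, not malware\n")
        clean = os.path.join(tmp, "clean.txt")
        with open(clean, "wb") as fh:
            fh.write(b"nothing to see here\n")
        ioc_text = (
            "MD5\n  \u2022 3ea472d1768368f680304fd5c7c5d8b3\n"
            "SHA-256\n  \u2022 " + hash_file(planted)["sha256"] + "\n"
        )
        return sweep(tmp, load_iocs(ioc_text))


if __name__ == "__main__":
    for path, algo, digest in demo():
        print(f"HIT {algo} {digest} {path}")
```

A hash match confirms a known sample is present; it does not prove execution, and a repacked sample produces a new digest, so a clean sweep is not proof of absence. Treat hits as a starting point for the host-level triage, not the end of it.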