Date: 11/12/2024
Severity: Critical
Summary
On March 27, 2024, the MDR team conducted a proactive threat hunting campaign across several customer environments in response to recent reports of a new GootLoader variant being actively distributed in the wild. Our investigation found that the threat actor was relying on SEO poisoning: the lure was a publicly accessible online forum page that ranked highly for a straightforward Google search for "Do you need a license to own a Bengal cat in Australia".
Indicators of Compromise (IOC) List
Domains\URLs:
https://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia
https://www.chanderbhushan.com/doc.php
https://serviciilaser.ro/xmlrpc.php
https://metropole.com.au/xmlrpc.php
https://fannisho.com/xmlrpc.php
https://gobranded.com/xmlrpc.php
https://climatehero.me/xmlrpc.php
https://wyantgroup.com/xmlrpc.php
https://rkbaienfurt.de/xmlrpc.php
https://beezzly.com/xmlrpc.php
https://playyourbeat.com/xmlrpc.php
https://wowart.vn/xmlrpc.php
Note: the "#:~:text=..." suffix on the first URL is a browser text fragment copied from the Google result link. Fragments are never sent to the server, so proxy and web-server logs will record only https://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/ and any match must be made on the host and path alone.
Hashes (SHA-256):
435f48667b32c3ab8bb806a8783c0fc40af86e6c5cbf6f621d6e1a3f331483ed
ea781eef1da03ea2c3b5250ce26b00445d8a5123bbb0575c583211cca53c61db
9a7e79d4ff235feb12672979dfc073d2b4572233772ae500ef6b69c670a9820e
5f2c97499943878d853332da541138bd6ccbafca7e00d6f90d06545b27b66ca3
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
userdomainname like "https://beezzly.com/xmlrpc.php" or url like "https://beezzly.com/xmlrpc.php"
or userdomainname like "https://climatehero.me/xmlrpc.php" or url like "https://climatehero.me/xmlrpc.php"
or userdomainname like "https://www.chanderbhushan.com/doc.php" or url like "https://www.chanderbhushan.com/doc.php"
or userdomainname like "https://fannisho.com/xmlrpc.php" or url like "https://fannisho.com/xmlrpc.php"
or userdomainname like "https://gobranded.com/xmlrpc.php" or url like "https://gobranded.com/xmlrpc.php"
or userdomainname like "https://metropole.com.au/xmlrpc.php" or url like "https://metropole.com.au/xmlrpc.php"
or userdomainname like "https://rkbaienfurt.de/xmlrpc.php" or url like "https://rkbaienfurt.de/xmlrpc.php"
or userdomainname like "https://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia" or url like "https://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia"
or userdomainname like "https://playyourbeat.com/xmlrpc.php" or url like "https://playyourbeat.com/xmlrpc.php"
or userdomainname like "https://wowart.vn/xmlrpc.php" or url like "https://wowart.vn/xmlrpc.php"
or userdomainname like "https://serviciilaser.ro/xmlrpc.php" or url like "https://serviciilaser.ro/xmlrpc.php"
or userdomainname like "https://wyantgroup.com/xmlrpc.php" or url like "https://wyantgroup.com/xmlrpc.php"
Note: each "like" pattern above carries no wildcard, so it behaves as an exact comparison against the full URL including scheme. The ledabel.be clause in particular cannot fire on logged traffic because the text fragment after "#" is never transmitted; in practice, match on the host plus path (for example host = "ledabel.be" and path starting with "/en/are-bengal-cats-legal-in-australia") and keep the xmlrpc.php clauses scoped to the listed hosts, since xmlrpc.php is a standard WordPress endpoint and the path alone is not an indicator.
Hash:
sha256hash IN ("435f48667b32c3ab8bb806a8783c0fc40af86e6c5cbf6f621d6e1a3f331483ed","ea781eef1da03ea2c3b5250ce26b00445d8a5123bbb0575c583211cca53c61db","9a7e79d4ff235feb12672979dfc073d2b4572233772ae500ef6b69c670a9820e","5f2c97499943878d853332da541138bd6ccbafca7e00d6f90d06545b27b66ca3")
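As an added example that is not part of the Gurucul advisory or the Sophos report, the following Python script applies the same URL and hash indicators to a handful of constructed proxy/EDR log lines. It reduces every logged URL to host and path before comparing, so that scheme, host letter case, query string and the browser text fragment do not affect the match, and it keeps an exact-string matcher alongside for contrast. The log lines, client addresses and the tab-separated layout are assumptions made for illustration only.

```python
"""Match the advisory's GootLoader URL and SHA-256 indicators against log lines.

Added example, not Gurucul's or Sophos's code. The IOC values are copied from
the advisory; the log format and sample lines are constructed for illustration.
"""
from urllib.parse import urlsplit

# URL indicators from the advisory (the first one carries a browser text fragment).
IOC_URLS = [
    "https://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/#:~:text=In%20most%20cases%2C%20you%20do,a%20Bengal%20cat%20in%20Australia",
    "https://www.chanderbhushan.com/doc.php",
    "https://serviciilaser.ro/xmlrpc.php",
    "https://metropole.com.au/xmlrpc.php",
    "https://fannisho.com/xmlrpc.php",
    "https://gobranded.com/xmlrpc.php",
    "https://climatehero.me/xmlrpc.php",
    "https://wyantgroup.com/xmlrpc.php",
    "https://rkbaienfurt.de/xmlrpc.php",
    "https://beezzly.com/xmlrpc.php",
    "https://playyourbeat.com/xmlrpc.php",
    "https://wowart.vn/xmlrpc.php",
]

# SHA-256 indicators from the advisory, kept lowercase for case-insensitive lookup.
IOC_SHA256 = {
    "435f48667b32c3ab8bb806a8783c0fc40af86e6c5cbf6f621d6e1a3f331483ed",
    "ea781eef1da03ea2c3b5250ce26b00445d8a5123bbb0575c583211cca53c61db",
    "9a7e79d4ff235feb12672979dfc073d2b4572233772ae500ef6b69c670a9820e",
    "5f2c97499943878d853332da541138bd6ccbafca7e00d6f90d06545b27b66ca3",
}


def normalize_url(url):
    """Reduce a URL to (host, path).

    Scheme, port, query string and fragment are dropped. The fragment (everything
    after '#') is never sent to the server, so it never appears in proxy or
    web-server logs and must not be part of the match key.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()  # hostname is already lowercased
    path = parts.path or "/"
    return host, path


# Pre-computed match keys so each log line costs one set lookup.
IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}


def naive_url_match(url):
    """Exact string comparison, equivalent to `url like "<full url>"` with no wildcard."""
    return url in IOC_URLS


def url_match(url):
    """Host-and-path comparison that survives scheme, case, query and fragment differences."""
    return normalize_url(url) in IOC_URL_KEYS


def hash_match(sha256):
    return sha256.strip().lower() in IOC_SHA256


# Constructed sample log lines (not real telemetry).
# Fields: timestamp, client IP, requested URL or "-", SHA-256 of a downloaded file or "-".
SAMPLE_LOGS = [
    "2024-03-27T09:14:02Z\t10.0.5.23\thttps://ledabel.be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/\t-",
    "2024-03-27T09:14:40Z\t10.0.5.23\thttp://BEEZZLY.com/xmlrpc.php?\t-",
    "2024-03-27T09:15:03Z\t10.0.5.23\thttps://example.org/wp/xmlrpc.php\t-",
    "2024-03-27T09:15:10Z\t10.0.5.23\t-\t435F48667B32C3AB8BB806A8783C0FC40AF86E6C5CBF6F621D6E1A3F331483ED",
    "2024-03-27T09:16:00Z\t10.0.7.9\thttps://www.chanderbhushan.com/doc.php\t-",
]


def scan_logs(lines):
    """Return one (timestamp, client, indicator_type, matched_value) tuple per hit."""
    hits = []
    for line in lines:
        ts, client, url, sha = line.rstrip("\n").split("\t")
        if url != "-" and url_match(url):
            hits.append((ts, client, "url", url))
        if sha != "-" and hash_match(sha):
            hits.append((ts, client, "sha256", sha.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(*hit, sep="\t")
```

Run against the constructed lines, the script reports the ledabel.be page (logged without its fragment), the beezzly.com xmlrpc.php request (mixed-case host, http scheme, empty query), the uppercase hash, and the chanderbhushan.com doc.php request, while the unrelated xmlrpc.php on example.org is not reported. The same ledabel.be line would be missed by the exact-string comparison.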
Reference:
https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/