Gootloader inside out

    Date: 01/21/2025

    Severity: High

    Summary

    The Gootloader malware family employs a unique social engineering tactic to infect computers. Its operators use hijacked Google search results to redirect users to compromised, legitimate WordPress websites. These sites display a fake online message board where a fabricated conversation takes place. In this setup, a fake visitor asks a fake site admin the exact question the victim was searching for, leading them to a link that delivers the malware.

    Indicators of Compromise (IOC) List

    Domain/URLs:

    my-game.biz

    http://5.8.18.7/filezzz.php

    http://5.8.18.7/filesst.php?a=$i&b=$u&c=$r&d=$h&e=$g

    IP Address:

    5.8.18.7

    5.8.18.159

    91.215.85.52

    Hash:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain/URLs:

    userdomainname like "http://5.8.18.7/filesst.php?a=$i&b=$u&c=$r&d=$h&e=$g" or url like "http://5.8.18.7/filesst.php?a=$i&b=$u&c=$r&d=$h&e=$g" or userdomainname like "my-game.biz" or url like "my-game.biz" or userdomainname like "http://5.8.18.7/filezzz.php" or url like "http://5.8.18.7/filezzz.php"

    IP Address:

    dstipaddress IN ("5.8.18.7","91.215.85.52","5.8.18.159") or ipaddress IN ("5.8.18.7","91.215.85.52","5.8.18.159") or publicipaddress IN ("5.8.18.7","91.215.85.52","5.8.18.159") or srcipaddress IN ("5.8.18.7","91.215.85.52","5.8.18.159")

    Hash:

    sha256hash IN ("5d50a7cf15561f35ed54a2e442c3dfdac1d660dc18375f7e4105f50eec443f27","03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016","1fcc418bdd7d2d40e7f70b9d636735ab760e1044bb76f8c2232bd189e2fd8be7","7bcffa722687055359c600e7a9abf5d57c9758dccf65b288ba2e6f174b43ac57","af50c735173326b2af2e2d2b4717590e813c67a65ba664104880dc5d6a58a029","89672c08916dd38d9d4b7f5bbf7f39f919adcaebc7f8bb1ed053cb701005499a","0874d307fc45886d2751cd9e6816513dc3e1604e514ef1b291bbe7b1a887cd96","258cb1d60a000e8e0bb6dc751b3dc14152628d9dd96454a3137d124a132a4e69")
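    An offline matcher that applies the same logic as the three TDIR queries above to sample log records, as an added example (not Gurucul code or a TDIR query): URL and domain fields compare on host and path, IP fields and sha256 use set membership. It assumes the a=$i&b=$u&c=$r&d=$h&e=$g part of the filesst.php URL is a placeholder template rather than a literal value, and that a domain IOC should match the host itself or any of its subdomains; the log records are constructed.

```python
from urllib.parse import urlsplit
IOC_URLS = {"http://5.8.18.7/filezzz.php",
            "http://5.8.18.7/filesst.php?a=$i&b=$u&c=$r&d=$h&e=$g"}
IOC_DOMAINS = {"my-game.biz"}
IOC_IPS = {"5.8.18.7", "5.8.18.159", "91.215.85.52"}
IOC_SHA256 = {
    "03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016",
    "1fcc418bdd7d2d40e7f70b9d636735ab760e1044bb76f8c2232bd189e2fd8be7",
    "258cb1d60a000e8e0bb6dc751b3dc14152628d9dd96454a3137d124a132a4e69",
    "5d50a7cf15561f35ed54a2e442c3dfdac1d660dc18375f7e4105f50eec443f27",
    "7bcffa722687055359c600e7a9abf5d57c9758dccf65b288ba2e6f174b43ac57",
    "af50c735173326b2af2e2d2b4717590e813c67a65ba664104880dc5d6a58a029",
    "89672c08916dd38d9d4b7f5bbf7f39f919adcaebc7f8bb1ed053cb701005499a",
    "0874d307fc45886d2751cd9e6816513dc3e1604e514ef1b291bbe7b1a887cd96",
}
IP_FIELDS = ("srcipaddress", "dstipaddress", "ipaddress", "publicipaddress")
def host_path(value):
    """Reduce a URL or bare host to (host, path). The query string is dropped
    because the filesst.php IOC's a=$i&b=$u... part is assumed to be a
    placeholder template that a literal `like` match would never hit."""
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    return (parts.hostname or "").lower(), parts.path or "/"

IOC_HOST_PATHS = {host_path(u) for u in IOC_URLS}
def matched_fields(record):
    """Mirror the three TDIR queries; return the record fields that hit an IOC."""
    hits = []
    for field in ("url", "userdomainname"):
        host, path = host_path(record.get(field) or "")
        in_domain = any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
        if host and (in_domain or (host, path) in IOC_HOST_PATHS):
            hits.append(field)
    hits += [f for f in IP_FIELDS if record.get(f) in IOC_IPS]
    if record.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("sha256hash")
    return hits

# Constructed sample records, not from any real log source.
SAMPLE_LOGS = [
    {"url": "http://5.8.18.7/filesst.php?a=42&b=alice&c=1&d=WS01&e=x", "dstipaddress": "5.8.18.7"},
    {"userdomainname": "cdn.my-game.biz", "dstipaddress": "203.0.113.9"},
    {"sha256hash": "03A46AD7873DDB6663377282640D45E38697E0FDC1512692BCAEE3CBBA1AA016"},
    {"url": "https://example.org/", "dstipaddress": "198.51.100.4"},
]

def scan(records):
    return {i: f for i, r in enumerate(records) if (f := matched_fields(r))}
```

    The first record shows why the query string is dropped: its real per-request parameters would never equal the literal template in the advisory, yet host and path still identify the filesst.php endpoint.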

    Reference:

    https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/


    Tags: Malware, Gootloader
