Gootloader Malware: Detecting and Containing Multi-Functional Threats with Darktrace | Darktrace Blog

Darktrace detected and contained a Gootloader infection in late 2023 by identifying anomalous beaconing, internal SMB scanning, and a subsequent FTP executable download attempt, then autonomously blocking malicious connections. The platform’s DETECT, RESPOND, and Cyber AI Analyst workflows correlated event activity and prevented further payload retrieval and lateral movement.

Key points

  • Gootloader is a multi-payload loader that uses SEO poisoning to deliver initial payloads and can drop secondary tools like Gootkit, Cobalt Strike, or Osiris.
  • Darktrace DETECT first flagged rare external beaconing from a device (e.g., analyzetest[.]ir) and unusual internal SMB scanning on port 445 on 21 Sept 2023.
  • Darktrace RESPOND immediately blocked SMB (port 445) access and enforced the device’s learned ‘pattern of life’ to inhibit lateral movement while minimizing business disruption.
  • The device continued beaconing to multiple suspicious domains and attempted to download a Windows PE via FTP from ftp2[.]sim-networks[.]com on 26 Sept 2023, which RESPOND blocked by denying external connections.
  • Cyber AI Analyst autonomously correlated beaconing, scanning, and file-transfer events into a single incident and the SOC escalated the case to the customer for remediation.
  • Enhanced Monitoring models and Proactive Notification Services enabled continuous review and expert analyst support during containment.

MITRE Techniques

  • [T1595] Scanning IP Blocks – Internal reconnaissance observed as an unusually large number of connections to internal locations and SMB port scanning: ‘the device performing internal reconnaissance, with an unusually large number of connections to other internal locations observed.’
  • [T1071] Application Layer Protocol (Web Protocols) – C2 and beaconing over web protocols when the device ‘began to make regular connections to an external endpoint that was considered extremely rare for the network.’
  • [T1102] Application Layer Protocol (External Communications) – Use of application-layer channels for one-way C2/beaconing as listed in the mapping: ‘Command and Control – Web Protocols, Application Layer Protocol, One-Way Communication…’
  • [T1090] External Proxy – Use of external proxying techniques for command-and-control as noted in the mapping: ‘…External Proxy…’
  • [T1095] Non-Application Layer Protocol – Use of non-application-layer methods for C2 as referenced in the mapping: ‘…Non-Application Layer Protocol…’
  • [T1571] Non-Standard Port – Anomalous port usage for communications noted in mapping: ‘…Non-Standard Port.’
  • [T1185] Man in the Browser – Collection via banking-trojan techniques consistent with a secondary payload (Gootkit): ‘a second stage payload known as Gootkit, which functions as a banking trojan and information-stealer.’
  • [T1583] Web Services (Resource Development) – Use of compromised web services and SEO poisoning to deliver initial payloads: ‘infect networks via search engine optimization (SEO) poisoning.’
  • [T1588] Malware (Resource Development) – Use of web resources and infrastructure to develop/distribute malware as listed in the mapping: ‘Resource Development – Web Services, Malware.’
  • [T1176] Browser Extensions (Persistence) – Persistence mechanisms including browser extensions noted in the mapping: ‘Persistence – Browser Extensions (T1176)’.

Indicators of Compromise

  • [Hostname] C2 and delivery hosts – analyzetest[.]ir (first rare beacon), fysiotherapie-panken[.]nl (reported malware delivery host), and 11 more hostnames observed on the breach device.
  • [Payload Host / File Transfer] FTP payload download – ftp2[.]sim-networks[.]com (attempted Windows Portable Executable download) and a suspicious .exe file transfer via FTP.
  • [Network Ports] Protocols and ports targeted – SMB scanning on port 445 (internal reconnaissance) and blocked external connections over port 443 (HTTPS) during containment actions.

On 21 September 2023, Darktrace DETECT identified anomalous outbound beaconing from a device to a previously unseen endpoint (e.g., analyzetest[.]ir) followed by rapid internal reconnaissance characterized by numerous SMB (port 445) connection attempts. DETECT’s models flagged the rare external SSL and sustained beaconing activity, and Cyber AI Analyst automatically launched an investigation to correlate the beaconing and scanning into a single incident.

Darktrace RESPOND immediately intervened: it blocked the device’s SMB traffic (port 445) and enforced the device’s learned ‘pattern of life’ to stop lateral movement while keeping normal functions intact. Over subsequent days RESPOND also blocked repeated connections to known malicious delivery hosts (e.g., fysiotherapie-panken[.]nl) on port 443 and ultimately prevented an attempted FTP download of a Windows Portable Executable from ftp2[.]sim-networks[.]com on 26 September 2023 by denying external connectivity.

The autonomous triage reduced analyst workload and bought time for human responders; Enhanced Monitoring models and the SOC escalated the incident to the customer and provided remediation guidance. By detecting early-stage C2/beaconing and stopping both internal scanning and external payload retrieval, the combined DETECT/RESPOND/AI Analyst workflow prevented the deployment of secondary payloads such as Gootkit, Cobalt Strike, or other follow-on tooling.
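To make the three-stage detection logic above concrete, here is an added example (not Darktrace's code) that runs toy versions of the rare-endpoint beaconing, internal SMB-scan and FTP-executable checks over a constructed connection log and then folds the findings into one incident per device, the way the report describes Cyber AI Analyst correlating them. The hostnames, thresholds, record layout and the `KNOWN_EXTERNAL` allow-list standing in for the device's learned ‘pattern of life’ are all assumptions.

```python
# Added example, not Darktrace code: toy detections for the report's three stages over a
# constructed log of (ts_seconds, src, dst, dport, proto, filename) tuples. All values assumed.
from collections import defaultdict
from statistics import median

LOG = [(t, "10.0.0.5", "analyzetest[.]ir", 443, "ssl", "") for t in range(0, 3600, 300)]
LOG += [(100 + i, "10.0.0.5", f"10.0.0.{20 + i}", 445, "smb", "") for i in range(25)]
LOG += [(4000, "10.0.0.5", "ftp2[.]sim-networks[.]com", 21, "ftp", "update.exe"),
        (500, "10.0.0.9", "updates.vendor.example", 443, "ssl", "")]  # benign, known
KNOWN_EXTERNAL = {"updates.vendor.example"}  # the device's learned 'pattern of life'

def is_internal(host):
    return host.startswith(("10.", "192.168."))

def detect_beaconing(log, min_hits=6, max_jitter=0.2):
    """Unseen external host contacted repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, *_ in log:
        if not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            times[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts in times.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        med = median(gaps) if len(ts) >= min_hits else 0
        if med > 0 and max(abs(g - med) for g in gaps) / med <= max_jitter:
            hits.append((src, f"beaconing to {dst} every {med:.0f}s"))
    return hits

def detect_smb_scan(log, window=300, min_targets=20):
    """One source reaching many distinct internal hosts on 445 inside one window."""
    events = defaultdict(list)
    for ts, src, dst, dport, *_ in log:
        if dport == 445 and is_internal(dst):
            events[src].append((ts, dst))
    hits = []
    for src, evs in events.items():
        peak = max(len({d for t, d in evs if 0 <= t - t0 <= window}) for t0, _ in evs)
        if peak >= min_targets:
            hits.append((src, f"SMB scan of {peak} internal hosts"))
    return hits

def detect_ftp_pe(log):  # FTP transfer of a Windows executable from an external host
    return [(src, f"FTP download of {fn} from {dst}") for _, src, dst, _, proto, fn in log
            if proto == "ftp" and not is_internal(dst) and fn.lower().endswith(".exe")]

def correlate(log):  # fold all findings into one incident per device, as AI Analyst does
    incidents = defaultdict(list)
    for src, finding in detect_beaconing(log) + detect_smb_scan(log) + detect_ftp_pe(log):
        incidents[src].append(finding)
    return dict(incidents)
```

Running `correlate(LOG)` yields a single incident for 10.0.0.5 carrying all three findings, while the benign device that only contacts a known endpoint produces nothing.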

Read more: https://darktrace.com/blog/gootloader-malware-detecting-and-containing-multi-functional-threats-with-darktrace