Gootloader | Threat Detection Overview | Huntress

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Gootloader abuses WordPress comment endpoints (/wp-comments-post.php) to deliver XOR-encrypted ZIP payloads via POST requests: ‘the loader abuses WordPress’s comment submission endpoint (/wp-comments-post.php) to deliver encrypted payloads.’
• [T1204.002] User Execution: Malicious File – Victims click fake “Download” pop-ups triggering JavaScript that serves and decrypts payloads: ‘The user sees a convincing pop-up displaying a download progress indicator… while the site serves an XOR-encrypted ZIP archive.’
• [T1036.005] Masquerading: Match Legitimate Name or Location – Malicious JavaScript masquerades as jQuery v3.0.0 and embeds obfuscated malicious code in noisy string fragments: ‘This JavaScript file masquerades as jQuery v3.0.0 while embedding heavily obfuscated malicious code…’
• [T1059.001] Command and Scripting Interpreter: PowerShell – Second-stage PowerShell beacons, enumerates environment/processes, and executes received commands from C2: ‘we were able to produce a readable second-stage PowerShell script… the script executes received PowerShell commands.’
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence created via Startup folder shortcuts launching JavaScript under %AppData% using Windows 8.3 short filenames: ‘approximately 10-20 minutes later, two persistence mechanisms would be created leveraging Startup folder (T1547.001)…’
• [T1046] Network Service Discovery – Actor performs domain-wide local admin scanning and AD enumeration (SPN scanning) to identify high-value targets: ‘This command scans all domain computers to find where the current user has local admin access.’
• [T1021.006] Lateral Tool Transfer: Windows Remote Management – Lateral movement via WinRM to reach the Domain Controller: ‘the threat actor moved laterally via WinRM (Windows Remote Management) to the Domain Controller.’
• [T1136.001] Create Account: Local Account – Threat actor created local/domain privileged accounts such as sccmad and bpadmin and added them to Domain Admins or Remote Desktop Users: ‘net USER sccmad /ADD … net group “Domain Admins” sccmad /ADD /DOMAIN’.
• [T1003.003] OS Credential Dumping: NTDS – Actor used ntdsutil to dump NTDS.dit on the Domain Controller for potential credential extraction: ‘the threat actor used ntdsutil to dump the NTDS.dit database (T1003.003)’.
• [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Post-operation cleanup included clearing event logs and deleting Terminal Server client registry keys: ‘performed cleanup activities… including clearing event logs and deleting registry keys related to Terminal Server client connections (T1070.001).’
• [T1105] Ingress Tool Transfer – Deployment of Supper backdoor and proxy DLL on compromised hosts to enable remote control and tunneling: ‘Supper SOCKS5 backdoor is commonly used by Vanilla Tempest. The backdoor has remote control capabilities over compromised hosts and facilitates the tunneling of network traffic.’