Whelp. #Gootloader up to some weird SEO poisoning. Don't ask how this one was found.

RequestURL: hxxps://cbxmodulars[.]com/can-you-legally-pee-in-your-car/

Sha256: 68433d5f8d59c5817dd50b6d37004ed2ff3a3ef53c6627eb157cbe96e972c263

Zip > JS (FileName (can't make this up): canyoulegallypeeinyourcar96503.js) > Wscript fun (TECHNI~1[.]JS).

Hardcoded C2s

#cybersecurity #SEOPoisoning #mondayfunday
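A defender-side triage check for the lure shape described in this post (a ZIP whose single member is a .js named after the search query with a numeric suffix, like canyoulegallypeeinyourcar96503.js). This is an added example written for this page, not code from the original post; the name regex and the constructed sample ZIP are assumptions for illustration, not the real sample.

```python
import io
import re
import zipfile

# Assumed lure-name pattern: a long lowercase "search query" stem followed by
# a run of digits, e.g. canyoulegallypeeinyourcar96503.js. Tune to taste.
LURE_JS_NAME = re.compile(r"^[a-z][a-z_-]{8,}\d{3,}\.js$", re.IGNORECASE)


def inspect_zip(data: bytes) -> dict:
    """Triage a ZIP blob: list members and flag the single-.js lure shape."""
    findings = {"members": [], "lure_js": None, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    findings["members"] = names
    # Gootloader-style lure: exactly one file, and it is a .js matching the pattern.
    if len(names) == 1:
        basename = names[0].rsplit("/", 1)[-1]
        if LURE_JS_NAME.match(basename):
            findings["lure_js"] = names[0]
            findings["suspicious"] = True
    return findings


def build_sample_zip(member_name: str,
                     content: bytes = b"// constructed placeholder, not the real sample") -> bytes:
    """Build a small in-memory ZIP so the check can run offline (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("canyoulegallypeeinyourcar96503.js")
    benign = build_sample_zip("report.pdf")
    print(inspect_zip(lure))    # suspicious: True
    print(inspect_zip(benign))  # suspicious: False
```
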

More on this #Gootloader. It appears to be part of this August campaign: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/

Make sure if you visit a site and get the WP forum page with the link (and you want the sample), that you download immediately. They have some cool evasion tricks such as x-pingback, etc. to look to see if you've visited before and meet criteria, in order to hide their payloads from researchers.

#cybersecurity #initialaccessbroker #wordpress
