Gootloader Drops Cobalt Strike Beacon Through SEO Poisoning
In February 2023 a security breach was identified where a user inadvertently downloaded and executed a file from a search result poisoned by SEO tactics resulting in a Gootloader infection. Subsequently Gootloader facilitated the deployment of a Cobalt Strike beacon payload into the hosts registry which was then executed in memory approximately nine hours later. The threat actor utilized SystemBC to tunnel RDP access into the network leading to compromises of domain controllers backup servers and other critical systems. The threat actor interactively reviewed sensitive files using RDP but it remains uncertain if any data was exfiltrated.