SEO Poisoning to Domain Control: The Gootloader Saga Continues
released on 2024-02-26 @ 09:51:09 AM
In February 2023, a user downloaded and executed a file from an SEO-poisoned search result, leading to a Gootloader infection. Around nine hours later, Gootloader facilitated the deployment of Cobalt Strike, which was staged in the registry and executed in memory. The threat actor used SystemBC to tunnel RDP access, compromising domain controllers, backup servers, and other key servers. The threat actor interactively reviewed sensitive files via RDP, but no data exfiltration was confirmed.