Gootloader (Deprecated) (3eec857e-dce3-4865-a65f-3ad5a559a3e6)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Gootloader" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
Gootloader is a highly active banking Trojan-turned-loader that has attacked organizations across a wide range of verticals and countries. Gootloader, whose name is often used interchangeably with that of its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceuticals, energy, and automotive have faced Gootloader campaigns, with victims across North America, Western Europe, and South Korea. The malware is regularly used to deliver high-impact follow-on payloads, including Cobalt Strike and IcedID (a common ransomware precursor). Cybereason indicates that the financial and healthcare sectors are especially impacted.[Cybereason Gootloader February 2023] Red Canary and The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[Red Canary Gootloader April 2023][DFIR Report Gootloader]
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
BlackSuit Ransomware Actors (1d751794-ce94-4936-bf45-4ab86d0e3b6e) | Tidal Groups | Gootloader (Deprecated) (3eec857e-dce3-4865-a65f-3ad5a559a3e6) | Tidal Software | 1 |