Intro:

The Gootkit is still broken, but now I’ve observed there is a change with the configured C2. Read ahead to learn more.

Artifact Source:

If you take a gander at the beaconing domains in the snip below, you can see that they do not contain xmlrpc.php.

Why is this interesting:

This is of interest because the last article we posted (“Gootkit is broken right now”, https://malasada.tech/gootkit-is-broken-right-now/), we showed a simple countermeasure to block requests to xmlrpc.php. xmlrpc.php could be legitimately used, but it’s easy to identify beaconing activity when a client IP has an excessive amount of requests to the same 10 URLs.

Are we amidst an upgrade? Will they be permanently removing xmlrpc.php from their C2? Stay tuned to this here website as we observe and report straight from the cyber front lines!

Resources:

Twitch Stream Video:

https://www.twitch.tv/videos/2120974865

AnyRun Session:

https://app.any.run/tasks/c5b88f7f-701f-43ad-bd1a-2278a79aaffe

GK Forum source:

https[:]//www[.]casagaribaldi[.]it/2022/04/14/what-is-a-surety-bond-in-court-philippines/

GK File source:

https[:]//www[.]gxtfinance[.]com/english.php

File info:

What_is_a_surety_bond_in_court_philippines_43315.zip:

4e9b229c7283652cfa613c0ff8e3704ddd004567bcfe3dc87d7bfc602dc55e74

https://www.virustotal.com/gui/file/4e9b229c7283652cfa613c0ff8e3704ddd004567bcfe3dc87d7bfc602dc55e74/details

what is a surety bond in court philippines 31948.js

67040b1f1208d8b610792399f4c72fc139de122d5f675fc638f0a0166815bafb

https://www.virustotal.com/gui/file/67040b1f1208d8b610792399f4c72fc139de122d5f675fc638f0a0166815bafb/details

Beaconing domains:

“https[:]//onlinemarketing[.]nl/”,

“https[:]//knolpower[.]nl/”,

“https[:]//www[.]nada-editions[.]fr/”,

“https[:]//www[.]lernenwieesgeht[.]de/”,

“https[:]//quakerknoll[.]org/”,

“https[:]//healthygut[.]com/”,

“https[:]//camerashop[.]fi/”,

“https[:]//declutteringschool[.]com/”,

“https[:]//allaboutpoolrepair[.]com/”,

“https[:]//diyot[.]net/”

One thought on “Is Gootkit Updating Their C2 Infrastructure?”

Comments are closed.