| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Goopy has the ability to communicate with its C2 over HTTP. |
| enterprise | T1071.003 | Mail Protocols | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2. |
| enterprise | T1071.004 | DNS | Goopy has the ability to communicate with its C2 over DNS. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel. |
| enterprise | T1059.005 | Visual Basic | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2. |
| enterprise | T1005 | Data from Local System | Goopy has the ability to exfiltrate documents from infected systems. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Goopy has used a polymorphic decryptor to decrypt itself at runtime. |
| enterprise | T1041 | Exfiltration Over C2 Channel | Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Goopy has the ability to disable Microsoft Outlook’s security policies to disable macro warnings. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.008 | Clear Mailbox Data | Goopy has the ability to delete emails used for C2 once the content has been copied. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe. |
| enterprise | T1106 | Native API | Goopy has the ability to enumerate the infected system’s user name via GetUserNameW. |
| enterprise | T1027 | Obfuscated Files or Information | Goopy’s decrypter has been inflated with junk code in between legitimate API functions, and has also included infinite loops to avoid analysis. |
| enterprise | T1027.001 | Binary Padding | Goopy has had null characters padded in its malicious DLL payload. |
| enterprise | T1057 | Process Discovery | Goopy has checked for the Google Updater process to ensure Goopy was loaded properly. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour. |
| enterprise | T1033 | System Owner/User Discovery | Goopy has the ability to enumerate the infected system’s user name. |