S0477 Goopy

Goopy is a Windows backdoor and Trojan used by APT32 that shares several similarities with another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.[1]

| Item | Value |
|---|---|
| ID | S0477 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 19 June 2020 |
| Last Modified | 11 July 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Goopy has the ability to communicate with its C2 over HTTP.[1] |
| enterprise | T1071.003 | Mail Protocols | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[1] |
| enterprise | T1071.004 | DNS | Goopy has the ability to communicate with its C2 over DNS.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.[1] |
| enterprise | T1059.005 | Visual Basic | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[1] |
| enterprise | T1005 | Data from Local System | Goopy has the ability to exfiltrate documents from infected systems.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Goopy has used a polymorphic decryptor to decrypt itself at runtime.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Goopy has the ability to disable Microsoft Outlook's security policies in order to suppress macro warnings.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.008 | Clear Mailbox Data | Goopy has the ability to delete emails used for C2 once their content has been copied.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system alongside a legitimate GoogleUpdate.exe.[1] |
| enterprise | T1106 | Native API | Goopy has the ability to enumerate the infected system's user name via GetUserNameW.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Goopy's decrypter has been inflated with junk code between legitimate API functions and also includes infinite loops to hinder analysis.[1] |
| enterprise | T1027.001 | Binary Padding | Goopy has had null characters padded into its malicious DLL payload.[1] |
| enterprise | T1057 | Process Discovery | Goopy has checked for the Google Updater process to ensure Goopy was loaded properly.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.[1] |
| enterprise | T1033 | System Owner/User Discovery | Goopy has the ability to enumerate the infected system's user name.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0050 | APT32 | [1] |

References