The Goot Camp campaign targeted users looking for business-related documents online to drop variants from the GootLoader malware family.
Downloading and opening the malicious ZIP archive launched a series of scripts resulting in the system infected with malicious software including a Cobalt Strike beacon.
The operation also used the FONELAUNCH and SNOWCONE loaders to retrieve payloads from remote locations and load malicious code into memory.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.