ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool PowGoop

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: PowGoop

NamesPowGoop
CategoryMalware
TypeLoader
Description(Palo Alto) The PowGoop downloader has two components: a DLL loader and a PowerShell-based downloader. The PowGoop loader component is responsible for decrypting and running the PowerShell code that comprises the PowGoop downloader. The PowGoop loader DLL that existed in the same environment as LogicalDuckBill had a filename of goopdate.dll that was likely sideloaded by the legitimate and signed Google Update executable. The sideloading process would start with the legitimate GoogleUpdate.exe file loading a legitimate DLL with a name of goopdate86.dll. The sideloading would occur when the goopdate86.dll library loads the goopdate.dll file, which effectively runs the PowGoop loader.
Information<https://unit42.paloaltonetworks.com/thanos-ransomware/>
<https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf>

Last change to this tool card: 19 October 2020

Download this tool card in JSON format

Previous: PowerView
Next: POWRUNER

All groups using tool PowGoop

ChangedNameCountryObserved

APT groups

XMuddyWater, Seedworm, TEMP.Zagros, Static KittenIran2017-Dec 2020 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key