PowGoop

Description

(Palo Alto) The PowGoop downloader has two components: a DLL loader and a PowerShell-based downloader. The PowGoop loader component is responsible for decrypting and running the PowerShell code that comprises the PowGoop downloader. The PowGoop loader DLL that existed in the same environment as LogicalDuckBill had the filename goopdate.dll and was likely sideloaded by the legitimate, signed Google Update executable. The sideloading process would start with the legitimate GoogleUpdate.exe file loading a legitimate DLL named goopdate86.dll. The sideloading would occur when the goopdate86.dll library loads the goopdate.dll file, which effectively runs the PowGoop loader.

Names

Name
PowGoop

Category

Malware

Type

  • Loader

Information

Mitre Attack

Malpedia

Other Information

Uuid

5bb80638-3bd5-4921-adc9-ef529ced2d91

Last Card Change

2022-12-30