Goopy

Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities with another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.[1]

ID: S0477
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 19 June 2020
Last Modified: 11 July 2022

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Goopy has the ability to exfiltrate documents from infected systems.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.[1]
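
The two entries above describe the same mechanism from both sides: a genuine, signed GoogleUpdate.exe is dropped somewhere the attacker controls and loads a look-alike goopdate.dll sitting next to it. A hunt over Sysmon Event ID 7 (ImageLoad) records therefore has to judge the loaded module, not the host process. The following is an added example (not code from the ATT&CK page, the cited report, or any Goopy sample); the Sysmon records are constructed, and the table of expected host/module pairs and the list of trusted install directories are assumptions to extend for your own estate.

```python
"""Hunt for DLL side-loading of the kind described above over Sysmon
Event ID 7 (ImageLoad) records.  Added example, not code from the ATT&CK
page or from any Goopy sample; the events below are constructed."""
import ntpath
from typing import Dict, List, Tuple

# Signed host executables and the module names they legitimately load.
# Assumption for this example: only the GoogleUpdate/goopdate.dll pair
# named on the page is modelled; add the Kaspersky and Microsoft hosts the
# page mentions once their expected module names are known.
EXPECTED_MODULES = {
    "googleupdate.exe": {"goopdate.dll"},
}

# Directories a legitimate installer writes to (lower-cased prefixes).
# A dropped copy of GoogleUpdate.exe under %APPDATA% fails this test even
# though the EXE itself carries a valid signature.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

def is_trusted_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an ImageLoad event looks like side-loading;
    an empty list means the event is benign under these rules."""
    host = ntpath.basename(event["Image"]).lower()
    loaded = event["ImageLoaded"]
    expected = EXPECTED_MODULES.get(host)
    if expected is None or ntpath.basename(loaded).lower() not in expected:
        return []  # not a host/module pair this hunt models
    reasons = []
    if not is_trusted_path(loaded):
        reasons.append("module loaded from untrusted directory: " + ntpath.dirname(loaded))
    # Sysmon records the signature of the *loaded* module, which is what
    # matters: the host EXE is genuine by design in a side-loading attack.
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("module is unsigned or its signature did not validate")
    elif "google" not in event.get("Signature", "").lower():
        reasons.append("module signed by unexpected publisher: " + event.get("Signature", ""))
    return reasons

def hunt(events: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Pair every flagged event with its reasons."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits

# Constructed Sysmon Event 7 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # genuine updater loading its own module from the install directory
        "Image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
        "ImageLoaded": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.0\\goopdate.dll",
        "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid",
    },
    {   # dropped, validly signed updater loading a look-alike DLL beside it
        "Image": "C:\\Users\\victim\\AppData\\Roaming\\GoogleUpdate\\GoogleUpdate.exe",
        "ImageLoaded": "C:\\Users\\victim\\AppData\\Roaming\\GoogleUpdate\\goopdate.dll",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {   # unrelated load, ignored by the hunt
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

The second constructed record trips both rules: the module sits under a user profile and has no signature. Note that a check on the host process alone would pass it, since the dropped GoogleUpdate.exe is the vendor's own signed binary.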

Enterprise T1140 Deobfuscate/Decode Files or Information

Goopy has used a polymorphic decryptor to decrypt itself at runtime.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.[1]

.005 Command and Scripting Interpreter: Visual Basic

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.[1]
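
The Outlook macro channel described in the two entries above (the Visual Basic sub-technique and this one) depends on two per-user settings: the macro security level must be lowered so the VBA project runs without a prompt, and Outlook must load the project at start-up. Both live in HKCU, so a registry export of the Office hive is enough to audit a host. The following is an added example (not code from the ATT&CK page, the cited report, or any Goopy sample): it parses `reg export` text and flags the weakening. The value names and the meaning of the Level DWORD are Outlook's own settings rather than anything the page states; the export text is constructed, and the Office version path (16.0, 15.0) must be checked against your environment.

```python
"""Check Outlook macro-security settings for the weakening described above
(added example, not from the ATT&CK page or any Goopy sample).  The
registry names are Outlook's own well-known settings; the .reg text below
is constructed.  Verify the Office version path (16.0, 15.0, ...) against
your environment."""
import re
from typing import Dict, List, Tuple

# Meaning of the Outlook "Security\Level" DWORD (Outlook setting, not from
# the page).  2 is the default; 4 is the hardened value.
LEVEL_MEANING = {
    1: "enable all macros, no warning",
    2: "notify for digitally signed macros only (default)",
    3: "notify for all macros",
    4: "disable all macros without notification",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """Parse DWORD values from `reg export` text into {(key, name): value}.
    `reg export` writes UTF-16 files; decode before calling this."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def outlook_macro_findings(values: Dict[Tuple[str, str], int]) -> List[str]:
    """Flag values that weaken Outlook's macro warnings or auto-load VBA.
    Policy keys (HKCU\\Software\\Policies\\...) override user keys, so a
    policy hit and a user hit are reported as separate findings."""
    findings = []
    for (key, name), val in values.items():
        if name == "level" and key.endswith("\\outlook\\security"):
            if val == 1:
                findings.append(f"{key}\\Level={val}: {LEVEL_MEANING[val]}")
            elif val == 3:
                findings.append(f"{key}\\Level={val}: {LEVEL_MEANING[val]} (weaker than default)")
        if name == "loadmacroprovideronboot" and key.endswith("\\outlook") and val == 1:
            findings.append(f"{key}\\LoadMacroProviderOnBoot=1: VBA project loaded at Outlook start")
    return sorted(findings)

# Constructed export: one weakened Outlook 16.0 profile, one default 15.0 one.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook]
"LoadMacroProviderOnBoot"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security]
"Level"=dword:00000002
"""

if __name__ == "__main__":
    for finding in outlook_macro_findings(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

To run it against a live host, export the hive with `reg export HKCU\Software\Microsoft\Office office.reg /y`, decode the file as UTF-16, and pass the text to `parse_reg_export`. A finding on LoadMacroProviderOnBoot should be followed by a look at the user's VbaProject.OTM, since that is the project Outlook would load.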

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Goopy has the ability to communicate with its C2 over HTTP.[1]

.003 Application Layer Protocol: Mail Protocols

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[1]

.004 Application Layer Protocol: DNS

Goopy has the ability to communicate with its C2 over DNS.[1]

Enterprise T1106 Native API

Goopy has the ability to enumerate the infected system's user name via GetUserNameW.[1]

Enterprise T1027 Obfuscated Files or Information

Goopy's decrypter has been inflated with junk code between legitimate API function calls, and also includes infinite loops to hinder analysis.[1]

.001 Binary Padding

Goopy has had null characters padded in its malicious DLL payload.[1]
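
Null padding of this kind defeats two cheap controls at once: the file hash no longer matches any known indicator, and the file can be grown past the size limit of a scanner or sandbox upload. The following is an added example (not code from the ATT&CK page, the cited report, or any Goopy sample) that measures the trailing-null run of a file and derives a padding-insensitive hash for correlating variants; the payload bytes are constructed and the thresholds are assumptions.

```python
"""Measure trailing-null padding of the kind described above and derive a
padding-insensitive hash (added example, not from the ATT&CK page or any
Goopy sample; the payload bytes are constructed)."""
import hashlib
from typing import Dict, Tuple

def trailing_null_run(data: bytes) -> int:
    """Count the 0x00 bytes at the end of data."""
    return len(data) - len(data.rstrip(b"\x00"))

def padding_stats(data: bytes) -> Tuple[int, float]:
    """(trailing null bytes, fraction of the file they represent)."""
    run = trailing_null_run(data)
    return run, (run / len(data) if data else 0.0)

def is_suspiciously_padded(data: bytes, min_bytes: int = 1024 * 1024,
                           min_ratio: float = 0.5) -> bool:
    """Thresholds are assumptions for the example: PE file alignment leaves
    at most a few hundred trailing nulls, so a megabyte-scale run that is
    most of the file is padding, not structure."""
    run, ratio = padding_stats(data)
    return run >= min_bytes and ratio >= min_ratio

def normalized_sha256(data: bytes) -> str:
    """SHA-256 over the file with trailing nulls removed, so every padded
    variant of one payload yields one correlation key.  Use it alongside,
    never instead of, the hash of the bytes actually on disk."""
    return hashlib.sha256(data.rstrip(b"\x00")).hexdigest()

# Constructed stand-in for a DLL: a DOS header stub plus some body bytes.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed-dll-body-" * 16
# The same payload with 2 MiB of nulls appended, as the page describes.
PADDED = PAYLOAD + b"\x00" * (2 * 1024 * 1024)

def demo() -> Dict[str, bool]:
    return {
        "plain_flagged": is_suspiciously_padded(PAYLOAD),
        "padded_flagged": is_suspiciously_padded(PADDED),
        "raw_hashes_differ": hashlib.sha256(PAYLOAD).hexdigest()
                             != hashlib.sha256(PADDED).hexdigest(),
        "normalized_hashes_match": normalized_sha256(PAYLOAD) == normalized_sha256(PADDED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The normalized hash is a hunting aid, not a verification primitive: a file that legitimately ends in null bytes will hash differently from its on-disk bytes, so keep the raw hash as the indicator of record and use the normalized one only to cluster padded copies of the same payload.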

Enterprise T1070 .008 Indicator Removal: Clear Mailbox Data

Goopy has the ability to delete emails used for C2 once the content has been copied.[1]

Enterprise T1033 System Owner/User Discovery

Goopy has the ability to enumerate the infected system's user name.[1]

Enterprise T1057 Process Discovery

Goopy has checked for the Google Updater process to ensure that it was loaded properly.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.[1]
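
A task that fires every hour and launches an updater-named binary from a user profile is easy to pick out once the task definition is parsed rather than eyeballed. The following is an added example (not code from the ATT&CK page, the cited report, or any Goopy sample) that reads Task Scheduler XML, as produced by `schtasks /query /xml`, converts the ISO 8601 repetition interval to seconds and flags tasks that both repeat at or under a threshold and execute from a user-writable directory. It generalises the page's hourly case to any interval at or under the threshold; the task XML is constructed, and the user-writable path fragments are an assumption to extend for your own estate.

```python
"""Flag scheduled tasks that repeat hourly (or faster) and launch a binary
from a user-writable directory, the persistence pattern described above.
Added example, not from the ATT&CK page or any Goopy sample; the task XML
below is constructed."""
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO 8601 duration as Task Scheduler writes it, e.g. PT1H, PT30M, P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Path fragments an unprivileged user can write to (assumption for the
# example; extend for your estate).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

def duration_seconds(iso: str) -> int:
    m = DURATION_RE.match(iso.strip())
    if not m:
        raise ValueError("unsupported duration: " + iso)
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def task_findings(xml_text: str, max_interval: int = 3600) -> List[str]:
    """Reasons a task matches the pattern above (empty list if none)."""
    # `schtasks /query /xml` emits UTF-16 with an XML declaration; once the
    # file is decoded to str the declaration must go, or expat rejects it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    findings = []
    for el in root.findall(".//t:Repetition/t:Interval", NS):
        try:
            secs = duration_seconds(el.text or "")
        except ValueError:
            findings.append("unparsable repetition interval: " + repr(el.text))
            continue
        if secs <= max_interval:
            findings.append(f"repeats every {secs}s")
    for el in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        cmd = el.text or ""
        if any(frag in cmd.lower() for frag in USER_WRITABLE):
            findings.append("runs from user-writable path: " + cmd)
    return findings

# Constructed task: hourly repetition, updater-named binary under %APPDATA%.
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2020-06-19T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\GoogleUpdate\GoogleUpdate.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task: daily, no repetition, vendor install directory.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2020-06-19T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", task_findings(xml_text) or "no findings")
```

Either finding on its own is noisy (plenty of legitimate tasks repeat hourly, and some vendors do install under ProgramData); requiring both, and pairing the result with the side-loading check on the binary the task launches, is what makes it actionable.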

Groups That Use This Software

ID Name References
G0050 APT32 [1]

References