
Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

· Published 08/05/2024 13:32 · Modified 08/05/2024 17:29


Essential information

Tags
2024-05-03 2024-05-04 2024-05-05 2024-05-06 2024-05-07 2024-05-08 ata bus dll path explorer findwindow guntior ime file ioctl mbr mebroot ntfs payload dll rootkit rovnix tdl4 tidserv windows
Related entities
6 observables, 9 techniques (mitre), 1 malware

Description

Amid the rise of bootkits at the time, a dropper was captured in the wild and posted to a malware tracker. The malware was named "Guntior" after the device object its authors chose for it (\Device\), and the same name appears in AV detections.

External references