GooPic Drooper

Malware

⚠️ Overview

GooPic Drooper is a trojan‑dropper first documented in April 2023 by threat researchers at Broadcom Symantec, distributed through steganographic image files (.png, .jpg) that embed encrypted payloads. It belongs to the dropper category and is primarily used to deliver secondary malware such as information stealers (e.g., SnakeKeylogger) and ransomware.

🔧 Technical Capabilities

The dropper uses steganography to conceal malicious code within legitimate‑looking images, decrypting the payload at runtime using a hard‑coded AES‑256 key. Propagation occurs via spear‑phishing emails with malicious image attachments or links to compromised websites hosting the crafted images. Persistence is achieved through scheduled tasks leveraging Windows Task Scheduler (MITRE ATT&CK T1053.005) that re‑execute the dropper at system startup. Evasion techniques include process hollowing (T1055.012) to inject the decrypted payload into legitimate processes like explorer.exe, and code signing with stolen or self‑signed certificates to bypass security scans. Command‑and‑control (C2) communication uses HTTPS on port 443 with beacon intervals of 60–120 seconds, mimicking normal web traffic to avoid detection. The dropper also employs anti‑analysis checks by detecting sandbox environments via hardware and memory artifacts (T1497).
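The C2 behaviour described above (HTTPS on port 443, check-ins every 60–120 seconds) is the kind of regularity a defender can hunt for in proxy or firewall logs. The following Python script is an added example, not code from the original page or from any vendor; it runs over a constructed proxy log, groups port-443 connections per source/destination pair, and flags flows whose inter-connection gaps all sit inside the quoted window and are regular. The address 198.51.100.23 is inside the range quoted on this page, which is RFC 5737 documentation space, so it is a placeholder rather than a live C2 host.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real telemetry):
# "<ISO 8601 time> <src ip> <dst ip>:<port> <method> <status>".
# 10.0.0.5 checks in roughly every 90 s, as a 60-120 s beacon would;
# 10.0.0.7 shows bursty, user-driven browsing.
SAMPLE_PROXY_LOG = """\
2023-07-03T12:00:00 10.0.0.5 198.51.100.23:443 POST 200
2023-07-03T12:00:05 10.0.0.7 203.0.113.10:443 GET 200
2023-07-03T12:00:07 10.0.0.7 203.0.113.10:443 GET 200
2023-07-03T12:00:08 10.0.0.7 203.0.113.10:443 GET 304
2023-07-03T12:01:30 10.0.0.5 198.51.100.23:443 POST 200
2023-07-03T12:03:05 10.0.0.5 198.51.100.23:443 POST 200
2023-07-03T12:04:40 10.0.0.5 198.51.100.23:443 POST 200
2023-07-03T12:06:00 10.0.0.5 198.51.100.23:443 POST 200
2023-07-03T12:07:35 10.0.0.5 198.51.100.23:443 POST 200
2023-07-03T12:09:00 10.0.0.7 203.0.113.10:443 GET 200
2023-07-03T12:09:01 10.0.0.7 203.0.113.10:443 GET 200
"""


def parse_proxy_line(line):
    """Return (timestamp, src, dst, port) for one constructed log line."""
    ts, src, dst_port, _method, _status = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines, lo=60.0, hi=120.0, min_events=5, max_cv=0.3):
    """Group port-443 connections per (src, dst) and flag flows whose
    inter-connection gaps all fall within [lo, hi] seconds and are regular
    (coefficient of variation <= max_cv).
    Returns {(src, dst): (mean_gap_seconds, connection_count)}."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_proxy_line(line)
        if port == 443:
            flows[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if all(lo <= g <= hi for g in gaps) and pstdev(gaps) / avg <= max_cv:
            beacons[key] = (round(avg, 1), len(stamps))
    return beacons


if __name__ == "__main__":
    for (src, dst), (avg, n) in find_beacons(SAMPLE_PROXY_LOG.splitlines()).items():
        print(f"possible beacon: {src} -> {dst}:443, {n} connections, mean gap {avg}s")
```

The coefficient-of-variation threshold of 0.3 is deliberately loose: a beacon that picks a random delay uniformly from 60–120 seconds still has a ratio of about 0.19, whereas interactive browsing produces gaps that are either far shorter or far longer than the window and fails the range test first.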

📜 History & Notable Incidents

The first known campaign, tracked by the Computer Security Incident Response Team (CSIRT) in Europe, targeted energy and manufacturing firms between June and August 2023, delivering SnakeKeylogger and eventually LockBit ransomware in later stages. No specific CVEs are associated with the dropper itself as it exploits no vulnerabilities beyond user execution (T1204). Law enforcement has not yet taken public action against the operators, who are believed to be a financially motivated group operating from Eastern Europe.

🔍 Detection Indicators

Known file hashes include MD5: 3f7c8d9e2a1b0c4d5e6f7890abcdef12 (from Unit 42’s IoC list) and SHA‑256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral signatures include creation of scheduled tasks named “ImageUpdater” and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network IOCs include connections to IP ranges 198.51.100.0/24 on port 443 with User‑Agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”. Mutex names such as “GooPicMutex” have been observed.
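Two of the indicators above need care before they drive an alert: the SHA‑256 value is the well‑known digest of zero‑byte input, so it matches every empty file, and 198.51.100.0/24 is RFC 5737 documentation address space. The Python below is an added example, not code from the page or from any vendor, showing how the listed indicators can be matched against EDR‑style events while treating the empty‑file hash as noise. The event format (`key=value` records with the field names `event`, `task_name`, `key`, `name`, `dst`, `port`, `user_agent`, `sha256`) and the sample records are constructed for the example.

```python
import hashlib
import ipaddress
import re

# Indicators as quoted on this page.
IOC_TASK_NAME = "ImageUpdater"
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_MUTEX = "GooPicMutex"
IOC_C2_NET = ipaddress.ip_network("198.51.100.0/24")   # RFC 5737 documentation range
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
IOC_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
# Hashes that match trivially (here: the digest of an empty file) are excluded.
NOISE_HASHES = {hashlib.sha256(b"").hexdigest()}

# Constructed EDR-style events (not real telemetry), one key=value record per line.
SAMPLE_EVENTS = r"""
ts=2023-07-03T09:14:02Z host=WS-014 event=task_create task_name="ImageUpdater"
ts=2023-07-03T09:14:03Z host=WS-014 event=reg_write key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value_name="ImageUpdater"
ts=2023-07-03T09:14:05Z host=WS-014 event=mutex_create name="GooPicMutex"
ts=2023-07-03T09:14:09Z host=WS-014 event=net_connect dst=198.51.100.23 port=443 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
ts=2023-07-03T09:20:11Z host=WS-022 event=file_hash sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path="C:\temp\empty.txt"
ts=2023-07-03T09:20:15Z host=WS-022 event=net_connect dst=203.0.113.5 port=443 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_indicators(ev):
    """Return the names of the page's indicators that this event matches."""
    hits = []
    kind = ev.get("event")
    if kind == "task_create" and ev.get("task_name") == IOC_TASK_NAME:
        hits.append("scheduled_task")
    elif kind == "reg_write" and ev.get("key", "").lower() == IOC_RUN_KEY.lower():
        hits.append("run_key")
    elif kind == "mutex_create" and ev.get("name") == IOC_MUTEX:
        hits.append("mutex")
    elif kind == "net_connect":
        try:
            dst = ipaddress.ip_address(ev.get("dst", ""))
        except ValueError:
            dst = None
        if dst is not None and dst in IOC_C2_NET and ev.get("port") == "443":
            hits.append("c2_range")
        # Exact match only: real browsers send a longer string that merely starts
        # with this prefix, so a bare prefix is the tell, not the substring.
        if ev.get("user_agent") == IOC_USER_AGENT:
            hits.append("c2_user_agent")
    elif kind == "file_hash" and ev.get("sha256", "").lower() in (IOC_SHA256 - NOISE_HASHES):
        hits.append("file_hash")
    return hits


def scan(lines):
    """Aggregate matched indicators per host: {host: sorted indicator names}."""
    per_host = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for hit in match_indicators(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS.splitlines()).items():
        print(host, ", ".join(hits))
```

WS-014 matches four independent indicator types and is worth an analyst's time; WS-022 produces nothing, because its only hash hit is the empty-file digest and its browser sends the full User-Agent string rather than the truncated one quoted above.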

☠️ Risk & Impact

The malware enables data exfiltration by downloading information stealers that capture credentials, browser cookies, and system information, leading to lateral movement. Financial losses from downstream ransomware deployment have been estimated at over $10 million across affected sectors, primarily energy and healthcare. The dropper also disables Windows Defender via registry key manipulation, increasing the likelihood of full compromise.

🛡️ Mitigation

Defenders should implement email filtering that quarantines image attachments from unknown senders and deploy Sigma rule ID: 9b2f8c3a to detect process hollowing. Application whitelisting and endpoint detection rules (e.g., YARA rule “GooPic_Stego”) can block the dropper; no vulnerability patches are applicable as the malware relies on user execution.
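The page does not say how the payload is embedded in the image files, so the attachment filter it recommends cannot rely on one signature. A structural check that catches one common pattern (a blob appended after the PNG `IEND` chunk or the JPEG `EOI` marker, or a chunk whose CRC no longer matches) is shown below as an added example; it is not the page's or any vendor's code, the "appended after the terminator" assumption is the author's own, and pixel-level (LSB) embedding is out of its reach. The sample PNG and JPEG bytes are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data):
    """Walk PNG chunks (checking each CRC) up to IEND and return the number of
    bytes that follow it; -1 if the file is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return -1
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return -1
        pos = end
        if ctype == b"IEND":
            return len(data) - pos
    return -1


def jpeg_trailing_bytes(data):
    """Walk JPEG marker segments, skip entropy-coded scan data (byte-stuffed
    FF00 and RSTn markers), locate EOI and return the number of bytes after
    it; -1 if malformed."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                return -1                        # bytes outside any segment
            pos += 1
            continue
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte
            pos += 1
        elif marker in (0x00, 0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # stuffed byte or standalone marker
        elif marker == 0xD9:                     # EOI
            return len(data) - (pos + 2)
        else:                                    # segment with a 2-byte length
            if pos + 4 > len(data):
                return -1
            (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + seglen
            in_scan = marker == 0xDA             # SOS: entropy-coded data follows
    return -1


def classify(data):
    """Return ('png' | 'jpeg' | 'unknown', trailing byte count or -1)."""
    if data.startswith(PNG_SIG):
        return "png", png_trailing_bytes(data)
    if data.startswith(b"\xff\xd8"):
        return "jpeg", jpeg_trailing_bytes(data)
    return "unknown", -1


def _png_chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


# Constructed samples: a 1x1 grayscale PNG, a minimal JPEG shell
# (SOI, empty SOS header, two entropy bytes, EOI) and a stand-in blob.
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
CLEAN_JPEG = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9"
APPENDED_BLOB = b"CONSTRUCTED-PAYLOAD-PLACEHOLDER"   # not a real payload

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("stego.png", CLEAN_PNG + APPENDED_BLOB),
                       ("clean.jpg", CLEAN_JPEG), ("stego.jpg", CLEAN_JPEG + APPENDED_BLOB)]:
        print(name, classify(blob))
```

A non-zero trailing count is a reason to quarantine the attachment for inspection rather than proof of malice (some cameras and editors leave harmless data after the terminator), and a -1 result on a file that claims to be an image is itself worth flagging.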


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.