A recent wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player.
Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords.
Like other malware of its kind, Gootkit is capable of stealing data from the browser, performing adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions.
Trend Micro's new findings reveal that the keywords "hospital," "health," "medical," and "enterprise agreement" have been paired with various city names in Australia, marking the malware's expansion beyond accounting and law firms.
The starting point of the cyber assault is to direct users searching for the same keywords to an infected WordPress blog that tricks them into downloading malware-laced ZIP files.
"Upon accessing the site, the user is presented with a screen that has been made to look like a legitimate forum," Trend Micro researchers said. "Users are led to access the link so that the malicious ZIP file can be downloaded."
The execution chain subsequently leads to a PowerShell script that's designed to retrieve files from a remote server for post-exploitation activity, which commences only after a waiting period that ranges from a couple of hours to as long as two days.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
"This latency, which clearly separates the initial infection stage from the second stage, is a distinctive feature of Gootkit loader's operation," the researchers said.
Once the wait time elapses, two additional payloads are dropped – msdtc.exe and libvlc.dll – the former of which is a legitimate VLC Media Player binary that's used to load the Cobalt Strike DLL component, followed by downloading more tools to facilitate discovery.
"The malicious actors behind [Gootkit] are actively implementing their campaign," the researchers said. "The threats targeting specific job sectors, industries, and geographic areas are becoming more aggressive."