Ankura CTIX FLASH Update - January 2023 - 3 | Ankura - JDSupra - JD Supra


Malware Activity


New SEO Poisoning Campaign Utilizing "Gootkit" Malware Loader Targets the Australian Healthcare Sector


The operators of the "Gootkit" malware loader (also known as "Gootloader") have started a new search engine optimization (SEO) poisoning campaign targeting Australian healthcare organizations. The campaign abuses a legitimate copy of VLC Media Player to deploy the post-exploitation toolkit Cobalt Strike on compromised machines and establish initial access into corporate networks. Trend Micro researchers report that the campaign began in October 2022 and ranked highly in Google search results for medical-related keywords, including "enterprise agreement", "hospital", "medical", and "health", when combined with Australian city names. The websites used in Gootkit campaigns are typically compromised sites with injected JavaScript that displays a fraudulent Q&A forum containing links to the malware. In this latest campaign the threat actors are using "a direct download link for what is supposedly a healthcare-related agreement document template inside a ZIP archive."

Once the victim opens the archive and launches the JavaScript file inside it, the Gootkit loader is downloaded to the machine. The loader then downloads two files: an executable that is a legitimate, signed copy of VLC Media Player disguised as the Microsoft Distributed Transaction Coordinator (MSDTC) service, and a dynamic-link library (DLL) embedding a Cobalt Strike module. When the executable is launched, it side-loads the malicious DLL, which leads to a PowerShell script initiating the final stages of the execution chain and allowing the actors to "perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware." It should be noted that the PowerShell script retrieves data only after a waiting period of a few hours to roughly two (2) days, which is " ..
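The execution chain above rests on two observable facts: a signed binary is running under a file name that is not its own (VLC posing as MSDTC), and that binary loads an unsigned DLL from the directory it was dropped in. The following is an added detection example, not code from Ankura, Trend Micro or the Gootkit reporting. It runs over a handful of constructed, simplified Sysmon-style records (EventID 1 process create, EventID 7 image load); the paths, PIDs and the DLL name `helper.dll` are made up for illustration, and only the Sysmon fields the logic needs are included.

```python
"""Flag renamed signed binaries that side-load an unsigned DLL from their own directory.

Added example. SAMPLE_EVENTS are constructed, simplified Sysmon-style records
(EventID 1 = process create, EventID 7 = image load); they are not real telemetry.
"""
from __future__ import annotations

import ntpath  # Windows path handling that also works when run on Linux/macOS

# Constructed sample telemetry. PID 4120 is the real MSDTC service; PID 5288 is a
# signed VLC binary renamed to msdtc.exe in a user-writable directory (hypothetical paths).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\msdtc.exe",
     "OriginalFileName": "MSDTC.EXE", "Company": "Microsoft Corporation", "Signed": "true"},
    {"EventID": 1, "ProcessId": 5288, "Image": r"C:\Users\jdoe\AppData\Local\Temp\msdtc.exe",
     "OriginalFileName": "vlc.exe", "Company": "VideoLAN", "Signed": "true"},
    {"EventID": 7, "ProcessId": 5288, "Image": r"C:\Users\jdoe\AppData\Local\Temp\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 5288, "Image": r"C:\Users\jdoe\AppData\Local\Temp\msdtc.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\msdtcprx.dll", "Signed": "true"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def renamed_binaries(events: list[dict]) -> dict[int, str]:
    """Return {pid: image} for process-create events whose on-disk name differs
    from the OriginalFileName stored in the PE version resource."""
    renamed: dict[int, str] = {}
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        original = ev.get("OriginalFileName", "")
        if original and _basename(ev["Image"]) != original.lower():
            renamed[ev["ProcessId"]] = ev["Image"]
    return renamed


def sideloads(events: list[dict], renamed: dict[int, str]) -> list[tuple[int, str, str]]:
    """Return (pid, process image, loaded DLL) for every unsigned DLL that a
    renamed process loaded from the same directory the process lives in."""
    hits: list[tuple[int, str, str]] = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        pid = ev["ProcessId"]
        if pid not in renamed:
            continue
        loaded = ev["ImageLoaded"]
        # A DLL beside the renamed binary, not from a system directory, is the side-load candidate.
        if _dirname(loaded) != _dirname(renamed[pid]):
            continue
        if ev.get("Signed", "").lower() == "true":
            continue
        hits.append((pid, renamed[pid], loaded))
    return hits


def detect(events: list[dict]) -> list[tuple[int, str, str]]:
    """Full pipeline: find renamed signed binaries, then the DLLs they side-load."""
    return sideloads(events, renamed_binaries(events))


if __name__ == "__main__":
    for pid, image, dll in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {image} side-loaded unsigned {dll}")
```

On the sample data only PID 5288 is reported: the genuine MSDTC in System32 has a matching OriginalFileName and loads a signed DLL, so it passes both checks. OriginalFileName comes from the PE version resource, which an attacker could edit, but doing so invalidates the Authenticode signature, which is why the name-mismatch check is paired with the `Signed` field rather than used alone.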
