A recent wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player.
Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords.
Like other malware of its kind, Gootkit is capable of stealing data from the browser, performing adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions.
Trend Micro’s new findings reveal that the keywords “hospital,” “health,” “medical,” and “enterprise agreement” have been paired with various city names in Australia, marking the malware’s expansion beyond accounting and law firms.
The starting point of the cyber assault is to direct users searching for the same keywords to an infected WordPress blog that tricks them into downloading malware-laced ZIP files.
“Upon accessing the site, the user is presented with a screen that has been made to look like a legitimate forum,” Trend Micro researchers said. “Users are led to access the link so that the malicious ZIP file can be downloaded.”
What’s more, the JavaScript code that’s used to pull off this trickery is injected into a valid JavaScript file at random sections on the breached website.
The downloaded ZIP archive, for its part, also contains a JavaScript file that, upon execution, not only employs obfuscation to evade analysis, but is further used to establish persistence on the machine by means of a scheduled task.
The execution chain subsequently leads to a PowerShell script that’s designed to retrieve files from a remote server for post-exploitation activity, which commences only after a waiting period that ranges from a couple of hours to as long as two days.
“This latency, which clearly separates the initial infection stage from the second stage, is a distinctive feature of Gootkit loader’s operation,” the researchers said.
Once the wait time elapses, two additional payloads are dropped – msdtc.exe and libvlc.dll – the former of which is a legitimate VLC Media Player binary that’s used to load the Cobalt Strike DLL component, followed by downloading more tools to facilitate discovery.
“The malicious actors behind [Gootkit] are actively implementing their campaign,” the researchers said. “The threats targeting specific job sectors, industries, and geographic areas are becoming more aggressive.”