A wave of Gootkit malware loader attacks is targeting the Australian healthcare sector with the help of legitimate tools such as VLC Media Player.
Gootkit, also known as Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdex) for initial access. It usually works by compromising and exploiting legitimate infrastructure and seeding those sites with common keywords.
Like other malware of its kind, Gootkit can steal data from browsers and perform adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions.
New findings from Trend Micro reveal that the keywords “hospital,” “health,” “medical care,” and “corporate contract” are combined with various city names in Australia, suggesting that the malware is targeting accounting firms and It shows that we are expanding beyond the law firm.
The attack starts by luring users searching for the same keyword to an infected WordPress blog to download a malware-laden ZIP file.
“When visiting the site, users are presented with a screen disguised as a legitimate forum,” said Trend Micro researchers. “Users are enticed to visit a link so that they can download a malicious ZIP file.”
Additionally, the JavaScript code used to carry out this ruse is injected into valid JavaScript files in random sections of the compromised website.
The downloaded ZIP archive not only uses obfuscation to avoid analysis at runtime, but also contains JavaScript files that are further used by scheduled tasks to establish persistence on the machine. increase.
The execution chain then leads to a PowerShell script designed to retrieve files from remote servers and perform post-exploitation activities. The script only starts after a few hours to his two day waiting period.
“This latency, which clearly distinguishes between the initial and secondary stages of infection, is a distinguishing feature of Gootkit loader behavior,” said the researchers.
After the wait time, two additional payloads are dropped: msdtc.exe and libvlc.dll. The former is a legitimate VLC Media Player binary used to load the Cobalt Strike DLL component, which then downloads more tools to facilitate detection.
“Malicious actors behind [Gootkit] “Threats targeting specific occupations, industries and geographies are becoming more aggressive,” said the researchers.