Australian Healthcare Segment Targeted in Latest Gootkit Malware Attacks

January 23, 2023: Gootkit malware loader attacks have targeted the Australian healthcare sector, leveraging legitimate tools such as VLC Media Player.

Gootloader, also known as Gootkit, uses a search engine optimization (SEO) poisoning strategy (spamdexing) for initial access. It typically works by compromising legitimate infrastructure and seeding those sites with common keywords.

Like other malware, Gootkit can steal data from the browser, carry out adversary-in-the-browser (AitB) attacks, log keystrokes, capture screenshots, and perform other malicious actions.

Trend Micro's new findings show that the keywords "medical," "hospital," "health," and "enterprise agreement" have been paired with various Australian city names, marking the malware's expansion beyond accounting and law firms.

The attack begins by directing users who search for those keywords to a compromised WordPress blog that tricks them into downloading malware-laced ZIP files.

"Upon examining the site, the user is presented with a screen that has been created to look like a legitimate forum," Trend Micro researchers stated. "Users are led to enter the link so that the virus-infected ZIP file can be downloaded."

Notably, the JavaScript code used to pull off this deception is injected into a legitimate JavaScript file at random locations on the compromised website.

The downloaded ZIP archive, for its part, contains a JavaScript file that, upon execution, uses obfuscation to evade analysis and establishes persistence on the machine by means of a scheduled task.

The execution chain then leads to a PowerShell script designed to retrieve files from a remote server for post-exploitation activity, which begins only after a waiting period that ranges from a couple of hours to as long as two days.

“This deferral, which clearly separates the initial infection stage from the second phase, is a distinctive feature of Gootkit loader’s operation,” the researchers stated.

Once the wait time passes, two additional payloads are dropped, msdtc.exe and libvlc.dll, the former of which is a legitimate VLC Media Player binary used to load the Cobalt Strike DLL component, followed by the download of further tools to facilitate discovery.
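One defender-side check for the sideloading stage described above, added here as an example and not code from the article or from Trend Micro: it runs over constructed Sysmon-style event records (the field names and sample paths are assumptions) and flags an msdtc.exe that runs outside a Windows system directory, is not Microsoft-signed, or loads libvlc.dll, as well as a script host launching a .js file from a user profile.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style records (sample data, not from the article):
# EID 1 = process create, EID 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msdtc.exe", "signer": "Microsoft Windows"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\msdtc.exe", "signer": "VideoLAN"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\libvlc.dll"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\agreement.js"'},
]

SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
USER_JS = re.compile(r'\\users\\[^\\]+\\.*\.js\b', re.IGNORECASE)

def _norm(path):
    """Lower-cased, forward-slash form so prefix checks are case-insensitive."""
    return PureWindowsPath(path).as_posix().lower()

def check_event(ev):
    """Return the findings for one event; an empty list means nothing suspicious."""
    findings = []
    image = _norm(ev["image"])
    name = image.rsplit("/", 1)[-1]
    if name == "msdtc.exe":
        # The genuine MSDTC lives under System32 and carries a Microsoft signature;
        # a copy elsewhere, or one signed by another vendor, is the renamed VLC binary.
        if not image.startswith(SYSTEM_DIRS):
            findings.append("msdtc.exe running outside a Windows system directory")
        if ev["id"] == 1 and not ev.get("signer", "").lower().startswith("microsoft"):
            findings.append("msdtc.exe not signed by Microsoft")
        if ev["id"] == 7 and _norm(ev["loaded"]).endswith("/libvlc.dll"):
            findings.append("msdtc.exe loaded libvlc.dll (sideloaded DLL)")
    if ev["id"] == 1 and name in ("wscript.exe", "cscript.exe"):
        # The loader's first stage is a .js file executed from the user's profile.
        if USER_JS.search(ev.get("cmdline", "")):
            findings.append("script host executing a .js file from a user profile")
    return findings

def scan_events(events):
    """Map the index of each suspicious event to its findings."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}
```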

"The hostile actors behind [Gootkit] are actively implementing their campaign," the researchers said. "The dangers targeting specific job sectors, industries, and geographic regions are becoming more fierce."