2023-01-18

Gootkit Malware Campaign Expands SEO Poisoning To Target Australian Healthcare Sector


Category: Malware Campaign | Industries: Healthcare, Legal | Level: Tactical | Source: Trend Micro

Trend Micro researchers identified that distribution of the Gootkit malware loader through search engine optimization (SEO) poisoning has expanded to target Australian healthcare organizations. As revealed in Trend Micro's analysis, the samples examined "targeted the keywords hospital, health, medical, and enterprise agreement," paired with Australian city names. The names of specific healthcare providers across Australia were also targeted. While it continues to target the legal sector with the keyword "agreement," the Gootkit loader "has recently expanded its assaults to the healthcare industry." Users who follow the poisoned search results land on a compromised WordPress blog that tricks them into downloading a malicious ZIP file.

The infection chain begins with execution of the JavaScript file contained in the ZIP file, which establishes persistence with a scheduled task that invokes a PowerShell script to download additional files. However, there is a waiting period of hours to days before the PowerShell script executes and initiates the second stage of the infection. "This latency, which clearly separates the initial infection stage from the second stage, is a distinctive feature of the Gootkit loader's operation." Once the wait time has elapsed, a DLL file and a VLC Media Player executable renamed 'msdtc.exe' are dropped. The VLC executable is used to sideload the malicious DLL, which is Cobalt Strike. Although the final payload of the attack was not observed, the operators were seen running reconnaissance with BloodHound, executing additional PowerShell scripts, and leaving evidence of credential access.
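The chain above gives a defender four concrete process-level signals: a script host launching a .js straight out of an extracted ZIP, a scheduled task whose action is PowerShell, a binary named msdtc.exe running from somewhere other than System32 (the genuine MSDTC service binary lives in C:\Windows\System32 and is started by services.exe), and BloodHound/SharpHound collection keywords on a command line. The following is an added example written for this summary, not code from Trend Micro or from the Anvilogic use cases listed below. It runs those checks over constructed process-creation events shaped like Sysmon Event ID 1 records; the paths, user name, task name, script name and domain in the sample events are invented for illustration, and the assumption that a renamed VLC binary carries OriginalFileName "vlc.exe" is the author's, not something the report states.

```python
"""Detection checks for the Gootkit loader chain, run over constructed events.

Added example: field names follow Sysmon Event ID 1 (Image, CommandLine,
ParentImage, OriginalFileName); the events themselves are invented.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). Paths and names are made up.
SAMPLE_EVENTS = [
    {   # stage 1: wscript.exe runs the .js directly from the extracted ZIP
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                       r'"C:\Users\jdoe\AppData\Local\Temp\Temp1_agreement.zip\agreement.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "wscript.exe",
    },
    {   # persistence: scheduled task whose action is a PowerShell script
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn "Updater" /sc onlogon '
                       r'/tr "powershell -w hidden -ep bypass -f C:\Users\jdoe\AppData\Roaming\update.ps1"',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "schtasks.exe",
    },
    {   # stage 2: renamed VLC binary (assumed OriginalFileName vlc.exe) in a user profile
        "Image": r"C:\Users\jdoe\AppData\Roaming\msdtc.exe",
        "CommandLine": r"C:\Users\jdoe\AppData\Roaming\msdtc.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "vlc.exe",
    },
    {   # post-exploitation: BloodHound collection launched from the sideloaded process
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c Invoke-BloodHound -CollectionMethod All -Domain corp.local",
        "ParentImage": r"C:\Users\jdoe\AppData\Roaming\msdtc.exe",
        "OriginalFileName": "PowerShell.EXE",
    },
    {   # benign control: the real MSDTC service binary started by services.exe
        "Image": r"C:\Windows\System32\msdtc.exe",
        "CommandLine": r"C:\Windows\System32\msdtc.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "OriginalFileName": "msdtc.exe",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM32 = r"c:\windows\system32"
# Explorer extracts archives to %TEMP%\Temp1_<name>.zip\, so a .js path that
# still contains ".zip\" means the script was run straight from the archive.
SCRIPT_FROM_ARCHIVE = re.compile(r"\.zip\\.*\.js", re.IGNORECASE)
SHARPHOUND_KEYWORDS = re.compile(r"invoke-bloodhound|sharphound|-collectionmethod", re.IGNORECASE)


def detect(events):
    """Return one finding dict per rule hit, in event order."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev.get("Image", ""))
        name = image.name.lower()
        image_dir = str(image.parent).lower()
        cmd = ev.get("CommandLine", "")
        orig = ev.get("OriginalFileName", "").lower()

        # 1. Compressed file execution: script host fed a .js inside an extracted ZIP.
        if name in SCRIPT_HOSTS and SCRIPT_FROM_ARCHIVE.search(cmd):
            findings.append({"rule": "script_host_from_archive", "image": ev["Image"]})

        # 2. Persistence: schtasks /create with a PowerShell action.
        lowered = cmd.lower()
        if name == "schtasks.exe" and "/create" in lowered and "powershell" in lowered:
            findings.append({"rule": "schtasks_powershell_persistence", "image": ev["Image"]})

        # 3. Masquerading: msdtc.exe outside System32, or whose version info
        #    says it is really something else (assumed vlc.exe for renamed VLC).
        if name == "msdtc.exe" and (image_dir != SYSTEM32 or orig != "msdtc.exe"):
            findings.append({"rule": "masquerading_msdtc", "image": ev["Image"]})

        # 4. SharpHound / BloodHound collection keywords on any command line.
        if SHARPHOUND_KEYWORDS.search(cmd):
            findings.append({"rule": "sharphound_keywords", "image": ev["Image"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['image']}")
```

The masquerading check is the one worth tuning first: on a real fleet, msdtc.exe under System32 with a Microsoft OriginalFileName is routine, so the rule only fires on the path or version-info mismatch, and the benign control event above produces no finding. The hours-to-days gap between stage one and stage two noted in the report means the first two rules and the last two will rarely land in the same hunting window, so correlate them on host and user rather than on time alone.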

Anvilogic Scenario:

  • Malicious File Delivering Malware

Anvilogic Use Cases:

  • Compressed File Execution
  • Rare Remote Thread
  • SharpHound Keywords
