The Gootkit malware loader, known for its SEO poisoning techniques, has been observed targeting the Australian healthcare sector. The attackers involved also leveraged the genuine VLC Media Player tool in their recent campaign.
SEO poisoning for initial access
According to Trend Micro, the attack attempts to redirect users searching for specific keywords around the healthcare domain to an infected WordPress blog.
The blog is optimized for keywords ‘hospital’, ‘health’, ‘medical’, and ‘enterprise agreement’, and paired with different city names in Australia.
When users visit the blog, they are presented with a lookalike of some legitimate forum and fooled into downloading malware-laced ZIP files.
The downloaded ZIP archive includes a JavaScript file that employs obfuscation to avoid analysis and other post-exploitation tasks.
Introducing VLC Media Player
The execution chain further leads to a PowerShell that retrieves files from a remote server for post-exploitation. Further, it creates a scheduled task used to establish persistence in the system.
The scheduled task starts only after a waiting period, that ranges from a couple of hours to two days. This waiting period separates the initial infection stage from the second stage, which is a unique aspect of Gootkit’s operation.
Once the wait time is over, two additional payloads (msdtc[.]exe and libvlc[.]dll) are dropped.
The former is a genuine VLC Media Player binary used to load the second payload, a Cobalt Strike DLL component, via DLL sideloading.
Subsequently, several additional tools, including BloodHound, are downloaded to enable the discovery phase of the attack.
Conclusion
Several attackers are increasingly using legitimate tools and tainted DLL files to evade detection. Security teams in the healthcare sector of Australia must deploy/configure their security solutions to mitigate such threats while also implementing best security practices such as the use of secure loading of libraries.