Cybercrime as-a-service , Fraud Management & Cybercrime , Ransomware

Gootkit Malware Found Targeting Australian Healthcare Sector

Access-as-a-Service Operators Use SEO Poisoning to Find Victims
Gootkit Malware Found Targeting Australian Healthcare Sector
Image: Shutterstock

The criminal gang behind Gootkit malware resurfaced through a campaign aimed at the Australian healthcare industry.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Some version of Gootkit has existed since 2014, when researchers first spotted it functioning as a banking Trojan. More recently, its operators appear to offer access as a service, with the unusual characteristic of geographically targeted infection campaigns. In 2019, a security researcher found two publicly accessible MongoDB instances that appeared to be part of the Gootkit network, leading many to assume the malware was finished - an assumption demolished with a reported campaign in 2020 targeting German victims for infection with REvil ransomware.

Researchers at Trend Micro now say they spotted Gootkit operators using malicious search engine optimization techniques to lure in new victims searching Google for terms such as hospital, health, medical and enterprise agreement - paired with Australian city names.

During the second half of 2022, Australia experienced a wave of data breaches, including a ransomware attack at the hands of Russian hackers against the country's largest private health insurer (see: Australia Blames Russian Hackers for Medibank Hack).

Trend Micro doesn't assert the Gootkit campaign is behind the Medibank hack but says that the "recent campaign might remind us of this incident."

The campaign worked by boosting the search engine result page position of malicious websites through SEO poisoning and bringing potential victims to websites dressed up as legitimate forums, complete with bogus questions and responses. Gootkit operators wanted victims to download a zip file by clicking on a link purporting to offer a model contract for a midwife. Gootkit in this campaign particularly liked the search term "agreement," the Trend Micro researchers write.

The zip file, of course, contained malicious JavaScript, but Gootkit again offered a distinctive twist to the usual hacking script by waiting several hours, if not days, until carrying out the second stage of infection. That latency "clearly separates the initial infection stage from the second stage."

The second stage involved downloading a file from the command-and-control server that impersonates the VLC Media Player, a well-known open source media player that users have downloaded more than 3 billion times. The false VLC Media Player executable file loads a module related to Cobalt Strike that establishes persistence.

Both VLC Media Player and Cobalt Strike are legitimate applications, but as Trend Micro says, the "abuse of legitimate tools has become a common practice."

Researchers say they don't know what the intended final payload was, since they interrupted the infection chain before its completion. When hackers use Cobalt Strike, it is very often a precursor to ransomware.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.