Gootkit malware attack: Australian health care targeted

Gootkit, also known as Gootloader, can use search engine optimisation (SEO) spamming tactics when it is first used. It usually works by altering and abusing legitimate infrastructure and using these sites with common keywords.

Like other malware, Gootkit can steal data from the browser, perform AitB attacks, record keystrokes, take screenshots, and other malicious actions.

A recent wave of Gootkit malware download attacks targeted the Australian healthcare sector using legitimate tools such as VLC Media Player. The Australian Cyber ​​Security Center (ACSC) said it would review the results and contact relevant organisations if it found them at risk.

Results show that the keywords "hospital," "health," "medical," and "corporate contract" are associated with the names of several Australian cities, suggesting the spread of malware outside accounting and law firms.

Abuse of VLC Media Player

VLC Media Player, a widely used legitimate tool, is another critical feature of this attack. VLC Media Player is one of the most popular programs, with over 3.5 billion downloads for Windows alone. Similar abuses by APT10 have been reported in the past. The malware actors uploaded the following malicious DLL to the website to abuse and manipulate VLC Media Player as part of Cobalt Strike.

Gootkit Malware Attacks

The cyberattack aims to direct users searching for such keywords to an infected WordPress blog, tricking them into downloading zip files containing malware.

After leaving the site, the user is shown a screen that looks like a legitimate forum. Users are immediately directed to use the link to download a malicious ZIP file.

The JavaScript code used to perform this attack is inserted into a valid JavaScript file at random parts of the compromised website. The downloaded ZIP archive also contains a JavaScript file that, when executed, not only uses unclear terms to avoid analysis but is also used to determine machine persistence through a scheduled task.

The execution thread then leads to a PowerShell script designed to retrieve files from a remote server for a post-exploit operation, which starts only after waiting a few hours to two days.

This trend which separates the initial infection phase from the second phase, is a characteristic feature of the operation of the Gootkit loader.

After waiting, two more payloads are removed " msdtc.exe and libvlc.dll." The first payload is the legitimate VLC Media Player binary used to load the Cobalt Strike DLL component, followed by additional tools for discovery.

The malicious persons behind Gootkit are actively implementing their campaigns as threats against certain occupations, industries, and geographic areas are increasingly aggressive.

In conclusion, because technical solutions are updated as new attack methods are discovered, it is recommended that security teams tune their security solutions and follow industry best practices. In addition, if there is a gap between trend tactics and technical solutions due to time, human observation and decisions of the Security Team may be required.