Gootkit Malware Found Targeting Australian Healthcare Sector
Access-as-a-Service Operators Use SEO Poisoning to Find Victims
The criminal gang behind Gootkit malware resurfaced through a campaign aimed at the Australian healthcare industry.
Some version of Gootkit has existed since 2014, when researchers first spotted it functioning as a banking Trojan. More recently, its operators appear to offer access as a service, with the unusual characteristic of geographically targeted infection campaigns. In 2019, a security researcher found two publicly accessible MongoDB instances that appeared to be part of the Gootkit network, leading many to assume the malware was finished - an assumption demolished by a reported campaign in 2020 targeting German victims for infection with REvil ransomware.
Researchers at Trend Micro now say they spotted Gootkit operators using malicious search engine optimization techniques to lure in new victims searching Google for terms such as hospital, health, medical and enterprise agreement - paired with Australian city names.
During the second half of 2022, Australia experienced a wave of data breaches, including a ransomware attack at the hands of Russian hackers against the country's largest private health insurer (see: Australia Blames Russian Hackers for Medibank Hack).
Trend Micro doesn't assert the Gootkit campaign is behind the Medibank hack but says that the "recent campaign might remind us of this incident."
The campaign worked by boosting the search engine result page position of malicious websites through SEO poisoning and bringing potential victims to websites dressed up as legitimate forums, complete with bogus questions and responses. Gootkit operators wanted victims to download a zip file by clicking on a link purporting to offer a model contract for a midwife. The campaign leaned particularly on the search term "agreement," the Trend Micro researchers write.
The second stage involved downloading a file from the command-and-control server that impersonates VLC Media Player, a well-known open source media player that users have downloaded more than 3 billion times. The false VLC Media Player executable loads a module related to Cobalt Strike that establishes persistence.
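The lure stage described above leaves a recognizable trace in web proxy logs: a client searches for the poisoned terms, lands on a forum-looking page, and within minutes downloads a zip archive from it. The script below is an added example, not code from the article or from Trend Micro, that triages a proxy log for that sequence. The log format, host names and timestamps are constructed for the example; the lure terms are the ones the article reports, and the set of search-engine hosts is an assumption you would replace with the ones seen in your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (not from the article). Space-separated fields:
# timestamp client_ip method url status referer ("-" when absent)
SAMPLE_LOG = """\
2022-12-01T09:14:02Z 10.0.0.7 GET https://search.example/search?q=hospital+enterprise+agreement+sydney 200 -
2022-12-01T09:14:09Z 10.0.0.7 GET https://forum-lookalike.example/thread/midwife-contract-template 200 https://search.example/search?q=hospital+enterprise+agreement+sydney
2022-12-01T09:14:15Z 10.0.0.7 GET https://forum-lookalike.example/download/agreement_template.zip 200 https://forum-lookalike.example/thread/midwife-contract-template
2022-12-01T09:20:41Z 10.0.0.9 GET https://intranet.example/policies/leave-agreement.pdf 200 https://intranet.example/
2022-12-01T09:31:05Z 10.0.0.11 GET https://search.example/search?q=quarterly+report+template 200 -
2022-12-01T09:31:40Z 10.0.0.11 GET https://templates.example/files/report.zip 200 https://templates.example/
"""

# Search terms the article says the campaign poisoned (multi-word term first so it is reported as such).
LURE_TERMS = ("hospital", "health", "medical", "enterprise agreement", "agreement")
# Hosts treated as search engines: an assumption for this example, adjust to your environment.
SEARCH_HOSTS = {"search.example", "www.google.com", "www.bing.com"}
ARCHIVE_EXT = (".zip",)
WINDOW = timedelta(minutes=10)  # how long after a lure search a download is still linked to it


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, ip, method, url, status, referer = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "url": url,
        "status": int(status),
        "referer": None if referer == "-" else referer,
    }


def search_query(url):
    """Return the query text if url is a search-engine results request, else None."""
    u = urlparse(url)
    if u.hostname not in SEARCH_HOSTS:
        return None
    q = parse_qs(u.query).get("q")
    return q[0] if q else None


def lure_terms_in(query):
    """List the campaign lure terms that appear in a search query (case-insensitive)."""
    q = query.lower()
    return [t for t in LURE_TERMS if t in q]


def find_lure_downloads(log_text):
    """Flag archive downloads that follow, within WINDOW, a lure-term search by the same client."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    recent_searches = defaultdict(list)  # client ip -> [(timestamp, query)]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = search_query(ev["url"])
        if q:
            recent_searches[ev["ip"]].append((ev["ts"], q))
            continue
        if not urlparse(ev["url"]).path.lower().endswith(ARCHIVE_EXT):
            continue
        # Walk back through this client's searches, newest first, until the window expires.
        for ts, query in reversed(recent_searches[ev["ip"]]):
            if ev["ts"] - ts > WINDOW:
                break
            terms = lure_terms_in(query)
            if terms:
                hits.append({"ip": ev["ip"], "archive": ev["url"], "query": query,
                             "terms": terms, "via": ev["referer"]})
                break
    return hits


if __name__ == "__main__":
    for hit in find_lure_downloads(SAMPLE_LOG):
        print(f"{hit['ip']} searched {hit['query']!r} ({', '.join(hit['terms'])}) "
              f"then fetched {hit['archive']} via {hit['via']}")
```

Only the first client is reported: the PDF download on the second client is not an archive, and the third client's zip download follows a search with none of the lure terms. A query appears in the log only where the proxy sees the search request itself; search-engine referrers usually carry no query text, which is why the script keys on the client's own search request rather than on the referer header.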
Both VLC Media Player and Cobalt Strike are legitimate applications, but as Trend Micro says, the "abuse of legitimate tools has become a common practice."
Researchers say they don't know what the intended final payload was, since they interrupted the infection chain before its completion. When hackers use Cobalt Strike, it is very often a precursor to ransomware.