The cybercriminal gang behind the Gootkit malware has resurfaced recently in a malicious campaign targeting Australian healthcare organisations.
Researchers first identified Gootkit as a banking Trojan in 2014. According to recent reports, the gang's "operators now seem to provide access as a service, with the odd feature of running infection campaigns specifically targeted at certain geographic areas."
Many people believed the Gootkit malware was defeated in 2019 when a security researcher discovered two publicly accessible MongoDB instances that seemed to be a part of the Gootkit network. However, this belief was disproved in 2020 when reports surfaced of a campaign allegedly targeting German victims for REvil ransomware infection.
Trend Micro researchers report that Gootkit operators are using deceptive SEO strategies (SEO poisoning) to lure new victims who search Google for terms such as "hospital," "health," "medical," and "enterprise agreement" combined with Australian city names.
When a victim clicks through to a site that appears to offer a sample contract for a midwife, the site prompts them to download a zip file.
The zip file contains malicious JavaScript. Gootkit again adds a twist to the standard infection chain, however, by delaying execution of the second stage for several hours or even days; this latency "clearly differentiates the first infectious stage from the second stage."
In the second stage, the malware downloads from a command-and-control server a file posing as VLC Media Player; this file loads a Cobalt Strike-related module that establishes persistence.
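One defensive check that follows from the first stage described above, as an added illustration rather than anything from the article or from Trend Micro: a gateway or triage script can refuse "document" archives that carry script files, the shape of the midwife-contract zip. The sample archive, its member names and the extension list are constructed for this example.

```python
import io
import os
import zipfile

# Extensions that should never legitimately ship inside a "contract" archive
# downloaded from a search result; a .js member is the first Gootkit stage.
# (Constructed list for this example, not from the article.)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk", ".ps1"}


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return the archive members that look like script payloads.

    Checks the final extension and additionally flags double extensions
    such as 'contract.pdf.js', a common way to disguise the real file type.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename).lower()
            root, ext = os.path.splitext(name)
            if ext in SCRIPT_EXTENSIONS:
                reason = "script payload"
                if os.path.splitext(root)[1]:  # a second extension remains, e.g. ".pdf"
                    reason = "double extension hiding a script"
                findings.append(f"{info.filename}: {reason}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a 'midwife contract' zip carrying a .js member
    (the lure shape the campaign used) plus a benign PDF for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("midwife_contract_sample.pdf.js", "// placeholder text, not real code\n")
        zf.writestr("terms.pdf", "%PDF-1.4 placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding)
```

The same check applied at a mail or web proxy gives an early signal well before the delayed second stage reaches out to the command-and-control server.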
Although Trend Micro does not claim that the Gootkit campaign was responsible for the Medibank attack, it notes that the "recent campaign might remind us of this incident."
This campaign is alarming as malicious actors increasingly focus their efforts on the healthcare industry, which is often ill-prepared to defend against such attacks.