Gootkit malware targets Australia’s healthcare sector

January 21, 2023

The Gootkit malware attacks against the Australian healthcare sector have significantly increased recently. Researchers claimed that the malware operators had used legitimate tools like the VLC Media Player to spread their payload.

The Gootkit malware is notorious for using SEO poisoning attacks to gain initial access. It typically compromises legitimate infrastructure and seeds the compromised sites with common search keywords.

Moreover, researchers noted that Gootkit (also known as Gootloader) has standard malware capabilities such as stealing data from browsers, performing AitB attacks, taking screenshots, keylogging, and other malicious activities.

The Gootkit malware operators use common keywords related to healthcare to expand their threat landscape.

An investigation revealed that the Gootkit malware actors use keywords such as health, medical, hospital, and enterprise agreement to expand their attack scope. The first step of the attack redirects users who search for those keywords to an infected WordPress website.

Once users reach the compromised website, the malware operators attempt to deceive them into downloading a malware-laden ZIP archive.

Furthermore, the JavaScript code the actors use to execute the attack is injected at random positions into a legitimate JS file on the compromised website.

The downloaded ZIP file contains a JavaScript file that does not rely on obfuscation to evade security analysis. Nonetheless, the threat actors can use it to establish persistence on the targeted device through a scheduled task.

Executing it leads to a PowerShell script, developed by the actors, that retrieves files from a remote server for post-exploitation activities.

The post-exploitation actions start only after a waiting period of about two hours or two days.

Once that waiting period has elapsed, the malware on the compromised device drops two more payloads. One of them is a legitimate VLC Media Player binary that the actors use to run the Cobalt Strike DLL component.
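As an added illustration, not taken from the article or from the researchers it cites, the following defender-side detection sketch walks constructed process events through the delivery chain described above: JavaScript run straight out of a ZIP, scheduled-task persistence created by the script host, a PowerShell stage, and a legitimate VLC binary executed from a user-writable location. The event field names, file paths and sample records are assumptions constructed for this example.

```python
import re

# Constructed sample telemetry in a simplified EDR-style shape (not real logs).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_agreement.zip\agreement.js"'},
    {"parent": "wscript.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "wscript.exe C:\Users\alice\AppData\Roaming\u.js" /sc onlogon'},
    {"parent": "wscript.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c ..."},  # stage body elided in the sample
    {"parent": "powershell.exe", "image": r"C:\Users\alice\AppData\Roaming\Player\vlc.exe",
     "cmdline": "vlc.exe"},
    {"parent": "explorer.exe", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "cmdline": "vlc.exe song.mp3"},  # benign: installed VLC opened by the user
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = re.compile(r"\\(Users|ProgramData)\\", re.IGNORECASE)
TRUSTED_VLC_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\VideoLAN\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_gootloader_chain(events):
    """Return (rule, event_index) pairs for events matching one stage of the chain."""
    findings = []
    for i, ev in enumerate(events):
        img, parent, cmd = basename(ev["image"]), ev["parent"].lower(), ev["cmdline"]
        # Stage 1: script host running a .js directly out of a ZIP extraction path
        if img in SCRIPT_HOSTS and re.search(r'\.zip\\[^"]*\.js', cmd, re.IGNORECASE):
            findings.append(("js_from_zip", i))
        # Stage 2: persistence, a scheduled task created by the script host
        if img == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
            findings.append(("schtask_from_script", i))
        # Stage 3: PowerShell spawned by the script host (fetches later stages remotely)
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            findings.append(("powershell_from_script", i))
        # Stage 4: legitimate VLC binary running from a user-writable, non-install path
        if img == "vlc.exe" and USER_WRITABLE.search(ev["image"]) and not TRUSTED_VLC_DIR.match(ev["image"]):
            findings.append(("vlc_outside_install_dir", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect_gootloader_chain(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Each rule fires on a single stage, so correlating several of them on one host within the two-hour to two-day window the article mentions is a stronger signal than any one hit.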

Experts claimed that the Gootkit operators are applying the campaign they previously used against financial institutions and law firms to the healthcare sector. The group has aggressively targeted a range of organisations over the past few months.
