Trend Micro detects Gootkit Loader targeting Australian healthcare organizations

Trend Micro reveals that Gootkit Loader (aka Gootloader) has resurfaced in a recent spate of attacks on organizations in the Australian healthcare industry. The firm determined that the malware used SEO (search engine optimization) poisoning for initial access and, to push the infection to the next phase of its routine, abused VLC Media Player, a legitimate product that has also been abused by APT10.

The firm reached out to the Australian Cyber Security Center (ACSC) in early December 2022 and shared its findings. “In response, ACSC said that it would review the findings and communicate with the organizations involved if it found that these had been compromised,” Trend Micro researchers wrote in a company blog post.

In December, the ACSC issued a security alert on the Gootkit Loader that continues to be used on multiple Australian networks. The agency provided technical analysis and indicators of compromise derived from identified Gootkit JavaScript loaders on Australian networks in 2021 and 2022.

The agency noted in its advisory that “malicious JavaScript samples were obfuscated in several stages. Once unpacked, Gootkit malware was retrieved. Open-source reporting indicates that Gootkit JS Loaders are a precursor to several malware families traditionally used for cybercrime, notably, Gootkit, REvil ransomware, Kronos, or CobaltStrike. The JavaScript-based obfuscated loader shares capability with various other JS Downloaders identified in open-source reporting. Users are targeted based on specific ‘search-engine query de-optimisations,’” it added.

The samples examined by Trend Micro targeted the keywords ‘hospital,’ ‘health,’ ‘medical,’ and ‘enterprise agreement,’ coupled with names of Australian cities. In addition, names of specific healthcare providers across Australia were also targeted. While continuously targeting the legal sector with the keyword ‘agreement,’ Gootkit loader has recently expanded its assaults to the healthcare industry.

Citing an example of SEO poisoning aimed at the Australian healthcare industry, the Trend Micro researchers noted that in October 2022, a private health insurance company in Australia reported a cyberattack that resulted in a breach of approximately 9.7 million customers' data.

“Although the recent campaign might remind us of this incident, the technique the malicious actors used in the initial access to the insurance company’s attack was not disclosed in its official website report. As well, there is no evidence to suggest a possible link between the two campaigns, as dummy content for SEO poisoning might have been hosted prior to the attack on the Australian healthcare organizations,” they added.

On the abuse of VLC Media Player, Trend Micro said that the malware authors sideloaded a malicious DLL to abuse VLC Media Player and manipulated it as a part of Cobalt Strike. “Neither were originally installed on the victim’s computer but were introduced by the malicious actor in the infection chain,” it added.

The researchers added that sites that direct users to download malicious files due to SEO poisoning look like legitimate WordPress sites that have been compromised and abused. “Twitter user @GootLoader Sites pointed out that some compromised sites have already been abused for this purpose and that there is an analysis evasion mechanism. We have indeed observed analysis evasion in the samples. The compromised site hosts several pages containing words characteristic of those used for SEO poisoning,” they added.

The post also said that users unwittingly open the URL of a contaminated search result and land on a counterfeit forum page, and that the same URL displays only SEO content when it is accessed again after a while.

Trend Micro said that the second stage of infection takes place after the waiting time. “While waiting, the scheduled task performed approximately two C&C accesses per day, with no additional processes executed after the C&C accesses. We observed the waiting time to be several hours and in some cases, two days. This latency, which clearly separates the initial infection stage from the second stage, is a distinctive feature of Gootkit Loader’s operation.” 

Currently, the second-stage operations observed during the same period are similar to one another, so it does not appear, for now, that multiple threat actors are entering the operation at this second stage, the post added.

Trend Micro also took a closer look at the processes, particularly dllhost[dot]exe and wabmig[dot]exe, and found that they were spawned from the abused VLC Media Player that became the host to malicious code execution through process injection and then became a beacon for Cobalt Strike and its subsequent activities.
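The process-tree pattern described above (a VLC Media Player binary introduced by the attacker, loading a sideloaded DLL and then spawning dllhost.exe or wabmig.exe) can be expressed as a simple detection over endpoint telemetry. This is an added example and not code from the Trend Micro report; the event shape and field names are assumptions in a Sysmon-like style, and the sample events are constructed, not real indicators.

```python
# Added example: flag VLC Media Player abuse as described in the article.
# Event records are constructed in a Sysmon-like shape; field names are assumptions.
from pathlib import PureWindowsPath

# Child processes the article reports being spawned from the abused VLC process
SUSPICIOUS_CHILDREN = {"dllhost.exe", "wabmig.exe"}
# Directories where a legitimately installed VLC (and its DLLs) are expected to live
VLC_INSTALL_DIRS = {
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_install_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in VLC_INSTALL_DIRS


def find_vlc_abuse(events):
    """Return one alert string per suspicious event, in telemetry order."""
    alerts = []
    for ev in events:
        if ev["type"] == "image_load" and _basename(ev["image"]) == "vlc.exe":
            # A VLC binary dropped by the actor will not sit in the install directory
            if not _in_install_dir(ev["image"]):
                alerts.append(f"unexpected location: {ev['image']}")
            # A DLL loaded from outside the install directory is the sideloading signal
            if not _in_install_dir(ev["loaded"]):
                alerts.append(f"sideload: {ev['image']} loaded {ev['loaded']}")
        elif ev["type"] == "process_create":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            if parent == "vlc.exe" and child in SUSPICIOUS_CHILDREN:
                alerts.append(f"child: {ev['parent_image']} spawned {ev['image']}")
    return alerts


# Constructed sample telemetry: one benign VLC load, one dropped copy with a
# sideloaded DLL, one injected-looking child, and one unrelated dllhost.exe.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"type": "image_load", "image": r"C:\Users\Public\vlc.exe",
     "loaded": r"C:\Users\Public\libvlc.dll"},
    {"type": "process_create", "parent_image": r"C:\Users\Public\vlc.exe",
     "image": r"C:\Windows\System32\dllhost.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\dllhost.exe"},
]
```

Running `find_vlc_abuse(SAMPLE_EVENTS)` yields three alerts for the dropped VLC copy and none for the legitimately installed one.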

“The abuse of legitimate tools has become a common practice, likely aiming for effects such as misleading, misunderstanding, and being overlooked as power-consuming from the human perspective, as well as evading detection by antiviruses (both pattern detection and behavior monitoring) from the technical perspective,” the researchers added.

The researchers said that obfuscation is a technique used for evading analysis but also a useful way to help identify malicious actors. “The obfuscation methods used in the samples also show features of Gootkit Loader’s current activities, which will help security teams to detect this threat,” they added.

Addressing credential access, the Trend Micro researchers said that the file krb[dot]txt was created by one of the injected processes that contains Kerberos hashes for several accounts. “Given that we did not see any dumping activity in the process telemetry, the dumping process transpired in the memory; it did not introduce a new tool or an executable file to do the dumping. The final payload is unknown for this case since we detected it and responded to it while it was in the middle of the infection chain,” they added.

Trend Micro recommended that to mitigate the impact of cyberthreats, it is necessary to know that these tactics and techniques are in the wild. “In this case, search engine results might be contaminated to download malicious files by SEO poisoning, and legitimate tools might perform malicious behavior because they have been abused. Therefore, security teams should always consider the possibility of DLL sideloading or the injection of malicious code, as the abuse of legitimate tools has become commonplace.” 

Given that technical solutions are updated as new attack methods are discovered, Trend Micro recommends security teams configure their security solutions and follow industry best practices. Moreover, if there is a gap between the trending tactics and the technical solutions due to timing, the security team’s work, human observation, and decisions might be needed.

Despite ensuring adequate security measures are in place, organizations may still find themselves vulnerable to security threats at times. Hackers can deploy new and more advanced variants of the malware using techniques that can evade detection. Thus, it is essential for organizations to have a security operations center (SOC) team, and threat analysts that can identify any possible malicious activity in the system and take appropriate steps to mitigate it promptly.
