The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons.
The campaign's goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices to gain initial access to corporate networks.
From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and data, and deploy more damaging payloads such as ransomware.
Gootkit loader, more commonly known as Gootloader, began delivering Cobalt Strike to systems last summer in a similar search engine result poisoning campaign.
Poisoning Google search results
In a new report by Trend Micro, researchers explain that Gootloader's latest campaign uses SEO poisoning to inject its malicious websites into Google search results in order to target the Australian healthcare industry.
The campaign started in October 2022 and managed to rank highly in search results for medical-related keywords, such as "agreement", "hospital", "health", and "medical", combined with Australian city names.
SEO poisoning is a tactic in which cybercriminals create many posts on many legitimate sites that include links to the threat actor's websites.
As search engine spiders index these legitimate sites and see the same URL repeatedly, they add it to the search results for related keywords. As a result, these search terms often rank quite highly in Google search results, as shown below.
These fake Q&A forums contain an "answer" to a question that links to the resource the victim searched for, such as an agreement template or Word document. However, these links lead to malware that infects users' devices.
The same tactic has been employed extensively by malware loaders, as in the Batloader and Atera Agent campaign from February 2022, where the operators used Zoom, TeamViewer, and Visual Studio search terms to poison the results.
Planting Cobalt Strike beacons
In the latest Gootloader campaign, the threat actors use a direct download link for what is supposedly a healthcare-related agreement document template inside a ZIP archive.
This ZIP archive contains the Gootkit loader components in the form of a JS file that, when launched, drops a PowerShell script that is then executed to download further malware onto the system.
In the second stage of the infection, the malware downloads 'msdtc.exe' and 'libvlc.dll' from the Gootloader command and control servers.
The executable is a legitimate, signed copy of the VLC media player renamed to appear as the Microsoft Distributed Transaction Coordinator (MSDTC) service. The DLL is named after a legitimate VLC file required for the media player to start, but is laced with a Cobalt Strike module.
When the renamed VLC executable is launched, it loads the malicious DLL sitting beside it (a DLL side-loading attack), so the Cobalt Strike code runs in the context of a trusted, signed process.
This causes the VLC executable to spawn two processes, dllhost.exe and wabmig.exe, which host the Cobalt Strike beacon activity.
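The following detection logic is an added illustration, not code from the Trend Micro report or from BleepingComputer. It runs over constructed Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events and flags the three observable stages described above: an msdtc.exe whose PE metadata or location does not match the real MSDTC binary, libvlc.dll loaded from outside a VLC install directory, and a VLC-identified process spawning dllhost.exe or wabmig.exe. Field names follow Sysmon's schema; the sample events, paths and PIDs are constructed.

```python
# Constructed Sysmon-style events (hypothetical sample data, not from the report):
# EventID 1 = process creation, EventID 7 = image (DLL) load.
EVENTS = [
    {"EventID": 1, "ProcessId": 4101, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\msdtc.exe", "OriginalFileName": "vlc.exe",
     "Description": "VLC media player", "Signature": "VideoLAN"},
    {"EventID": 7, "ProcessId": 4101, "Image": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\libvlc.dll"},
    {"EventID": 1, "ProcessId": 4122, "ParentImage": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "Image": r"C:\Windows\System32\dllhost.exe", "OriginalFileName": "dllhost.exe",
     "Description": "COM Surrogate", "Signature": "Microsoft Windows"},
    # Benign control: the real MSDTC service started by services.exe from System32.
    {"EventID": 1, "ProcessId": 900, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msdtc.exe", "OriginalFileName": "msdtc.exe",
     "Description": "MS DTC console program", "Signature": "Microsoft Windows"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
VLC_DIRS = ("c:\\program files\\videolan\\", "c:\\program files (x86)\\videolan\\")
BEACON_HOSTS = {"dllhost.exe", "wabmig.exe"}  # child processes named in the report

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_like_vlc(ev):
    """PE metadata or signer identify the binary as VLC regardless of its on-disk name."""
    return ("vlc" in ev.get("OriginalFileName", "").lower()
            or "videolan" in ev.get("Signature", "").lower())

def detect(events):
    """Return (rule, ProcessId) hits for the masquerade, side-load and spawn stages."""
    hits, vlc_images = [], set()
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 1:
            if looks_like_vlc(ev):
                vlc_images.add(image)
            # Rule 1: named msdtc.exe but either not the real binary or not in a system dir.
            if basename(image) == "msdtc.exe" and (looks_like_vlc(ev) or not image.startswith(SYSTEM_DIRS)):
                hits.append(("masqueraded_msdtc", ev["ProcessId"]))
            # Rule 3: a VLC-identified parent spawning the beacon host processes.
            if ev["ParentImage"].lower() in vlc_images and basename(image) in BEACON_HOSTS:
                hits.append(("vlc_spawned_beacon_host", ev["ProcessId"]))
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"].lower()
            # Rule 2: libvlc.dll loaded from anywhere other than a VLC install directory.
            if basename(loaded) == "libvlc.dll" and not loaded.startswith(VLC_DIRS):
                hits.append(("sideloaded_libvlc", ev["ProcessId"]))
    return hits
```

Events are processed in order, so a parent's creation event must precede its children's for rule 3 to match; the benign MSDTC control event produces no hit.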
Using Cobalt Strike, the threat actors loaded 'PSHound.ps1' and 'soo.ps1' for network reconnaissance, connected to machines via ports 389, 445, and 3268, and dumped Kerberos hashes for multiple accounts into a text file ('krb.txt').
Cobalt Strike is usually a precursor to ransomware attacks, but in the case observed by Trend Micro, the researchers did not have the opportunity to capture the final payload.
A DLL side-loading vulnerability in VLC Media Player was previously used in attacks by Chinese state-sponsored hackers. These vulnerabilities are believed to have led to the media player being banned in India.
Unfortunately, being tricked by one of these search result poisoning campaigns can be hard to avoid.
Ultimately, the best way to avoid infection is to only download files from trusted sources, enable the display of file extensions so you can see the actual filename, and avoid opening files with dangerous extensions.
Additionally, it is advisable to upload any downloaded file to VirusTotal to check for malicious behavior before executing it.