Jan 11, 2023 | Ravie Lakshmanan
A wave of Gootkit malware loader attacks has targeted the
Australian healthcare sector by leveraging legitimate tools like
VLC Media Player.
Gootkit[1], also called Gootloader, is known[2] to employ[3] search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords.
Like other malware of its kind, Gootkit is capable of stealing
data from the browser, performing adversary-in-the-browser (AitB)
attacks, keylogging, taking screenshots, and other malicious
actions.
Trend Micro’s new findings[4] reveal that the keywords “hospital,” “health,” “medical,” and “enterprise agreement” have been paired with various city names in Australia, marking the malware’s expansion beyond accounting and law firms.
The attack begins by directing users who search for those keywords to a compromised WordPress blog that tricks them into downloading malware-laced ZIP files.
“Upon accessing the site, the user is presented with a screen
that has been made to look like a legitimate forum,” Trend Micro
researchers said. “Users are led to access the link so that the
malicious ZIP file can be downloaded.”
What’s more, the JavaScript code that’s used to pull off this
trickery is injected into a valid JavaScript file at random
sections on the breached website.
The downloaded ZIP archive, for its part, also contains a
JavaScript file that, upon execution, not only employs obfuscation
to evade analysis, but is further used to establish persistence on
the machine by means of a scheduled task.
The execution chain subsequently leads to a PowerShell script
that’s designed to retrieve files from a remote server for
post-exploitation activity, which commences only after a waiting
period that ranges from a couple of hours to as long as two
days.
“This latency, which clearly separates the initial infection
stage from the second stage, is a distinctive feature of Gootkit
loader’s operation,” the researchers said.
Once the wait time elapses, two additional payloads are dropped
– msdtc.exe and libvlc.dll – the former of which is a legitimate
VLC Media Player binary that’s used to load the Cobalt Strike DLL
component, followed by downloading more tools to facilitate
discovery.
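The chain described above (a JavaScript file run from a downloaded ZIP, persistence via a scheduled task, and a legitimate VLC binary renamed msdtc.exe sideloading libvlc.dll) leaves host-level traces a defender can look for. The following is an added example, not code from Trend Micro or The Hacker News: a small set of detection rules run over constructed, Sysmon-style process-creation and image-load events. The event dict shape, the file paths and the user name are all made up; the only facts taken from the article are the binary names msdtc.exe and libvlc.dll, the use of a scheduled task, and the script-from-ZIP entry point. The rule treating msdtc.exe outside C:\Windows\System32 as suspicious assumes the genuine Windows binary lives there.

```python
"""Detection heuristics for the Gootkit loader chain described in the article.

The event records below are constructed samples in a simplified Sysmon-like
shape, not real telemetry. Each rule returns a (rule_name, detail) tuple.
"""
from pathlib import PureWindowsPath

# Assumption: the legitimate msdtc.exe is the one under System32.
SYSTEM32 = r"C:\Windows\System32"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path fragments typical of user-writable locations where a ZIP gets extracted.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _under(path, root):
    """True if path lies below root (case-insensitive, like NTFS)."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def check_event(ev):
    """Apply the rules to one event; return (rule, detail) or None."""
    if ev["type"] == "process_create":
        image = _name(ev["image"])
        parent = _name(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        cmd_l = cmd.lower()
        tokens = cmd_l.replace('"', "").split()
        # Rule 1: a script host launching a .js file from a user-writable path
        # (the JavaScript dropped inside the downloaded ZIP).
        if (image in SCRIPT_HOSTS
                and any(t.endswith(".js") for t in tokens)
                and any(h in cmd_l for h in USER_WRITABLE_HINTS)):
            return ("js_from_user_writable_path", cmd)
        # Rule 2: scheduled-task persistence created by a script host.
        if image == "schtasks.exe" and "/create" in cmd_l and parent in SCRIPT_HOSTS:
            return ("scheduled_task_from_script_host", cmd)
        # Rule 3: msdtc.exe running from anywhere other than System32.
        if image == "msdtc.exe" and not _under(ev["image"], SYSTEM32):
            return ("msdtc_outside_system32", ev["image"])
    elif ev["type"] == "image_load":
        # Rule 4: msdtc.exe loading libvlc.dll (renamed VLC binary sideloading).
        if _name(ev["image"]) == "msdtc.exe" and _name(ev["loaded"]) == "libvlc.dll":
            return ("msdtc_loads_libvlc", f'{ev["image"]} -> {ev["loaded"]}')
    return None


def scan(events):
    """Run every event through the rules and collect the hits in order."""
    return [hit for hit in map(check_event, events) if hit]


# Constructed sample events: three benign, four matching the described chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\enterprise_agreement\agreement.js"'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks.exe /create /tn "Updater" /tr "wscript.exe C:\Users\alice\AppData\Roaming\u.js" /sc onlogon'},
    {"type": "process_create", "image": r"C:\Windows\System32\msdtc.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "msdtc.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\msdtc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "msdtc.exe"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\msdtc.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll"},
    {"type": "image_load", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rules 1 and 2 fire at the initial-infection stage, before the multi-hour delay the researchers describe, which is where blocking the chain is cheapest; rules 3 and 4 cover the second stage, where the renamed VLC binary and libvlc.dll appear. The legitimate msdtc.exe under System32 and a real VLC install loading its own libvlc.dll produce no hits, which is the false-positive case any such rule set has to get right.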
“The malicious actors behind [Gootkit] are actively implementing
their campaign,” the researchers said. “The threats targeting
specific job sectors, industries, and geographic areas are becoming
more aggressive.”
Source: https://thehackernews.com/2023/01/australian-healthcare-sector-targeted.html