Gootkit loader malware operators are conducting a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons.
The goal of the campaign is to deploy the Cobalt Strike Post-Exploitation Toolkit to infected devices for initial access to corporate networks.
From there, remote operators can perform network scans, move laterally through the network, steal credentials and account files, and deploy more dangerous payloads such as ransomware.
Gootkit loader popularly known as Gootloader started delivering Cobalt Strike on systems last summer in a similar campaign of poisoning search engine results.
Gootloader has been associated with ransomware infections several timeswith the malware returning in 2020 via a high-profile profile collaboration with the REvil gang.
Google search results poisoning
In a new report from Trend MicroResearchers explain that Gootloader’s recent campaign uses SEO poisoning to inject its malicious websites into Google search results to target the Australian healthcare industry.
The campaign started in October 2022 and managed to rank at the top of search results for medicine-related keywords, such as “agreement”, “hospital”, “health” and “medical” combined with names of Australian cities.
SEO poisoning is a tactic that cybercriminals employ, creating numerous posts on many legitimate sites that include links to the threat actor’s websites.
As search engines index these legitimate sites and see the same URL over and over, they will add them to search engine results for related keywords. As a result, these search terms often rank quite high in Google search results, as shown below.
These fake Q&A forums will contain an “answer” to a question that links to the related searched resources, such as a template agreement or a Word document. However, these links are malware that infect users’ devices.
A similar tactic has been widely used by malware loaders, as in this Batloader and Atera Agent Campaign starting in February 2022, where operators used the search terms Zoom, TeamViewer and Visual Studio to poison results.
Plant Cobalt Strike Beacons
In the latest Gootloader campaign, threat actors are using a direct download link for what is purported to be a template healthcare-related agreement document in a ZIP archive.
This ZIP archive contains the components of the Gootkit loader in the form of a JS file which, when launched, drops a PowerShell script which is then executed to download other malware onto the device.
In the second stage of infection, the malware downloads “msdtc.exe” and “libvlc.dll” from the Gootloader command and control servers.
The executable is a legitimate, signed copy of the VLC media player masked to appear as a Microsoft Distributed Transaction Coordinator (MSDTC) service. The DLL is named after a legitimate VLC file required for starting the media player, but is associated with a Cobalt Strike module.
When the VLC executable is launched, it uses a DLL-side loading attack to load the malicious DLL in the context of a trusted process.
This causes the VLC executable to spawn two processes, dllhost.exe and wabmig.exe, which host Cobalt Strike beacon activities.
Using Cobalt Strike, threat actors loaded ‘PSHound.ps1’ and ‘soo.ps1’ for network monitoring, connected to machines via ports 389, 445, and 3268, and flushed the Kerberos hashes for multiple accounts on a text file (‘krb.sms’).
Cobalt Strike is usually a precursor to ransomware attacks, but in the case observed by Trend Micro, researchers did not have the opportunity to capture the final payload.
A DLL sideloading vulnerability in VLC Media Player has been used in attacks by Chinese state-sponsored hackers. These vulnerabilities are believed to have led to the media player banned in india.
Unfortunately, it can be hard to avoid getting suckered into one of these search poisoning campaigns.
Ultimately, the best way to avoid getting infected is to only download files from trusted sources, enable file extensions so you can see the actual filename and avoid clicking on files with dangerous extensions.
Moreover, it is advised to upload any file uploaded to VirusTotal to check for malicious behaviors before executing it.