A recent wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by abusing legitimate tools such as VLC Media Player.
Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising legitimate websites and seeding them with commonly searched keywords so that the compromised pages rank for those searches.
Like other malware of its kind, Gootkit is capable of stealing data from the browser, performing adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions.
Trend Micro’s new findings reveal that the keywords “hospital,” “health,” “medical,” and “enterprise agreement” have been paired with various city names in Australia, marking the malware’s expansion beyond accounting and law firms.
The attack chain begins by directing users who search for those keywords to a compromised WordPress blog that tricks them into downloading malware-laced ZIP files.
“Upon accessing the site, the user is presented with a screen that has been made to look like a legitimate forum,” Trend Micro researchers said. “Users are led to access the link so that the malicious ZIP file can be downloaded.”
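The chain described above (a search-engine referral carrying the campaign keywords, a landing page on a compromised blog, then a ZIP download) can be spotted in web proxy logs by correlating those two events per client. The following detection script is an added example written for this page; it is not code from Trend Micro or from the article. The tab-separated log format, the sample log lines, the hostnames, the search-engine host list and the ten-minute correlation window are all constructed assumptions for the demo, not observed campaign data.

```python
"""Correlate a keyword-carrying search-engine referral with a follow-on ZIP
download by the same client, the chain Gootloader's SEO poisoning relies on.

Log format (constructed for this example, not any product's native format):
    <ISO timestamp>\t<client IP>\t<requested URL>\t<Referer>\t<Content-Type>
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Keywords reported in the campaign; searchers pair them with Australian city names.
CAMPAIGN_KEYWORDS = ("hospital", "health", "medical", "enterprise agreement")
# Assumed list of search-engine hosts whose results pages use a `q` parameter.
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.")
# Assumed window between landing on the fake forum page and fetching the ZIP.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample traffic: one poisoned-search chain (10.0.0.12), one benign
# keyword search whose ZIP comes too late to correlate (10.0.0.7), and one ZIP
# download with no search referral at all (10.0.0.30).
SAMPLE_LOG = """\
2023-01-10T09:14:02\t10.0.0.12\thttps://example-blog.test/?p=4412\thttps://www.google.com.au/search?q=hospital+enterprise+agreement+sydney\ttext/html
2023-01-10T09:14:31\t10.0.0.12\thttps://example-blog.test/wp-content/uploads/agreement.zip\thttps://example-blog.test/?p=4412\tapplication/zip
2023-01-10T09:20:00\t10.0.0.7\thttps://intranet.test/docs/\thttps://www.google.com.au/search?q=hospital+parking\ttext/html
2023-01-10T09:45:10\t10.0.0.7\thttps://vendor.test/update.zip\thttps://vendor.test/downloads\tapplication/zip
2023-01-10T10:02:00\t10.0.0.30\thttps://files.test/report.zip\thttps://mail.test/\tapplication/zip
"""


def parse_line(line):
    """Split one tab-separated log line into a dict with a parsed timestamp."""
    ts, client, url, referer, ctype = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "referer": referer, "ctype": ctype}


def search_query(referer):
    """Return the lower-cased search terms if `referer` is a search-engine
    results page, otherwise an empty string."""
    u = urlparse(referer)
    if not any(h in u.netloc for h in SEARCH_ENGINE_HOSTS):
        return ""
    return parse_qs(u.query).get("q", [""])[0].lower()


def is_zip_download(ev):
    """ZIP by declared content type or by the URL path's extension."""
    path = ev["url"].lower().split("?", 1)[0]
    return ev["ctype"] == "application/zip" or path.endswith(".zip")


def flag_seo_poisoning(lines):
    """Return (client, landing_url, zip_url) for every client that fetched a ZIP
    within CORRELATION_WINDOW of arriving from a keyword-matching search."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    pending = {}  # client -> (timestamp, landing URL) of the last matching referral
    hits = []
    for ev in events:
        query = search_query(ev["referer"])
        if query and any(k in query for k in CAMPAIGN_KEYWORDS):
            pending[ev["client"]] = (ev["ts"], ev["url"])
            continue
        if is_zip_download(ev) and ev["client"] in pending:
            t0, landing = pending[ev["client"]]
            if ev["ts"] - t0 <= CORRELATION_WINDOW:
                hits.append((ev["client"], landing, ev["url"]))
                del pending[ev["client"]]
    return hits


if __name__ == "__main__":
    for client, landing, zip_url in flag_seo_poisoning(SAMPLE_LOG.splitlines()):
        print(f"suspect chain: {client} search -> {landing} -> {zip_url}")
```

Run against the sample, only the 10.0.0.12 chain is reported: the 10.0.0.7 search also contains "hospital", but its ZIP arrives 25 minutes later and falls outside the window, and 10.0.0.30 never came from a search engine. In production the window and the keyword list would be tuned to the environment, and a tighter rule would also require the ZIP request's Referer to be the landing page the user was sent to.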