Gootkit Loader Actively Targets Australian Healthcare Industry
Credential access
One of the injected processes wrote the file krb.txt, which contains Kerberos hashes for several accounts. Process telemetry showed no separate dumping tool or executable being launched, so the dumping was carried out in memory by the injected code itself rather than by a newly introduced binary.
Impact
The final payload in this case is unknown: we detected and responded to the intrusion while it was still in the middle of the infection chain, before that payload was delivered.
Conclusion
Our monitoring of Gootkit loader activity that relies on SEO poisoning shows that the actors behind it are actively developing their campaign. Threats aimed at specific job roles, industries, and geographic areas are becoming more aggressive. In addition to the continued targeting of the legal sector with the word “agreement”, the current operation has clearly sharpened its targeting by adding the words “hospital”, “health”, and “medical”, together with the names of Australian cities.
The abuse of VLC Media Player by APT10 has been reported before, which may already have drawn some security teams’ attention to this kind of abuse. DLL sideloading has become a classic method in APT operations, and threat researchers are no longer surprised to find it in similar campaigns. However, the abuse of legitimate tools has become commoditized and is now observed in non-APT operations as well.
To limit the impact of cyberthreats, security teams need to know that these tactics and techniques are in use in the wild. In this case, search engine results were poisoned so that victims downloaded malicious files, and a legitimate tool was made to perform malicious behavior by being abused. Security teams should therefore always consider the possibility of DLL sideloading or the injection of malicious code, since the abuse of legitimate tools has become commonplace.
Because technical solutions are updated as new attack methods are discovered, we recommend that security teams configure their security solutions properly and follow industry best practices. Where a gap opens between a trending tactic and the technical solutions that cover it, the security team’s own work, human observation, and judgment are needed to bridge it.
Even when an organization’s security solutions are configured correctly, there will be cases where this alone is not enough to ward off a threat. Malicious actors can deploy new and more advanced malware variants that use detection-evasion techniques, so an organization’s security operations center (SOC) team and threat analysts need to be able to spot malicious activity in the network and address it in a timely manner.
Security recommendations
For targeted industries:
As noted in this blog, Gootkit loader currently targets the Australian healthcare industry in addition to the legal sector. Escaping an adversary’s methods entirely is not easy, but in this case it may be effective simply to inform users that they are being targeted.
Notifying people in the legal sector and the Australian healthcare industry that their search results may be poisoned, and training them by showing them the screenshots in Figures 2 and 3, may help limit the damage. Alongside this, security products must be properly configured and kept up to date.
For security teams:
When adversaries abuse a legitimate tool, the techniques vary, but the malicious code still has to be prepared, loaded, and run. The legitimate tool itself may be hard to flag as malicious, but traditional antivirus software can detect the files that carry the malicious code, and endpoint detection and response (EDR) or human incident response can limit the impact by spotting the resulting behavior.
As we saw in this case, one such event is the detection of libvlc.dll being sideloaded by VLC Media Player. This type of DLL sideloading is usually performed by a code-signed process loading an unsigned, unknown DLL, and an observation of that shape is a strong lead for security teams addressing the threat.
The process injection into wabmig.exe is another noteworthy technique in this operation. With process injection, the malicious code does not exist as a standalone file but only in memory. Since wabmig.exe is a standard address book import tool that ships with Windows, it is not expected to run frequently in modern enterprise environments, so the launch of wabmig.exe itself can be treated as an initial sign of abuse. Note that the abuse of wabmig.exe to host Cobalt Strike has also been reported by Microsoft in the Follina case.
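The two observations above (an unsigned DLL sideloaded by a legitimate executable, and a launch of wabmig.exe) can be turned into a simple triage pass over endpoint telemetry. The following is an added example written for this page, not Trend Micro code or a product rule. It assumes Sysmon-style records (Event ID 7 "Image loaded" with Image, ImageLoaded and Signed fields; Event ID 1 "Process create" with Image and ParentImage). Sysmon's Signed field describes the loaded DLL, not the loading process, so the "signed process" half of the pattern is approximated here by a co-location heuristic: an unsigned DLL sitting in the same directory as the executable that loaded it, outside the normal install roots. The sample events, paths and the trusted-root list are constructed for the demo.

```python
"""Triage Sysmon-style events for DLL sideloading and rare-LOLBin launches.

Added example for this page (not Trend Micro code). Field names follow
Sysmon Event ID 7 (image loaded) and Event ID 1 (process create); the
records below are constructed, not real telemetry.
"""
import ntpath

# Roots under which vendor-installed binaries normally live. A DLL loaded
# from anywhere else (profile, temp, downloads) is in a user-writable
# location. Assumption: tune this list for the environment.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Legitimate Windows components that rarely run in modern enterprises, so a
# launch is itself worth a look. The page names wabmig.exe.
RARE_LOLBINS = {"wabmig.exe"}


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def under_trusted_root(path):
    p = _norm(path)
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def check_image_load(ev):
    """Event ID 7: flag an unsigned DLL that sits beside the executable that
    loaded it, outside a trusted install root. Co-location is the classic
    search-order sideload shape (a planted libvlc.dll next to vlc.exe)."""
    if ev.get("EventID") != 7:
        return None
    if ev.get("Signed", "").lower() == "true":
        return None
    exe_dir = ntpath.dirname(_norm(ev["Image"]))
    dll_dir = ntpath.dirname(_norm(ev["ImageLoaded"]))
    if exe_dir != dll_dir or under_trusted_root(ev["ImageLoaded"]):
        return None
    return {"rule": "unsigned_dll_sideload", "process": ev["Image"],
            "dll": ev["ImageLoaded"], "time": ev["UtcTime"]}


def check_process_create(ev):
    """Event ID 1: flag launches of rarely used built-ins such as wabmig.exe.
    The parent is kept because a media player spawning an address book
    importer is the interesting part of the story."""
    if ev.get("EventID") != 1:
        return None
    name = ntpath.basename(_norm(ev["Image"]))
    if name not in RARE_LOLBINS:
        return None
    return {"rule": "rare_lolbin_launch", "process": ev["Image"],
            "parent": ev.get("ParentImage"), "time": ev["UtcTime"]}


def triage(events):
    """Run every check over every event and return the hits in event order."""
    hits = []
    for ev in events:
        for check in (check_image_load, check_process_create):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry (paths and times are invented).
SAMPLE_EVENTS = [
    # Benign: signed libvlc.dll from the real VLC install directory.
    {"EventID": 7, "UtcTime": "2022-12-01 01:00:00.000",
     "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
    # Suspicious: unsigned libvlc.dll beside a copy of vlc.exe in a temp dir.
    {"EventID": 7, "UtcTime": "2022-12-01 01:02:10.000",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\vlc.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\libvlc.dll", "Signed": "false"},
    # Not flagged: an unsigned helper DLL, but under Program Files.
    {"EventID": 7, "UtcTime": "2022-12-01 01:03:00.000",
     "Image": r"C:\Program Files\SomeVendor\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeVendor\helper.dll", "Signed": "false"},
    # Suspicious: wabmig.exe started by the dropped vlc.exe.
    {"EventID": 1, "UtcTime": "2022-12-01 01:02:15.000",
     "Image": r"C:\Program Files\Windows Mail\wabmig.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\vlc.exe",
     "CommandLine": "wabmig.exe"},
    # Benign: ordinary process launch.
    {"EventID": 1, "UtcTime": "2022-12-01 01:05:00.000",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The co-location rule will also fire on unsigned software that users run from their profile, so in practice it is a triage lead rather than a blocking rule; pairing it with the process's own signature status (from Event ID 1 correlation or a separate enrichment) is what turns it into the "signed process loads unsigned DLL" observation the text describes.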
For web administrators:
Meanwhile, web administrators should keep in mind that running a vulnerable WordPress site can make it part of such a threat. Following the latest security best practices when building a website is therefore crucial. As described in Hardening WordPress, do not obtain plug-ins or themes from untrusted sources: restrict yourself to the WordPress.org repository or well-known companies, and make sure your plug-ins are always updated.
To tell whether your website is affected by this threat, look at how many pages containing words like “agreement” are being generated. If your site has a number of pages with such content that you did not publish, this can indicate that the site has been compromised, and you should act promptly to contain any damage the attack may have caused.
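One way to make that check concrete is to count how many of a site's published URLs carry the lure words this campaign uses. The script below is an added example for this page, not Trend Micro code; it assumes the generated pages are exposed in the site's XML sitemap (many WordPress sites publish one), that the lure words appear in the URL slug, and that an absolute threshold of three such pages is a reasonable trigger for a closer look. The sitemap is constructed for the demo; in practice you would fetch your own.

```python
"""Count sitemap URLs whose slug contains campaign lure words.

Added example for this page (not Trend Micro code). The sitemap below is
constructed; LURE_WORDS come from the campaign keywords the text names and
the threshold is an assumption to tune per site.
"""
import re
import xml.etree.ElementTree as ET

LURE_WORDS = ("agreement", "hospital", "health", "medical")
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap: two ordinary pages plus four lure-style slugs of the
# kind a compromised site generates for search engines.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/about-us/</loc></url>
  <url><loc>https://example.test/contact/</loc></url>
  <url><loc>https://example.test/free-sample-agreement-template/</loc></url>
  <url><loc>https://example.test/hospital-transfer-agreement-form/</loc></url>
  <url><loc>https://example.test/medical-records-release-agreement/</loc></url>
  <url><loc>https://example.test/health-insurance-agreement-sydney/</loc></url>
</urlset>
"""


def slug_tokens(url):
    """Split a URL into lower-case word tokens ('free-sample-agreement' ->
    ['free', 'sample', 'agreement']) so matching is whole-word, not substring."""
    return [t for t in re.split(r"[^a-z0-9]+", url.lower()) if t]


def lure_hits(sitemap_xml, words=LURE_WORDS):
    """Return (per-word counts, list of URLs matching at least one word)."""
    root = ET.fromstring(sitemap_xml)
    counts = {w: 0 for w in words}
    flagged = []
    for loc in root.iter(SITEMAP_NS + "loc"):
        tokens = set(slug_tokens(loc.text))
        matched = [w for w in words if w in tokens]
        for w in matched:
            counts[w] += 1
        if matched:
            flagged.append(loc.text)
    return counts, flagged


def is_suspicious(flagged, threshold=3):
    """Assumed trigger: three or more lure-word pages warrants a manual review
    of whether the site owner actually published them."""
    return len(flagged) >= threshold


if __name__ == "__main__":
    counts, flagged = lure_hits(SAMPLE_SITEMAP)
    print(counts)
    for url in flagged:
        print("lure-style page:", url)
    print("suspicious:", is_suspicious(flagged))
```

A site that legitimately publishes legal or medical content will of course match on these words, so the signal is the ratio of such pages to what the owner knowingly published, and the appearance of pages nobody on the team created.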
Trend Micro Solutions
We recommend security solutions that provide comprehensive protection for your enterprise to keep this and other threats at bay.
Trend Micro Vision One™ helps security teams gain an overall view of attempts in ongoing campaigns by providing them with a correlated view of multiple layers such as email, endpoints, servers, and cloud workloads. Security teams can gain a broader perspective and a better understanding of attack attempts and detect suspicious behavior that would otherwise seem benign when viewed from a single layer alone.
Trend Micro™ Managed XDR monitors and analyzes activity data from deployed Trend Micro XDR and protection solutions 24/7. Email, endpoint, server, cloud workload, and network sources are correlated for stronger detection and greater insight into the source and spread of complex targeted attacks.