Gootkit malware uses VLC to infect healthcare organizations with Cobalt Strike

Gootkit Loader malware operators are running a new SEO poisoning campaign that abuses a legitimately signed copy of VLC Media Player to infect Australian healthcare organizations with Cobalt Strike beacons.

The campaign’s goal is to plant the Cobalt Strike post-exploitation toolkit on victim devices, giving the attackers initial access to corporate networks.

From that foothold, remote operators can scan the network, move laterally, and steal files and credentials, then use that access to deploy more damaging payloads such as ransomware.

Gootkit Loader, also known as Gootloader, was first seen delivering Cobalt Strike last summer through a similar search engine result poisoning operation.

The ransomware infection . In 2020, the malware returned to the web through an .

Google Search Results Poisoning

A new report from Trend Micro explains how Gootloader used SEO poisoning in its recent campaign to push malicious websites into Google search results, targeting Australia’s healthcare sector.

The campaign, which began in October 2022, achieved high rankings in search results for medical keywords such as “agreement”, “hospital”, “health” and “medical” combined with the names of Australian cities.

Cybercriminals use SEO poisoning to flood search results with pages they control, typically on legitimate websites they have compromised, that link back to the threat actors’ download sites.

Because the compromised sites are legitimate, search engine crawlers index them and add their URLs to search results, where the targeted terms rank highly in Google, as seen below.

Malicious search results from the current Gootloader campaign (Source: Trend Micro)

On the compromised sites, Gootkit uses injected JavaScript to show a fake Q&A forum to visitors who arrive from a search engine; other visitors see the normal page.

The fake forum contains an “answer” to a question that links to the resource the visitor searched for, such as a Word document or an agreement template. Following that link infects the user’s computer with malware.
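A site owner who suspects this kind of compromise can test for the behaviour directly: fetch the same page with and without a search-engine Referer and diff the two responses. The following Python script is an added example, not code from the Trend Micro report or from Gootloader itself. The forum marker phrases, the sample clinic HTML and the `example.invalid` archive URL are constructed for the example, and the `.zip` link heuristic assumes the archive delivery described in this article.

```python
"""Referrer-cloaking check for a site suspected of serving Gootloader's fake forum.

The page is fetched twice (no Referer, then a Google Referer) and any HTML that
only shows up for the 'search visitor' is scored for forum-like wording and
archive download links. Marker phrases and sample HTML are constructed for this
example, not taken from the report.
"""
import difflib
import re
import urllib.request

FORUM_HINTS = ("question", "answer", "posted by", "download", "template")  # assumed markers
ARCHIVE_LINK = re.compile(r'href="([^"]+\.zip)"', re.IGNORECASE)
BLOCK_START = re.compile(r"(?=<(?:div|p|section|article|ul|li|h[1-6])\b)", re.IGNORECASE)
CLOSING_TAG = re.compile(r"</[^>]+>")


def fetch(url: str, referer: str = "", timeout: float = 15.0) -> str:
    """Fetch a URL, optionally claiming to arrive via `referer` (network; not used by the offline demo)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def split_blocks(html: str) -> list[str]:
    """Cut HTML into coarse blocks at block-level tags so the diff is readable."""
    return [b.strip() for b in BLOCK_START.split(html) if b.strip()]


def block_key(block: str) -> str:
    """Comparison key: closing tags removed, so a moved </div> cannot mask an identical block."""
    return CLOSING_TAG.sub("", block).strip()


def injected_blocks(baseline: str, referred: str) -> list[str]:
    """Blocks present in the search-referred response but absent from the baseline."""
    base, ref = split_blocks(baseline), split_blocks(referred)
    matcher = difflib.SequenceMatcher(a=[block_key(b) for b in base],
                                      b=[block_key(b) for b in ref], autojunk=False)
    added = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(ref[j1:j2])
    return added


def forum_score(block: str) -> int:
    """Count forum/download wording in the visible text of a block."""
    text = re.sub(r"<[^>]+>", " ", block).lower()
    return sum(text.count(hint) for hint in FORUM_HINTS)


def check_cloaking(baseline: str, referred: str) -> dict:
    """Summarise what the search-referred visitor sees that the plain visitor does not."""
    added = injected_blocks(baseline, referred)
    return {
        "injected_blocks": len(added),
        "forum_score": sum(forum_score(b) for b in added),
        "zip_links": [link for b in added for link in ARCHIVE_LINK.findall(b)],
    }


# Constructed sample pages: the same clinic site with and without the injected forum.
BASELINE_HTML = """<html><body><div id="main"><h1>Smith Dental Clinic</h1>
<p>Welcome to our clinic in Melbourne.</p></div></body></html>"""

REFERRED_HTML = """<html><body><div id="main"><h1>Smith Dental Clinic</h1>
<p>Welcome to our clinic in Melbourne.</p></div>
<div class="forum"><h2>Question: where can I download a hospital agreement template?</h2>
<p>Answer (posted by admin): you can download the template here:
<a href="https://example.invalid/hospital_agreement_template.zip">agreement template</a></p></div>
</body></html>"""

if __name__ == "__main__":
    # Live use against a real site: check_cloaking(fetch(url), fetch(url, "https://www.google.com/"))
    print(check_cloaking(BASELINE_HTML, REFERRED_HTML))
```

A non-zero `injected_blocks` with forum wording and an archive link is the signal to go looking for the injected JavaScript on the server. The check is deliberately simple: injected scripts may also key on the User-Agent, the visitor’s country or a cookie, so a clean result from one pair of requests does not prove the site is clean.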

Fake Q&A forum on a hacked website (Source: Trend Micro)

Other malware loaders have used the same strategy extensively, as in the campaign that began in February 2022, whose operators poisoned results for Zoom and TeamViewer search terms.

Planting Cobalt Strike beacons

In the latest Gootloader campaign, the fake forum links to a direct download of what it claims is a healthcare agreement template, delivered inside a ZIP file.

The ZIP archive contains the Gootkit loader as a JS file. When the user opens it, the script drops and executes a PowerShell command that continues the infection chain.

Gootloader’s latest attack chain (Source: Trend Micro)

As the second stage, the PowerShell script downloads two files, ‘msdtc.exe’ and ‘libvlc.dll’, from Gootloader’s command and control servers.

‘msdtc.exe’ is a signed, legitimate copy of the VLC Media Player executable, renamed to pass as the Microsoft Distributed Transaction Coordinator service (MSDTC). ‘libvlc.dll’ takes the name of the legitimate VLC library the player needs in order to start, but this copy carries an embedded Cobalt Strike module.

When the renamed VLC executable runs, it loads the malicious ‘libvlc.dll’ placed beside it, a DLL side-loading technique that executes the attackers’ code inside a trusted, signed process.

The VLC executable then spawns two processes, wabmig.exe and dllhost.exe, which host the Cobalt Strike beacon activity.

Processes spawned by the VLC executable (Source: Trend Micro)

The threat actors used Cobalt Strike to load ‘PSHound.ps1’ and ‘soo.ps1’ for network reconnaissance. They connected to machines over ports 389 (LDAP), 445 (SMB) and 3268 (Active Directory Global Catalog) and dumped Kerberos hashes for several accounts into a text file named ‘krb.txt’.
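The side-loading stage and the post-exploitation stage both leave telemetry that a detection pipeline can match. The Python below is an added example, not detection content from Trend Micro or any vendor: it runs Sysmon-style events (process creation, image load, network connection, file creation) through rules for an msdtc.exe outside System32, a binary whose version info still says vlc.exe, libvlc.dll loaded from outside the VLC install directory, msdtc.exe spawning wabmig.exe or dllhost.exe, one process fanning out to many hosts on ports 389/445/3268, and creation of krb.txt. The sample events, the workstation name WS-01 and the file paths are constructed; the stock VLC install path and the assumption that vlc.exe’s PE version info carries OriginalFileName “vlc.exe” are assumptions rather than facts from the report.

```python
"""Rules for the Gootloader -> renamed VLC -> Cobalt Strike chain over Sysmon-style events.

Event dicts use Sysmon field names (EventID 1 process create, 3 network connect,
7 image load, 11 file create). All sample events below are constructed for this
example. The VLC install path and the OriginalFileName check are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

LEGIT_VLC_DIR = r"c:\program files\videolan\vlc"   # assumed stock install location
SYSTEM32 = r"c:\windows\system32"
BEACON_HOSTS = {"wabmig.exe", "dllhost.exe"}       # spawned by the renamed VLC per the report
AD_PORTS = {389, 445, 3268}                         # LDAP, SMB, Global Catalog
FANOUT_THRESHOLD, FANOUT_WINDOW = 5, timedelta(seconds=60)


def base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one hit dict per rule match: {"rule", "host", "detail"}."""
    hits = []
    conns = defaultdict(list)  # (host, process) -> [(time, destination ip)]
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 1:
            img = e["Image"].lower()
            # The real MSDTC lives in System32; a copy anywhere else is suspicious.
            if base(img) == "msdtc.exe" and not img.startswith(SYSTEM32 + "\\"):
                hits.append({"rule": "msdtc_outside_system32", "host": host, "detail": e["Image"]})
            # Renaming the file does not change its version info (assumed to read vlc.exe).
            if e.get("OriginalFileName", "").lower() == "vlc.exe" and base(img) != "vlc.exe":
                hits.append({"rule": "renamed_vlc_binary", "host": host, "detail": e["Image"]})
            # Genuine msdtc.exe is started by services.exe and never launches these two.
            if base(e.get("ParentImage", "")) == "msdtc.exe" and base(img) in BEACON_HOSTS:
                hits.append({"rule": "msdtc_spawns_beacon_host", "host": host, "detail": e["Image"]})
        elif eid == 7:
            dll = e["ImageLoaded"].lower()
            if base(dll) == "libvlc.dll" and not dll.startswith(LEGIT_VLC_DIR):
                hits.append({"rule": "libvlc_sideload", "host": host,
                             "detail": f'{e["Image"]} -> {e["ImageLoaded"]}'})
        elif eid == 3 and int(e["DestinationPort"]) in AD_PORTS:
            conns[(host, base(e["Image"]))].append((e["UtcTime"], e["DestinationIp"]))
        elif eid == 11 and base(e["TargetFilename"]) == "krb.txt":
            hits.append({"rule": "kerberos_hash_dump_file", "host": host, "detail": e["TargetFilename"]})
    # One process reaching many hosts on AD/SMB ports inside a short window: recon or lateral movement.
    for (host, proc), seq in conns.items():
        seq.sort()
        for i, (t0, _ip) in enumerate(seq):
            dests = {ip for t, ip in seq[i:] if t - t0 <= FANOUT_WINDOW}
            if len(dests) >= FANOUT_THRESHOLD:
                hits.append({"rule": "ad_port_fanout", "host": host, "detail": f"{proc} -> {len(dests)} hosts"})
                break
    return hits


T0 = datetime(2022, 10, 14, 9, 0, 0)


def ev(eid: int, **fields) -> dict:
    """Build a constructed event for workstation WS-01."""
    return {"EventID": eid, "Computer": "WS-01", **fields}


STAGE2 = r"C:\Users\alice\AppData\Roaming\msdtc.exe"
SAMPLE_EVENTS = [
    ev(1, UtcTime=T0, Image=STAGE2, OriginalFileName="vlc.exe",
       ParentImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev(7, UtcTime=T0, Image=STAGE2, ImageLoaded=r"C:\Users\alice\AppData\Roaming\libvlc.dll"),
    ev(1, UtcTime=T0, Image=r"C:\Program Files\Windows Mail\wabmig.exe", OriginalFileName="wabmig.exe", ParentImage=STAGE2),
    ev(1, UtcTime=T0, Image=r"C:\Windows\System32\dllhost.exe", OriginalFileName="dllhost.exe", ParentImage=STAGE2),
    ev(11, UtcTime=T0, Image=r"C:\Windows\System32\dllhost.exe", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\krb.txt"),
    # Benign look-alikes that must not fire: the real MSDTC service and a stock VLC install.
    ev(1, UtcTime=T0, Image=r"C:\Windows\System32\msdtc.exe", OriginalFileName="msdtc.exe", ParentImage=r"C:\Windows\System32\services.exe"),
    ev(7, UtcTime=T0, Image=r"C:\Program Files\VideoLAN\VLC\vlc.exe", ImageLoaded=r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),
] + [
    ev(3, UtcTime=T0 + timedelta(seconds=i), Image=r"C:\Windows\System32\dllhost.exe",
       DestinationIp=f"10.0.0.{10 + i}", DestinationPort=port)
    for i, port in enumerate([389, 445, 3268, 445, 389, 445])
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["host"]:6} {hit["rule"]:26} {hit["detail"]}')
```

The parent-child rule is the highest-fidelity of these, because the genuine msdtc.exe is launched by services.exe from System32 and has no reason to start wabmig.exe or dllhost.exe. The fan-out threshold and window are starting values that need tuning against domain controllers, administrative jump hosts and inventory tools that legitimately touch many machines on those ports.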

Cobalt Strike deployment is often a prelude to ransomware, but Trend Micro was unable to capture the final payload in this case.

. This vulnerability is believed to have resulted in the .

It can be hard to avoid being caught by poisoned search results, since the malicious pages appear alongside genuine ones.

The best protection is to download files only from sources you trust, and to treat a “document” that arrives as a ZIP archive containing a JavaScript (.js) file as malicious, since that is how this campaign delivers its loader.

Scan every downloaded file for malware before executing it.