Gootkit Loader Actively Targets Australian Healthcare Industry

MITRE Techniques

• [T1189] Drive-by Compromise – Drive-by compromise via SEO poisoning to obtain initial access. ‘Known for using search engine optimization (SEO) poisoning for its initial access’.
• [T1574.002] DLL Side-Loading – Abuse of legitimate VLC components by loading a malicious DLL; ‘msdtc.exe (renamed “VLC Media Player” and a legitimate file)’ and ‘libvlc.dll’ (malicious).
• [T1059.001] PowerShell – Execution chain includes PowerShell; ‘Scheduled task → wscript.exe → cscript.exe → PowerShell’.
• [T1053.005] Scheduled Task – Persistence via scheduled task creation; ‘The goal of the first stage of infection is to set a scheduled task for persistence’.
• [T1071.001] Web Protocols – C2 communication over web protocols; ‘C&C access is performed from the PowerShell’ and multiple URL endpoints.
• [T1021.002] SMB/Windows Admin Shares – Lateral movement to internal machines via SMB with outbound connections to ports 389, 445, and 3268. ‘Multiple outbound connections to internal machines toward ports 389, 445, and 3268’.
• [T1027] Obfuscated/Compressed Files and Information – Heavy obfuscation in large JavaScript payloads; ‘the second anonymous function uses numbers, lowercase letters (from a to z), and uppercase letters (from A to Z) for obfuscation….’
• [T1055] Process Injection – Malicious code execution via process injection using wabmig.exe and dllhost.exe; ‘process injection and then became a beacon for Cobalt Strike’.
• [T1003] OS Credential Dumping – Kerberos hashes observed in memory; ‘krb.txt was created by one of the injected processes that contains Kerberos hashes’.