The campaign combines SEO poisoning with the Gootkit loader malware, and targets victims searching for healthcare institutions in Australia.
Trend Micro spotted the attack and described how the threat actors created a malicious website, designed to look like a forum, where a user shared a healthcare-related agreement document template inside a ZIP archive in response to a query.
To get the website to rank high on Google, they “poisoned” the search engine results pages by adding the link to the malicious site in social media posts.
Because the site is heavily linked, Google's ranking algorithm treats it as authoritative and pushes it higher in its results pages.
In this campaign, the researchers found the malicious website ranking highly for medical-related keywords such as “hospital”, “health”, “medical”, and “agreement” - paired with the names of cities in Australia.
Victims that fall for the trick and download the malicious ZIP archive onto their endpoints would get Gootkit loader components which later drop a PowerShell script that downloads more malware onto the target device. Among the files is a legitimate, signed copy of the VLC media player and a malicious DLL file that, when triggered, deploys the Cobalt Strike beacon.
The VLC media player file is disguised as the Microsoft Distributed Transaction Coordinator (MSDTC) service. If the user runs it, VLC will look for the DLL file and load it, infecting the device in what is generally known as a DLL side-loading attack.
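As an added illustration, not code from the article or the Trend Micro report: a toy triage over constructed Sysmon-style image-load records that implements the two defender heuristics this passage suggests, a signed host binary loading an unsigned DLL from the same user-writable directory, and a process carrying a Windows service name (such as msdtc.exe) running outside the system directories. The event fields, paths, DLL names and the service-name list are assumptions made for the example.

```python
"""Toy side-loading triage over constructed Sysmon-style ImageLoad records."""
from dataclasses import dataclass

# Directories normally not writable by a standard user (assumption for this example)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hypothetical short list of Windows service binaries a dropped file might be named after
SYSTEM_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe"}

@dataclass
class ImageLoad:
    process: str         # full path of the process that loaded the DLL
    process_signed: bool
    module: str          # full path of the loaded DLL
    module_signed: bool

def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"

def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[1]

def outside_system_dirs(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_DIRS)

def findings(ev: ImageLoad) -> list:
    """Return the heuristic names that fire for one image-load event."""
    out = []
    # Heuristic 1: a signed host (e.g. VLC) loads an unsigned DLL sitting next to it
    if (ev.process_signed and not ev.module_signed
            and _dir(ev.process) == _dir(ev.module) and outside_system_dirs(ev.process)):
        out.append("signed-host-loads-unsigned-dll")
    # Heuristic 2: a file named like a Windows service runs from a user-writable path
    if _base(ev.process) in SYSTEM_BINARIES and outside_system_dirs(ev.process):
        out.append("system-binary-name-outside-system-dir")
    return out

def triage(events) -> dict:
    """Map each process path to its findings, keeping only events that fired."""
    return {e.process: findings(e) for e in events if findings(e)}

# Constructed sample events (not taken from the report)
EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\agreement\vlc.exe", True,
              r"C:\Users\alice\Downloads\agreement\libvlc.dll", False),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe", True,
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True),
    ImageLoad(r"C:\Windows\System32\msdtc.exe", True,
              r"C:\Windows\System32\ntdll.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\msdtc.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\libvlc.dll", False),
]
```

Running `triage(EVENTS)` flags only the Downloads and Temp events; the legitimate VLC install and the real MSDTC service produce no findings.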
Cobalt Strike is a commercial pen-testing tool allowing the user to deploy an agent named ‘Beacon’ on the victim machine. Cybercriminals use it to scan the target network, move laterally, steal passwords and other sensitive data, and deploy more devastating malware. Cobalt Strike beacons are often followed up with a ransomware attack.