Beware! Gootkit Loader Malware Using VLC Player to Deliver Malicious Payloads

Trend Micro researchers recently reported that the operators of the Gootkit loader malware have launched a new SEO poisoning campaign against Australian healthcare entities, abusing the VLC Media Player to infect them with a Cobalt Strike beacon.

The primary aim of the campaign is to gain initial access to corporate networks and deploy the Cobalt Strike post-exploitation toolkit on the infected devices.

With the beacon in place, remote operators can carry out the following tasks:-

  • Scan the network
  • Move laterally throughout the network
  • Steal account credentials and files
  • Deploy more dangerous payloads

The Gootkit loader, also known as Gootloader, ran a similar search engine result poisoning campaign last summer. Gootloader has been linked to ransomware infections in the past, most notably through a collaboration with the REvil gang in 2020 that brought the malware back into the headlines.


Abusing VLC Player

One of the key characteristics of this attack is its abuse of VLC Media Player, a widely used legitimate application.

With more than 3.5 billion downloads for the Windows operating system alone, VLC Media Player is one of the most popular pieces of software in existence.

Similar abuse of VLC has been reported in the past in connection with APT10. In this campaign the attackers used DLL sideloading: a legitimate VLC executable is made to load a malicious DLL that carries the Cobalt Strike beacon. The two files involved are:-

  • msdtc.exe: a legitimate, signed VLC Media Player executable renamed to pose as the Windows MSDTC service binary
  • libvlc.dll: the malicious DLL, detected as Trojan.Win64.COBEACON.SWG

SEO Poisoning

To target the Australian healthcare industry, Gootloader's operators relied on SEO poisoning: by planting fake posts and links to their malicious websites across many legitimate sites, they pushed those sites high into Google's search results while evading its spam filters.

As a result, in October 2022 the campaign's pages ranked highly in search results for several medical-related keywords combined with Australian city names, including:-

  • Agreement
  • Hospital
  • Health
  • Medical

SEO poisoning is a technique in which cybercriminals place a large number of posts on many legitimate websites, all of which link to the threat actor's website.

Once search engines index these legitimate sites and repeatedly encounter the same URL, they are likely to associate it with the related keywords and include it in their results.

The attacker's pages thus rank very highly for these terms in Google search results, and because the terms themselves are commonly searched, the poisoned results reach many potential victims.

In most cases, the websites Gootkit uses are legitimate sites that have been compromised. Malicious JavaScript injected into these sites displays a fake Q&A forum to visitors arriving from a search engine.

Such a forum contains fake answers to real questions, together with links to resources supposedly related to the question. Following those links infects the user's device with malware.
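Because the injected script shows the fake forum only to search-engine visitors, the quickest way to confirm a suspected poisoned page is to fetch it twice, once with no Referer and once with a search-engine Referer, and diff what comes back. The script below is an added example written for this article, not code from Trend Micro or from the campaign; the two HTML documents it compares are constructed stand-ins for a clean and a cloaked response, and the `fetch` callable is injected so the check runs offline (wrap `urllib` or `requests` for real use).

```python
"""Referrer-cloaking check for a suspected SEO-poisoned page (added example)."""
from html.parser import HTMLParser
from typing import Callable

SEARCH_REFERER = "https://www.google.com/"


class _Extractor(HTMLParser):
    """Collect visible text, external script sources and link targets."""

    def __init__(self):
        super().__init__()
        self.texts, self.scripts, self.links = [], set(), set()
        self._skip = 0  # depth inside <script>/<style>, whose bodies are not visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._skip += 1
            if a.get("src"):
                self.scripts.add(a["src"])
        elif tag == "style":
            self._skip += 1
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            text = " ".join(data.split())
            if text:
                self.texts.append(text)


def summarize(html: str) -> dict:
    p = _Extractor()
    p.feed(html)
    p.close()
    return {"text": set(p.texts), "scripts": p.scripts, "links": p.links}


def cloaking_indicators(plain_html: str, referred_html: str) -> dict:
    """What the search-referred variant adds over the plain one."""
    a, b = summarize(plain_html), summarize(referred_html)
    return {
        "extra_text": sorted(b["text"] - a["text"]),
        "extra_scripts": sorted(b["scripts"] - a["scripts"]),
        "extra_links": sorted(b["links"] - a["links"]),
    }


def is_cloaked(plain_html: str, referred_html: str) -> bool:
    return any(cloaking_indicators(plain_html, referred_html).values())


def check_url(url: str, fetch: Callable[[str, dict], str]) -> dict:
    """fetch(url, headers) -> body; injected so the check can run offline."""
    plain = fetch(url, {})
    referred = fetch(url, {"Referer": SEARCH_REFERER})
    return cloaking_indicators(plain, referred)


# Constructed sample pair (not real campaign pages).
PLAIN_PAGE = """<html><head><title>Example Clinic</title></head>
<body><h1>Welcome to Example Clinic</h1><p>Opening hours and contact details.</p>
<a href="/about">About us</a></body></html>"""

CLOAKED_PAGE = """<html><head><title>Example Clinic</title>
<script src="https://cdn.example.invalid/loader.js"></script></head>
<body><h1>Welcome to Example Clinic</h1><p>Opening hours and contact details.</p>
<a href="/about">About us</a>
<div class="qa"><h2>Q: Where can I download a hospital agreement template?</h2>
<p>A: Here is the direct download link.</p>
<a href="https://files.example.invalid/agreement_template.zip">agreement_template.zip</a></div>
</body></html>"""


def fake_fetch(url: str, headers: dict) -> str:
    """Stand-in for a real HTTP client: cloaked content only for search referrals."""
    if headers.get("Referer", "").startswith("https://www.google."):
        return CLOAKED_PAGE
    return PLAIN_PAGE


if __name__ == "__main__":
    for key, value in check_url("https://clinic.example.invalid/", fake_fetch).items():
        print(key, value)
```

A non-empty result is a lead, not proof: cloaking scripts may also key on User-Agent, client IP or cookies, so run the check from a clean address with a browser-like User-Agent and treat any extra script or download link as the thing to pull apart next.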

Additional Tools

The following additional tools and network activity were observed in the intrusion:-

  • PSHound.ps1: detected as HackTool.PS1.BloodHound.C; a SharpHound (BloodHound collector) script executed via Cobalt Strike
  • soo.ps1: detected as Trojan.Win32.FRS.VSNW0EK22
  • Multiple outbound connections from the infected host to internal machines on ports 389, 445, and 3268
  • Port 445: SMB (remote network shares)
  • Ports 389 and 3268: LDAP and LDAP Global Catalog, used for Active Directory enumeration
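The connection pattern above is what SharpHound collection looks like on the wire: LDAP queries to the domain controllers followed by SMB to many hosts. A single source fanning out to many internal destinations on those ports within a short window is a detection a network defender can write in a few lines. The script below is an added example for this article, not Trend Micro's or the article's own code; the log it parses is a constructed CSV of `timestamp,src_ip,dst_ip,dst_port` records standing in for Zeek or firewall connection logs, and the window and host thresholds are assumptions to tune for your environment.

```python
"""Fan-out detection for LDAP and SMB connections (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WATCHED_PORTS = {389: "LDAP", 3268: "LDAP-GC", 445: "SMB"}

# Constructed sample log: one workstation enumerating after a DC query, one normal host.
SAMPLE_LOG = """\
# ts,src_ip,dst_ip,dst_port
2022-10-12T09:14:02,10.0.5.23,10.0.0.10,389
2022-10-12T09:14:03,10.0.5.23,10.0.0.10,3268
2022-10-12T09:14:10,10.0.5.23,10.0.1.11,445
2022-10-12T09:14:11,10.0.5.23,10.0.1.12,445
2022-10-12T09:14:12,10.0.5.23,10.0.1.13,445
2022-10-12T09:14:13,10.0.5.23,10.0.1.14,445
2022-10-12T09:14:14,10.0.5.23,10.0.1.15,445
2022-10-12T09:14:15,10.0.5.23,10.0.1.16,445
2022-10-12T09:14:16,10.0.5.23,10.0.1.17,445
2022-10-12T09:14:17,10.0.5.23,10.0.1.18,445
2022-10-12T09:20:00,10.0.5.40,10.0.0.10,389
2022-10-12T09:20:05,10.0.5.40,10.0.2.5,445
2022-10-12T09:21:00,10.0.5.40,10.0.2.5,445
2022-10-12T09:30:00,10.0.5.23,142.250.0.1,443
"""


def parse(lines):
    """Yield (ts, src, dst, port) from CSV lines, skipping comments and blanks."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(port)


def fanout_alerts(records, window=timedelta(minutes=10), min_hosts=5):
    """Alert on a source that, within `window`, reaches at least `min_hosts`
    distinct internal hosts on the watched ports using both LDAP and SMB.
    One alert per source, covering the window with the widest fan-out."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in WATCHED_PORTS and ipaddress.ip_address(dst).is_private:
            by_src[src].append((ts, dst, port))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            hosts = {dst for _, dst, _ in win}
            ports = {port for _, _, port in win}
            if len(hosts) >= min_hosts and 445 in ports and ports & {389, 3268}:
                if best is None or len(hosts) > best["distinct_hosts"]:
                    best = {
                        "src": src,
                        "first_seen": win[0][0].isoformat(),
                        "last_seen": win[-1][0].isoformat(),
                        "distinct_hosts": len(hosts),
                        "services": sorted(WATCHED_PORTS[p] for p in ports),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

Requiring both an LDAP and an SMB leg keeps file servers and backup hosts, which legitimately touch many SMB peers, from tripping the rule on their own; vulnerability scanners and admin jump hosts will still match and belong on an allow-list.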

Deploying the Cobalt Strike beacons

In the latest Gootloader campaign, the threat actors offer a direct download link to a ZIP archive purporting to contain a healthcare-related document template.

The ZIP archive contains a JS file carrying the Gootkit loader components. When run, it drops a PowerShell script and executes it, and that script in turn downloads further malware onto the device.

At this point the malware retrieves the following two files from the command-and-control servers associated with the Gootloader campaign:-

  • msdtc.exe
  • libvlc.dll

The executable posing as the MSDTC service is in fact a legitimate, signed VLC media player binary renamed so that it appears to be that Windows service.

The DLL, named after a legitimate VLC library file, is loaded when the renamed player starts and carries the Cobalt Strike module.

Once loaded, the VLC executable spawns two processes to carry the attack forward:-

  • dllhost.exe 
  • wabmig.exe
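Every step of that chain leaves a trace in endpoint telemetry: a script host launching PowerShell, an executable named msdtc.exe running from a user directory, libvlc.dll loaded from outside the VLC install folder, and the renamed player spawning dllhost.exe and wabmig.exe. The rules below are an added example for this article, not Trend Micro's or the article's own code. They run over constructed Sysmon-style events (EventID 1 process creation with `Image`, `ParentImage` and `OriginalFileName`; EventID 7 image load with `ImageLoaded`); the user path, the wabmig.exe location and the assumption that VLC's PE header carries the OriginalFileName "vlc.exe" are made up for the demo and are not taken from the report.

```python
"""Hunting the Gootloader-to-VLC sideloading chain in endpoint events (added example)."""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
MSDTC_PATH = PureWindowsPath(r"C:\Windows\System32\msdtc.exe")  # the only legitimate home of msdtc.exe
VLC_DIRS = (r"C:\Program Files\VideoLAN\VLC", r"C:\Program Files (x86)\VideoLAN\VLC")
SUSPECT_CHILDREN = {"dllhost.exe", "wabmig.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _under(path, root):
    return str(PureWindowsPath(path)).lower().startswith(root.lower() + "\\")


def rule_script_host_launches_shell(ev):
    """The JS dropper, run by wscript/cscript, hands off to PowerShell."""
    return (ev["EventID"] == 1
            and _name(ev["ParentImage"]) in SCRIPT_HOSTS
            and _name(ev["Image"]) in SHELLS)


def rule_msdtc_outside_system32(ev):
    """Anything called msdtc.exe that is not the System32 binary is a rename."""
    return (ev["EventID"] == 1
            and _name(ev["Image"]) == "msdtc.exe"
            and PureWindowsPath(ev["Image"]) != MSDTC_PATH)  # PureWindowsPath compares case-insensitively


def rule_renamed_pe(ev):
    """Sysmon logs the PE header's OriginalFileName; a mismatch with the on-disk
    name means the file was renamed (here: VLC, assumed OriginalFileName vlc.exe)."""
    ofn = ev.get("OriginalFileName")
    return ev["EventID"] == 1 and bool(ofn) and ofn.lower() != _name(ev["Image"])


def rule_libvlc_sideload(ev):
    """libvlc.dll loaded from anywhere but the VLC install directory."""
    return (ev["EventID"] == 7
            and _name(ev["ImageLoaded"]) == "libvlc.dll"
            and not any(_under(ev["ImageLoaded"], d) for d in VLC_DIRS))


def rule_fake_msdtc_spawns_child(ev):
    """A renamed msdtc.exe spawning the processes that go on to host the beacon."""
    return (ev["EventID"] == 1
            and _name(ev["ParentImage"]) == "msdtc.exe"
            and PureWindowsPath(ev["ParentImage"]) != MSDTC_PATH
            and _name(ev["Image"]) in SUSPECT_CHILDREN)


RULES = {
    "script_host_launches_shell": rule_script_host_launches_shell,
    "msdtc_outside_system32": rule_msdtc_outside_system32,
    "renamed_pe": rule_renamed_pe,
    "libvlc_sideload": rule_libvlc_sideload,
    "fake_msdtc_spawns_child": rule_fake_msdtc_spawns_child,
}


def hunt(events):
    """Return (rule, image) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("ImageLoaded", ev["Image"])))
    return hits


# Constructed events mirroring the chain in the article; not real telemetry.
APPDATA = r"C:\Users\jdoe\AppData\Roaming"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "wscript.exe"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 1, "Image": APPDATA + r"\msdtc.exe", "ParentImage": PS, "OriginalFileName": "vlc.exe"},
    {"EventID": 7, "Image": APPDATA + r"\msdtc.exe", "ImageLoaded": APPDATA + r"\libvlc.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "ParentImage": APPDATA + r"\msdtc.exe", "OriginalFileName": "dllhost.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Mail\wabmig.exe", "ParentImage": APPDATA + r"\msdtc.exe", "OriginalFileName": "wabmig.exe"},
    # benign: the real MSDTC service and a normal VLC start
    {"EventID": 1, "Image": str(MSDTC_PATH), "ParentImage": r"C:\Windows\System32\services.exe", "OriginalFileName": "msdtc.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
]

if __name__ == "__main__":
    for rule, image in hunt(EVENTS):
        print(f"{rule:28} {image}")
```

The path and parent-child rules are the high-confidence ones; the OriginalFileName mismatch fires on plenty of legitimately renamed tools and is best used to corroborate the others rather than to alert on its own.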

These processes host the Cobalt Strike beacon activity. Detection of Cobalt Strike in a network is usually a precursor to a ransomware attack.

However, the Trend Micro researchers were not able to collect the final payload in this case, so its nature could not be determined.

Recommendation

The problem is that it can be very difficult to avoid being tricked by these poisoning campaigns.

The best way to avoid infection is therefore to follow the security advice recommended by experts:-

  • Download files only from trusted sources.
  • Enable the display of file extensions in Windows so that the actual filename is visible.
  • Do not open files with dangerous extensions (such as .js) if you do not know what they are.
  • Before executing any downloaded file, upload it to VirusTotal to check whether it is flagged as malicious.


BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.