Malware Activity
New SEO Poisoning Campaign Utilizing "Gootkit" Malware Loader Targets the Australian Healthcare Sector
The operators of the "Gootkit" malware loader (otherwise known as "Gootloader") have started a new search engine optimization (SEO) poisoning campaign targeting Australian healthcare organizations. This campaign leverages VLC Media Player in order to deploy the post-exploitation toolkit Cobalt Strike onto compromised machines in order to establish initial access into the corporate networks. Trend Micro researchers detailed that the campaign began in October of 2022 and was able to rank highly in Google's search results for medical-related keywords, including "enterprise agreement", "hospital", "medical", and "health" when combined with Australian city names. The websites commonly used in Gootkit campaigns are compromised sites with JavaScript injected to display fraudulent Q&A forums containing links to the malware. The threat actors in this latest campaign are utilizing "a direct download link for what is supposedly a healthcare-related agreement document template inside a ZIP archive." Once the archive is opened by a victim and the JavaScript file is launched, the Gootkit loader malware is downloaded to the machine. The malware downloads an executable that is a legitimate and signed copy of VLC Media Player that is disguised as the Microsoft Distributed Transaction Coordinator (MSDTC) service. The malware also downloads a dynamic linked library (DLL) that is embedded with the Cobalt Strike module. When the executable is launched, a DLL side-loading attack commences that leads to a PowerShell script initiating the final execution chain events that allow the actors to "perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware." It should be noted that the PowerShell script retrieves data only after a waiting period of a few hours to roughly two (2) days, which is "a distinctive feature of Gootkit loader's operation." Technical analysis as well as indicators of compromise (IOCs) can be viewed in Trend Micro's report linked below.
Threat Actor Activity
Threat Profile: Dark Pink
An emerging threat organization has shown their presence after targeting military and government organizations throughout Europe and the Asia-Pacific region. Tracked as Dark Pink, this organization has been reportedly active since mid-2021 and is currently not attributed to any other threat affiliates. Activity from Dark Pink actors significantly increased through the back half of 2022 and seven (7) cyber espionage related attacks have been uncovered so far. These espionage attacks targeted two (2) military clusters in Malaysia and the Philippines, a religious organization in Vietnam, and government agencies throughout the region. Tactics, techniques, and procedures (TTPs) observed thus far show that Dark Pink actors utilize social engineering tactics to deliver malicious payloads to victims. Through phishing correspondence(s) posing as an individual applying for an internship, threat actors embedded a hyperlink which brings the victim to a file sharing platform where malicious payloads are downloaded. Prior to infection, the downloaded file(s) communicated back to GitHub and downloaded further malicious scripts to further the infection. As it stands, the same GitHub repository was utilized throughout the cyberespionage attacks. Malicious payloads utilized by the group include “Ctealer”, “Cuck Stealer”, and “KamiKaKaBot”, which were used to infect and exfiltrate sensitive information, capturing audio recordings, and other data from messaging platforms. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Adds Windows EOP Vulnerability to the KEV
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft zero-day vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw no later than January 31, 2023. The vulnerability, tracked as CVE-2023-21674, is a Windows Advanced Local Procedure Call (ALPC) elevation of privilege (EOP) vulnerability. ALPC is an inter-process message-passing protocol allowing applications to access APIs and services, as well as make Remote Procedure Calls (RPC), requesting services from programs located in another system on a network. If successfully exploited, an attacker could perform a sandbox escape, escalating their local privileges to SYSTEM, giving them the permissions they need to carry out follow-on attacks. Once an actor has escalated their privileges, they could make configuration changes, view sensitive data, and create more privileged user accounts, as well as download malicious programs. EOP vulnerabilities are usually exploited in tandem with malware, as well as other vulnerabilities like remote code execution (RCE). This flaw affects millions of organizations across the world, and due to its low complexity, it can be exploited without any victim user interaction. CTIX analysts urge all Windows users to update to the most recent secure patch immediately to prevent exploitation.
