The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Sector Warned About Increase in GootLoader Malware Infections

Security researchers have issued warnings following an increase in cyberattacks distributing a malware variant called GootLoader. GootLoader is a malware loader, first identified in 2014, that has grown into one of the most significant malware threats. The threat group behind the campaign is highly capable, has been evolving its tactics, and is actively developing the malware to better evade security defenses.

The delivery of GootLoader is the first stage of an attack chain in which multiple malicious payloads are delivered, such as Cobalt Strike Beacon, FoneLaunch, and SnowCone. FoneLaunch is a .NET loader that loads encoded payloads in memory, and SnowCone is a downloader that retrieves and executes the payloads used in the next stage of the attack, including IcedID, a banking Trojan that also serves as a malware dropper.

According to security researchers at Mandiant, GootLoader appears to be used exclusively by a threat actor it tracks as UNC2565. In 2022, UNC2565 adopted notable new tactics, techniques, and procedures (TTPs) and is actively evolving its TTPs to improve the effectiveness of its campaigns, including adding new components and obfuscations to the infection chain. GootLoader is primarily spread through compromised websites. Traffic is driven to those websites using SEO poisoning, which involves creating web content using search engine optimization tactics so the sites rank highly in search results for specific business-related search terms. Those terms typically relate to business documents such as contract templates and service-level agreements. When a user arrives on the site, they are tricked into downloading a malicious file, typically a ZIP archive containing an obfuscated JavaScript file that masquerades as the document being searched for. If that file is executed, the infection chain is initiated, leading to GootLoader being installed and further malicious payloads being delivered and executed.

Mandiant says UNC2565 changed the attack sequence in November 2022 and modified the .js file in the ZIP file to deliver a new variant dubbed GootLoader.PowerShell, which writes a second JavaScript file to the system disk that reaches out to 10 hard-coded URLs and exfiltrates system information. The new variant was used in a wave of attacks on the healthcare sector in Australia in late 2022.
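The lure described above (a ZIP archive whose only member is a bulky, obfuscated .js file named like the document the victim searched for) is cheap to triage at the download or mail gateway. The following is an added example written for this page, not code from Mandiant, Cybereason, or the HIPAA Journal; the script extensions, document keywords, size threshold and newline-density cut-off are assumptions chosen to illustrate the heuristic, and the sample archive it builds is constructed, not a real lure.

```python
"""Triage downloaded ZIP archives for GootLoader-style lures (added example).

All heuristics below are assumptions, not indicators taken from the reports
cited in the article:
  * a script member (.js/.jse/.wsf/.vbs/...) inside the archive,
  * a member name that imitates a business document,
  * a single-member archive (the lure is the only file),
  * a bulky script body with very few line breaks (crude obfuscation signal).
"""
import io
import re
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
DOC_WORDS = re.compile(r"(agreement|contract|template|invoice|policy|form|sla)", re.I)
MIN_OBFUSCATED_BYTES = 20_000   # assumption: lure scripts are padded with junk code
MAX_LINES_PER_KB = 2.0          # assumption: very few newlines per KB suggests obfuscation


def triage_zip(data: bytes) -> dict:
    """Return a dict of findings and a verdict for one ZIP archive given as bytes."""
    findings = {"script_members": [], "document_like_names": [],
                "single_member": False, "bulky_low_newline": [], "score": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        findings["single_member"] = len(members) == 1
        for m in members:
            name = m.filename.lower()
            if not name.endswith(SCRIPT_EXTS):
                continue
            findings["script_members"].append(m.filename)
            if DOC_WORDS.search(name):
                findings["document_like_names"].append(m.filename)
            body = zf.read(m)
            kb = max(len(body) / 1024, 0.001)
            if len(body) >= MIN_OBFUSCATED_BYTES and body.count(b"\n") / kb < MAX_LINES_PER_KB:
                findings["bulky_low_newline"].append(m.filename)
    score = (2 * len(findings["script_members"])
             + 2 * len(findings["document_like_names"])
             + (1 if findings["single_member"] and findings["script_members"] else 0)
             + 2 * len(findings["bulky_low_newline"]))
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 4 else "benign"
    return findings


def build_sample_zip(member_name: str, body: bytes) -> bytes:
    """Constructed sample input: a one-file ZIP shaped like the lures described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: a ~24 KB single-line script named like a contract template.
    junk = b"var a" + b"+'x'" * 6000 + b";\n"
    lure = build_sample_zip("service_level_agreement_template_48213.js", junk)
    print(triage_zip(lure))        # verdict: suspicious
    benign = build_sample_zip("contract_template.docx", b"document bytes")
    print(triage_zip(benign))      # verdict: benign
```

The score is deliberately additive so that a lone signal (a legitimate .vbs in an installer package, say) stays below the threshold, while the combination the article describes, script plus document-like name plus single member plus obfuscated body, scores well above it.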


Security researchers at Cybereason have also issued a warning about UNC2565 following an increase in attacks in the United States, United Kingdom, and Australia. In addition to SEO poisoning, Cybereason researchers say the group has started using Google Ads to drive traffic to their malicious websites and is now using Cobalt Strike and SystemBC for data exfiltration. New tactics identified include multiple JavaScript loops that delay the execution process, which they believe have been adopted to evade sandbox mechanisms. They also report that after GootLoader is executed, the threat actors move quickly and manually deploy attack frameworks, elevate privileges, and move laterally within compromised networks. That process typically takes less than 4 hours. While multiple sectors have been targeted, attacks have primarily been focused on organizations in the finance and healthcare sectors, with Cybereason’s researchers considering the threat level to be severe.
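Because the operators move from script execution to hands-on-keyboard activity in under four hours, the detection that matters most is the one that fires at the first step: a Windows script host executing a .js file from a user-writable download location, followed by a PowerShell or other living-off-the-land child. The following is an added example for this page, not a rule published by Cybereason or Mandiant; the JSON event layout is a constructed stand-in for EDR or Sysmon process-creation telemetry, and the path patterns, child-process list and five-minute correlation window are assumptions.

```python
"""Correlate script-host execution of a downloaded .js with follow-on processes
(added example; event format and thresholds are assumptions, events are constructed)."""
import json
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FOLLOW_ON = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)  # assumption: where lures land
SCRIPT_ARG = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.I)
WINDOW = timedelta(minutes=5)                                      # assumption


def _parse(line: str) -> dict:
    """One JSON process-creation event -> dict with parsed timestamp and bare image name."""
    e = json.loads(line)
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["image"] = e["image"].rsplit("\\", 1)[-1].lower()
    return e


def detect(lines) -> list:
    """Return one alert per script host that ran a script from a user-writable path.

    Severity is raised to 'high' when a follow-on process (PowerShell etc.) is
    spawned by that script host within WINDOW of its start.
    """
    events = sorted((_parse(l) for l in lines), key=lambda e: e["ts"])
    suspects = {}
    for e in events:
        if (e["image"] in SCRIPT_HOSTS
                and SCRIPT_ARG.search(e["cmdline"])
                and USER_WRITABLE.search(e["cmdline"])):
            suspects[e["pid"]] = {"host": e["image"], "cmdline": e["cmdline"],
                                  "ts": e["ts"], "children": []}
    for e in events:
        parent = suspects.get(e.get("ppid"))
        if parent and e["image"] in FOLLOW_ON and timedelta(0) <= e["ts"] - parent["ts"] <= WINDOW:
            parent["children"].append(e["image"])
    return [{"pid": pid, **s, "severity": "high" if s["children"] else "medium"}
            for pid, s in suspects.items()]


# Constructed sample telemetry: a lure run from Downloads, its PowerShell child,
# a benign vendor .vbs from Program Files, and an unrelated child process.
SAMPLE_EVENTS = [json.dumps(d) for d in [
    {"ts": "2023-02-01T10:14:55", "pid": 1000, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2023-02-01T10:15:00", "pid": 4242, "ppid": 1000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\contract_template_48213\contract_template_48213.js"'},
    {"ts": "2023-02-01T10:15:03", "pid": 4300, "ppid": 4242,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\jdoe\AppData\Local\Temp\stage2.ps1"},
    {"ts": "2023-02-01T10:15:10", "pid": 4400, "ppid": 4242,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2023-02-01T10:20:00", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maint.vbs"'},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["host"], alert["children"])
```

The vendor .vbs is not flagged because it runs from Program Files rather than a user-writable directory; tune USER_WRITABLE to the locations your browsers and mail clients actually write to, and note that the correlation is keyed on the parent PID recorded at process creation, so it only works on telemetry that preserves parent-child relationships.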

Researchers at both companies say UNC2565 is actively developing its TTPs and increasing its capabilities, and organizations in the healthcare sector should be on high alert. Network defenders can obtain further information on the TTPs, Indicators of Compromise (IoCs), and recommended mitigations in the GootLoader reports from Mandiant and Cybereason.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
