It has come to light that cybercriminals targeting users in Australia have been abusing the widely used VLC media player to deliver the Cobalt Strike beacon.
The campaign combines search engine optimization (SEO) poisoning with the Gootkit loader malware to target people searching for Australian healthcare facilities.
Trend Micro, which uncovered the malware, described how the attackers set up a fake forum page on which a supposed user answered a question by posting a ZIP archive that claimed to contain a healthcare agreement document template.
Search engine result pages are being “poisoned”
They then “poisoned” search engine results pages by planting links to the rogue site in as many online articles and social media posts as they could.
When Google sees a site with many inbound links, it treats that site as an authority on the topic and ranks it higher. Researchers found that the malicious site ranked well for medical-related keywords including “hospital,” “health,” “medical,” and “agreement” combined with the names of Australian cities.
If the victim falls for the ruse, downloads the malicious ZIP archive and opens its contents, the Gootkit loader components run and drop a PowerShell script that fetches further malware. The loader retrieves several files, among them a genuine, digitally signed copy of the VLC media player and a malicious DLL that, once loaded, launches the Cobalt Strike beacon.
The legitimate VLC executable is renamed so that it appears to be Microsoft’s Distributed Transaction Coordinator (MSDTC), a Windows component whose real binary lives in System32. The malicious DLL is given the name of a library that VLC loads at start-up and is placed in the same folder as the renamed executable. In what is known as DLL side-loading, Windows resolves that library name to the attacker’s copy sitting next to the executable, so launching the renamed VLC causes a validly signed, trusted binary to load the malicious DLL and infect the machine. Because the loading process is genuine VLC and its file name suggests a Windows service, the activity blends in with normal system behaviour unless the executable’s location and signer are checked.
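The masquerading and side-loading pattern described above is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Trend Micro: two detection rules run over constructed Sysmon-style records (field names follow Sysmon’s ProcessCreate and ImageLoad events). Every path, signer, file name and the `Event` shape are assumptions made for the demonstration; `libvlc.dll` is used as the side-loaded library only because it is a DLL that `vlc.exe` genuinely imports, not because this page names the campaign’s DLL.

```python
"""Added example, not code from the article or from Trend Micro: two detection
rules for the technique described above, run over constructed Sysmon-style
records. Field names follow Sysmon's ProcessCreate (event 1) and ImageLoad
(event 7) events; every path, signer and file name below is made up for the
demonstration, and "libvlc.dll" is used only because it is a library that
vlc.exe genuinely imports, not because the page names the campaign's DLL."""
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int                 # 1 = ProcessCreate, 7 = ImageLoad
    image: str                    # full path of the running process
    image_loaded: str = ""        # full path of the DLL (ImageLoad only)
    signed: bool = False          # signature status of Image (1) / ImageLoaded (7)
    signer: str = ""              # Authenticode subject name, "" if unsigned
    original_file_name: str = ""  # OriginalFileName from the PE version resource


# Where genuine Windows service binaries such as msdtc.exe live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Locations where an application loading DLLs from its own folder is expected.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)") + SYSTEM_DIRS
# System binaries an attacker may rename a signed third-party EXE to, and who
# should have signed the real one.
SYSTEM_BINARIES = {"msdtc.exe": "Microsoft Windows"}


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def masquerade_alerts(events):
    """ProcessCreate events whose file name matches a Windows system binary but
    whose location, signer or PE OriginalFileName says otherwise.
    Returns [(image_path, [reasons...]), ...]."""
    alerts = []
    for e in events:
        if e.event_id != 1:
            continue
        expected_signer = SYSTEM_BINARIES.get(_name(e.image))
        if expected_signer is None:
            continue
        reasons = []
        if _dir(e.image) not in SYSTEM_DIRS:
            reasons.append("runs outside System32/SysWOW64")
        if e.signer != expected_signer:
            reasons.append(f"signed by {e.signer or 'nobody'}, not {expected_signer}")
        if e.original_file_name and e.original_file_name.lower() != _name(e.image):
            reasons.append(f"PE OriginalFileName is {e.original_file_name}")
        if reasons:
            alerts.append((e.image, reasons))
    return alerts


def sideload_alerts(events):
    """ImageLoad events where a process running from a user-writable folder
    loads a DLL from that same folder which is unsigned or signed by someone
    other than the process itself. Returns [(image, image_loaded, reason), ...]."""
    process_signer = {e.image.lower(): e.signer for e in events if e.event_id == 1}
    alerts = []
    for e in events:
        if e.event_id != 7 or not e.image_loaded:
            continue
        proc_dir = _dir(e.image)
        if proc_dir != _dir(e.image_loaded) or proc_dir.startswith(TRUSTED_ROOTS):
            continue
        owner = process_signer.get(e.image.lower(), "")
        if not e.signed:
            alerts.append((e.image, e.image_loaded, "unsigned DLL loaded from the process's own folder"))
        elif owner and e.signer != owner:
            alerts.append((e.image, e.image_loaded, f"DLL signed by {e.signer}, process by {owner}"))
    return alerts


# Constructed sample telemetry: the infection chain from the article next to two benign cases.
DROP = r"C:\Users\victim\AppData\Local\Temp\agreement"
SAMPLE_EVENTS = [
    # genuine, signed VLC renamed to msdtc.exe and run from the unpacked ZIP folder
    Event(1, DROP + r"\msdtc.exe", signed=True, signer="VideoLAN", original_file_name="vlc.exe"),
    # ...which then loads the attacker's unsigned DLL sitting beside it
    Event(7, DROP + r"\msdtc.exe", DROP + r"\libvlc.dll", signed=False),
    # the real MSDTC service loading one of its own libraries
    Event(1, r"C:\Windows\System32\msdtc.exe", signed=True, signer="Microsoft Windows", original_file_name="msdtc.exe"),
    Event(7, r"C:\Windows\System32\msdtc.exe", r"C:\Windows\System32\msdtcprx.dll", signed=True, signer="Microsoft Windows"),
    # a normal VLC install loading its own signed library
    Event(1, r"C:\Program Files\VideoLAN\VLC\vlc.exe", signed=True, signer="VideoLAN", original_file_name="vlc.exe"),
    Event(7, r"C:\Program Files\VideoLAN\VLC\vlc.exe", r"C:\Program Files\VideoLAN\VLC\libvlc.dll", signed=True, signer="VideoLAN"),
]

if __name__ == "__main__":
    for image, reasons in masquerade_alerts(SAMPLE_EVENTS):
        print("MASQUERADE", image, "|", "; ".join(reasons))
    for image, dll, reason in sideload_alerts(SAMPLE_EVENTS):
        print("SIDELOAD", image, "->", dll, "|", reason)
```

Run against the constructed sample, the first rule fires once (the renamed VLC runs outside System32, is signed by VideoLAN rather than Microsoft, and its PE resource still says `vlc.exe`) and the second fires once (an unsigned DLL loaded from the drop folder); the genuine MSDTC and the normally installed VLC produce nothing. With real Sysmon data the same logic maps onto the `Image`, `ImageLoaded`, `Signed`, `Signature` and `OriginalFileName` fields; the point is that neither rule needs the attacker’s hashes, only the contradiction between where and by whom a binary should run and where it actually does.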
Cobalt Strike is a commercial adversary-simulation and penetration testing tool that lets an operator install an agent called “Beacon” on a target system. Attackers use it to probe the compromised host for weaknesses, move laterally across the network, steal credentials and other sensitive data, and ultimately deploy further payloads. In many intrusions, deployment of a Cobalt Strike beacon is followed by a ransomware attack.