Cybercriminals abusing the popular VLC multimedia player to deliver Cobalt Strike beacons to targets in Australia have been caught.
The campaign, which combines SEO poisoning with the Gootkit loader, targets victims seeking healthcare in Australia.
The campaign was documented by Trend Micro, which describes how the threat actors build a malicious website designed to look like a forum thread: in reply to a question, a supposed user shares a healthcare-related agreement document template packaged inside a ZIP archive.
Poisoning search engine results pages
To get the website to rank highly on Google, the attackers "poison" the search engine results pages by planting links to the malicious site in as many articles and social media posts across the Internet as possible.
When a website is highly linked, the Google algorithm considers it authoritative and pushes it higher on its results pages. In this campaign, the researchers found that the malicious website ranked highly for medical-related keywords such as “hospital,” “health,” “medical,” and “agreement” — paired with city names in Australia.
Victims who fall for the trick and download the malicious ZIP archive to their endpoints actually receive Gootkit loader components, which subsequently drop a PowerShell script that downloads further malware onto the device. Among the files the loader fetches are a legitimate, signed copy of the VLC media player and a malicious DLL that, when executed, deploys Cobalt Strike Beacon.
The VLC executable is disguised as the Microsoft Distributed Transaction Coordinator (MSDTC) service. If the user launches it, VLC looks for the DLL file and loads it, infecting the device in what is commonly known as a DLL sideloading attack.
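The sideloading chain above leaves a few artifacts a defender can check for: a signed executable whose on-disk name differs from the name embedded in its signature metadata (VLC renamed to look like msdtc.exe), a Windows system binary name running from outside System32, and an unsigned DLL loaded from the same directory as that renamed executable. The script below is an added example, not code from the article or from Trend Micro, that runs those three checks over constructed, Sysmon-style process-creation and image-load records; the paths, PIDs and filenames are made up for illustration and are not indicators from the campaign.

```python
"""Flag the renamed-VLC / sideloaded-DLL pattern in endpoint telemetry.

Added example with constructed sample events; the field names mirror
Sysmon process-creation (event 1) and image-load (event 7) data but are
a simplification, and none of the values are real indicators.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed telemetry: one renamed VLC running from Temp with an unsigned
# sibling DLL, one genuine msdtc.exe, and one genuine VLC install.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\msdtc.exe",
     "original_file_name": "vlc.exe", "signed": True},
    {"event": "image_load", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll", "signed": False},
    {"event": "process_create", "pid": 4122,
     "image": r"C:\Windows\System32\msdtc.exe",
     "original_file_name": "msdtc.exe", "signed": True},
    {"event": "image_load", "pid": 4122,
     "image": r"C:\Windows\System32\ole32.dll", "signed": True},
    {"event": "process_create", "pid": 4130,
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "original_file_name": "vlc.exe", "signed": True},
    {"event": "image_load", "pid": 4130,
     "image": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "signed": True},
]

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
INSTALL_ROOTS = ("c:\\program files", "c:\\program files (x86)")
# System executable names that should never run from a user-writable path.
SYSTEM_BINARIES = {"msdtc.exe"}


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str
    detail: str


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def renamed_signed_binary(proc: dict) -> bool:
    """Signed PE whose file name on disk differs from its OriginalFileName."""
    on_disk = PureWindowsPath(proc["image"]).name.lower()
    original = proc.get("original_file_name", "").lower()
    return proc["signed"] and bool(original) and on_disk != original


def system_name_outside_system32(proc: dict) -> bool:
    """A Windows system binary name launched from outside the system directories."""
    path = _norm(proc["image"])
    return PureWindowsPath(path).name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS)


def sideload_candidates(events: list) -> list:
    """Return Findings for processes that match the sideloading pattern."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for pid, proc in procs.items():
        proc_dir = str(PureWindowsPath(proc["image"]).parent).lower()
        if renamed_signed_binary(proc):
            findings.append(Finding(pid, "renamed_signed_binary",
                                    f"{proc['image']} has OriginalFileName {proc['original_file_name']}"))
        if system_name_outside_system32(proc):
            findings.append(Finding(pid, "system_name_outside_system32", proc["image"]))
        for load in (e for e in events if e["event"] == "image_load" and e["pid"] == pid):
            dll_dir = str(PureWindowsPath(load["image"]).parent).lower()
            # An unsigned DLL pulled from the executable's own directory, when that
            # directory is neither a system dir nor a normal install root, is the
            # classic sideload footprint.
            if (not load["signed"] and dll_dir == proc_dir
                    and not proc_dir.startswith(SYSTEM_DIRS + INSTALL_ROOTS)):
                findings.append(Finding(pid, "unsigned_sibling_dll", load["image"]))
    return findings


if __name__ == "__main__":
    for f in sideload_candidates(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.reason}: {f.detail}")
```

Only the process running from the Temp directory trips the checks; the genuine msdtc.exe in System32 and the properly installed VLC (whose libvlc.dll is signed and sits under Program Files) produce no findings. In production the OriginalFileName and signature fields would come from the EDR or Sysmon pipeline rather than from a hand-built list.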
Cobalt Strike is a commercial penetration-testing tool that lets the operator deploy an agent called "Beacon" on the victim machine. Cybercriminals use it to scan the target network, move laterally, steal passwords and other sensitive data, and spread more destructive malware. Cobalt Strike Beacon infections are often followed by a ransomware attack.
Via: BleepingComputer