
GootLoader Malware, SEO Poisoning Impacting Healthcare

Cybereason observed new deployment methods of the GootLoader malware loader, as well as SEO poisoning techniques that are impacting the healthcare and finance sectors in particular.

New deployment methods of the GootLoader malware loader, search engine optimization (SEO) poisoning tactics, and the deployment of additional C2 frameworks such as Cobalt Strike and SystemBC are impacting the healthcare and finance sectors, the Cybereason Incident Response (IR) team found.

Cybereason rated the threat as “severe” due to the potential damage that could be caused by these attacks.

“GootLoader has security evasion in mind: Cybereason IR team observed large payloads (40MB and more) masquerading with legitimate JavaScript code, in order to evade security mechanisms,” a Cybereason blog post explained.
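The one concrete evasion detail above is file size: a script lure of 40 MB or more that opens with ordinary library code. A cheap triage check is simply to hunt user-writable locations for script files above that size. The hunt below is an added example, not Cybereason's tooling; the extension watch list, the 40 MB threshold and the fixture file names are assumptions, and the demo builds a constructed temporary directory with a small library-looking `.js` file beside a padded one so it runs offline.

```python
"""Hunt for oversized script files, a GootLoader-style lure trait.

Added example, not Cybereason's code. The extension list and threshold
are assumptions chosen from the 40 MB figure quoted in the article.
"""
import os
import tempfile
from pathlib import Path

# Cybereason reported payloads of 40 MB and larger; a script file that big
# in a user download location is unusual enough to pull for triage.
DEFAULT_MIN_BYTES = 40 * 1024 * 1024
# Extensions handled by Windows Script Host (assumed watch list).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")


def find_oversized_scripts(root, min_bytes=DEFAULT_MIN_BYTES, exts=SCRIPT_EXTS):
    """Walk root and return [(path, size)] for script files >= min_bytes, largest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable, or removed between listing and stat
            if size >= min_bytes:
                hits.append((str(path), size))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def demo(min_bytes=1 * 1024 * 1024):
    """Build a constructed fixture and hunt it, returning the flagged file names.

    A 1 MB threshold keeps the demo fast; real hunts should use DEFAULT_MIN_BYTES.
    The fixture mimics the article's description: one genuinely small library
    file and one file that starts like a library but is padded far past size.
    """
    root = Path(tempfile.mkdtemp(prefix="script-hunt-"))
    # Constructed: a normal minified library, a few dozen bytes.
    (root / "jquery.min.js").write_text("/*! jQuery v3.x */ (function(){})();\n")
    # Constructed: document-themed lure name, legitimate-looking header, bloated body.
    padded = root / "invoice_agreement.js"
    line = b"var pad = 0;\n"
    with padded.open("wb") as fh:
        fh.write(b"/*! legitimate library header */\n")
        fh.write(line * (min_bytes // len(line) + 1))  # guaranteed past threshold
    # Constructed: non-script file of any size is ignored by the extension filter.
    (root / "readme.txt").write_text("not a script\n")
    return [os.path.basename(p) for p, _size in find_oversized_scripts(root, min_bytes)]


if __name__ == "__main__":
    for name in demo():
        print("flagged:", name)
```

Point `find_oversized_scripts` at the directories a browser or mail client writes to (the user's Downloads and Temp folders on Windows) rather than at the whole disk, since build trees and node_modules legitimately contain large JavaScript bundles and would flood the results.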

Cybereason’s IR team first responded to the threat in December 2022, when threat actors leveraged new deployment methods of GootLoader. Specifically, threat actors were observed hosting the infection payload on a compromised WordPress site.

“SEO Poisoning and Google service abuse like Google Ads are becoming a trend amongst malware operators to distribute their payloads,” the blog post explained.

SEO poisoning pushes attacker-controlled or compromised websites higher in search engine results for terms victims are likely to search, so more people click through; once on the page, victims were lured into downloading the malicious payload themselves.

“Following the GootLoader infection, the Cybereason IR team observed hands-on keyboard activities which led to further deployment of attack frameworks, Cobalt Strike and SystemBC,” Cybereason added.

“The threat actor leveraged these frameworks following the infection phase and during the lateral movement phase.”

Cybereason described the threat actors as “aggressive,” having displayed “fast-moving behaviors” and escalated privileges in less than four hours. These threat actors are known to target healthcare and finance companies in English-speaking countries, such as the US, the United Kingdom, and Australia.

To contain GootLoader infections and the SystemBC or Cobalt Strike post-exploitation activity that follows them, Cybereason recommended that network defenders identify and block malicious network connections, reset Active Directory access, and engage incident response as soon as malicious activity is detected.
