Digital Health Cyber Security Alert - GootKit Loader malware variant targeting Australian healthcare organisations

23 January, 2023

Cyber Security Alert

GootKit Loader malware variant actively targeting Australian healthcare organisations

What’s happened?

  • Trend Micro has reported that a malware variant known as GootKit Loader (also written GootLoader) is actively targeting Australian healthcare organisations.
  • Using a tactic known as ‘search engine optimisation poisoning’, cybercriminals are hosting the malware on compromised websites, on pages designed to look like forum posts.

See sample below:

  • Search engine optimisation poisoning is a tactic in which cybercriminals create many posts on legitimate sites that include links to the threat actor's websites.
  • This attack is a concern because it relies on the user searching Google for keywords of relevant interest, for example agreement, hospital, health, and medical. Australian city names have also been cited.
  • If a user visits the malicious website link, it will download a “.zip” file containing a “.js” file; running that file installs the malware and gives the cybercriminals access to the user’s network.
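The delivery chain above (a downloaded .zip whose payload is a .js script, named after the searched-for lure terms) can be checked at a mail or download gateway. The following is an added example for this alert, not code from Trend Micro or the Australian Digital Health Agency; the extension list, lure keywords and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows Script Host or the shell executes on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Lure terms the alert says the poisoned search results target.
LURE_KEYWORDS = ("agreement", "hospital", "health", "medical")


def suspicious_script_members(zip_bytes: bytes) -> list[str]:
    """Return member names whose final extension is a directly executable script.

    Only the last suffix is examined, so a double extension such as
    'agreement.pdf.js' is still caught.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def gootloader_like(zip_bytes: bytes) -> bool:
    """True when the archive carries a script whose name uses one of the lure terms."""
    return any(
        any(kw in name.lower() for kw in LURE_KEYWORDS)
        for name in suspicious_script_members(zip_bytes)
    )


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed test archive in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: a lure archive shaped like the one described, and a benign document.
LURE_ZIP = build_sample_zip({"hospital agreement template.js": b"// placeholder, not malware"})
BENIGN_ZIP = build_sample_zip({"hospital agreement template.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        verdict = "quarantine" if gootloader_like(blob) else "allow"
        print(f"{label}: {verdict} {suspicious_script_members(blob)}")
```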

How could this affect me?

  • The GootLoader malware is used to infiltrate an organisation’s network to steal valuable data and to establish a backdoor through which the attacker can install further malware such as ransomware.
  • This can lead to disruption of an organisation’s systems or result in the theft of information that is of value. Attackers may exploit the access or sell access to another criminal group.

What do I need to do?

  1. Notify your staff of the ongoing campaign. Ensure they are aware of the indicators of a malicious GootLoader website, such as an incorrect or suspicious website domain name.
  2. Never open website links or attachments on a malicious website. Staff looking for official documents should download content from the authoritative source or consult internally.
  3. If a suspected GootLoader infection occurs, ensure all infected devices are isolated immediately and reimaged to prevent further spread.
  4. If your organisation has been affected and your organisation has access to the My Health Record system, please inform the Australian Digital Health Agency immediately at the email address listed at the end of this email.

Where can I get more information?

  1. https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html
  2. https://www.bleepingcomputer.com/news/security/gootkit-malware-abuses-vlc-to-infect-healthcare-orgs-with-cobalt-strike/