Cybercriminals have been discovered abusing the popular VLC multimedia player to deliver Cobalt Strike beacons to targets in Australia.
The campaign includes SEO poisoning and the Gootkit loader malware (opens in new tab) and targets victims searching for healthcare institutions in Australia.
The malware was discoverd by Trend Micro, with described how the threat actors created a malicious website, designed to look like a forum, where a user shared a healthcare-related agreement document template inside a ZIP archive, in response to a query.
“Poisoning” search engine results pages
Then, in order to get the website to rank high on Google, they “poisoned” the search engine results pages by adding the link to the malicious site to as many articles and social media posts online, as possible.
Whenever a website is heavily linked to, Google’s algorithm perceives it as authoritative and pushes it higher on its results pages. In this campaign, the researchers found the malicious website ranking highly for medical-related keywords such as “hospital”, “health”, “medical”, and “agreement” – paired with the names of cities in Australia.
Victims that fall for the trick and download the malicious ZIP archive onto their endpoints would actually get Gootkit loader components which later drop a PowerShell script that downloads more malware onto the target device. Among the files the loader grabs is a legitimate, signed copy of the VLC media player and a malicious DLL file that, when triggered, deploys the Cobalt Strike beacon.
The VLC media player file is shown as the Microsoft Distributed Transaction Coordinator (MSDTC) service. If the user runs it, VLC will look for the DLL file and run it, infecting the device in what’s generally known as a side-loading attack.
Cobalt Strike is a commercial pentesting tool allowing the user to deploy an agent named ‘Beacon’ on the victim machine. Cybercriminals use it to scan the target network, move laterally, steal passwords and other sensitive data, and deploy more devastating malware. Cobalt Strike beacons are often followed up with a ransomware attack.
Via: BleepingComputer (opens in new tab)
