VLC media player is being hijacked to send out malware

Cybercriminals have been discovered misusing the popular VLC multimedia player to send Cobalt Strike beacons to targets in Australia.

The campaign combines SEO poisoning with the Gootkit loader malware and targets victims searching for care facilities in Australia.

Trend Micro, which discovered the campaign, describes how the attackers created a malicious website designed to look like a forum, in which a user, answering a question, shared a healthcare agreement document template in a ZIP archive.

“Poisoning” search engine results pages

Then, to get the website ranked highly in Google, they “poisoned” the search engine results pages by adding the link to the malicious site to as many articles and social media posts online as possible.

Whenever there is a lot of linking to a website, Google’s algorithm considers it authoritative and pushes it higher on the results pages. In this campaign, the researchers found that the malicious website scored highly on medical-related keywords such as “hospital”, “health”, “medical” and “agreement” – in combination with the names of cities in Australia.

Victims who fall for the trick and download the malicious ZIP archive to their endpoints actually get Gootkit loader components that later drop a PowerShell script that downloads more malware to the target device. Among the files the loader grabs are a legitimate, signed copy of the VLC media player and a malicious DLL file that, when activated, deploys the Cobalt Strike beacon.

The VLC executable is disguised as the Microsoft Distributed Transaction Coordinator (MSDTC) service. If the user runs it, VLC looks for the DLL file alongside it and loads it, infecting the device in what is commonly known as a DLL side-loading attack.
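The chain above has a recognisable shape on the endpoint: a legitimately signed binary running under a name that is not its own (a VLC executable posing as MSDTC) and loading an unsigned DLL from the same user-writable directory. The following detection sketch is an added example and is not code from the article, Trend Micro or VLC. It assumes Sysmon-style events (event 1 process creation with an `OriginalFileName` field, event 7 image load with `Signed` and `SignatureStatus`); the sample events are constructed for the demo and are not real telemetry.

```python
"""Added example: flag a renamed, signed binary that loads an untrusted DLL from
its own non-system directory, the pattern behind the VLC / MSDTC side-loading
described above. Input is a list of Sysmon-style events (constructed here).
"""
from __future__ import annotations
import ntpath

# Directories a genuine MSDTC or other system binary would normally run from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def _in_system_dir(path: str) -> bool:
    # str.startswith accepts a tuple of prefixes.
    return _dirname(path).startswith(SYSTEM_DIRS)


def renamed_binary(evt: dict) -> bool:
    """True for a process-creation event whose on-disk file name differs from
    the OriginalFileName recorded in the PE version resource."""
    if evt.get("EventID") != 1:
        return False
    on_disk = ntpath.basename(evt["Image"]).lower()
    original = evt.get("OriginalFileName", "").lower()
    return bool(original) and original != "-" and original != on_disk


def find_sideload_candidates(events: list[dict]) -> list[dict]:
    """Correlate renamed-binary process creations with image loads from the same
    non-system directory where the DLL is unsigned or its signature is not Valid."""
    renamed = {e["ProcessGuid"]: e for e in events if renamed_binary(e)}
    findings = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        proc = renamed.get(e["ProcessGuid"])
        if proc is None:
            continue
        dll = e["ImageLoaded"]
        same_dir = _dirname(dll) == _dirname(proc["Image"])
        untrusted = (e.get("Signed", "false").lower() != "true"
                     or e.get("SignatureStatus", "") != "Valid")
        if same_dir and not _in_system_dir(dll) and untrusted:
            findings.append({
                "process": proc["Image"],
                "claims_to_be": proc["OriginalFileName"],
                "dll": dll,
                "reason": "renamed signed binary loaded an untrusted DLL from its own directory",
            })
    return findings


# Constructed sample events (hypothetical paths and GUIDs, not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the real MSDTC running from System32 and loading a signed system DLL.
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\msdtc.exe",
     "OriginalFileName": "msdtc.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: a VLC binary renamed msdtc.exe in a user-writable folder, loading
    # an unsigned libvlc.dll (the library name VLC legitimately looks for) next to it.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "OriginalFileName": "vlc.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "ImageLoaded": r"C:\Users\alice\AppData\Roaming\libvlc.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Same process loading a signed system DLL: not flagged.
    {"EventID": 7, "ProcessGuid": "{B2}", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f)
```

Run against the sample, only the renamed VLC process loading the unsigned `libvlc.dll` from `AppData\Roaming` is reported; the genuine MSDTC and the signed `ntdll.dll` load are not. On a real fleet the same two conditions (name mismatch plus untrusted DLL from the process's own non-system directory) are a cheap first filter before looking at the DLL's hash or signer.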

Cobalt Strike is a commercial pen testing tool that allows the user to deploy an agent called ‘Beacon’ on the victim’s machine. Cybercriminals use it to scan the target network, move laterally, steal passwords and other sensitive data, and deploy more devastating malware. Cobalt Strike beacons are often followed by a ransomware attack.

Via: BleepingComputer
