![]() Make sure only trusted sources are used for downloading files.The problem, however, is that it can be very difficult to avoid being tricked by these poisoning campaigns when they occur.Īs a result, the best way to ensure that you do not become infected is to follow the security advises recommended by the experts and here we have mentioned them below:. However, the researchers at Trend Micro did not have any opportunity to collect the final payload in this case, which is why it could not be observed. This type of attack is usually carried out prior to a ransomware attack once Cobalt Strike is detected. ![]() ![]() There are activities associated with Cobalt Strike beacons hosted here. It is at this point in time that the malware downloads the following files via its command and control servers, as well as those associated with the Gootloader campaign:-Īn executable file that appears to be the MSDTC service is a legitimate and signed version of the VLC media player disguised in order to appear as the player.Īn infection with the Cobalt Strike module is laced into the DLL that is called after the file to start the media player, which is named after a legitimate VLC file.Ĭonsequently, the VLC executable spawns two processes in order to accomplish the further task: – Whenever this file is run, it drops a PowerShell script which it is then instructed to execute, which downloads more malware to the device once it has been launched. It is very likely that search engines will index these legitimate sites and include them in search engine results for associated keywords as soon as they see the same URL repeatedly.Ī JS file is included in this ZIP archive that contains the components of the Gootkit loader. To target the Australian healthcare industry, Gootloader recently launched a campaign to avoid Google’s spam filters by inserting false reviews around Google’s search results with links to its malicious websites with the help of SEO poisoning.Īs a result of the campaign, several medical-related keywords combined with Australian city names were ranked highly in search engine results in October 2022, including the following:-Ī technique used by cybercriminals that include the posting of many posts on many legitimate websites, all of which contain links to the threat actor’s website, is known as SEO poisoning. msdtc.exe (renamed “VLC Media Player” and a legitimate file).In order to exploit VLC Media Player and manipulate it as part of Cobalt Strike, the malware authors sideloaded the following malicious DLL to use it for their malicious purposes:. There have been reports in the past that APT10 has also engaged in similar abuses. With more than 3.5 billion downloads of VLC Media Player for the Windows operating system alone makes it is one of the most popular pieces of software out there. One of the key characteristics of this attack is its abuse of VLC Media Player, which is widely used as a legitimate application. A collaboration with the REvil gang in 2020 resulted in the malware returning to the headlines as a result of the Gootloader being associated with ransomware infections in the past. A similar search engine result poisoning campaign was launched last summer by the Gootkit loader, also known as Gootloader.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |