The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons.
The campaign goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks. From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware.
In a new report by
Trend Micro, researchers explain that Gootloader's recent campaign uses SEO poisoning to inject its malicious websites into Google search results to target the Australian healthcare industry. The campaign started in October 2022 and managed to rank highly in search results for medical-related keywords, such as "agreement", "hospital", "health", and "medical" combined with Australian city names.
SEO poisoning is a tactic that cybercriminals employ, creating many posts on many legitimate sites that include links to the threat actor's websites.
