The group behind the Gatak Trojan (Trojan.Gatak) has turned to healthcare as its key target.
Gatak is known for infecting its victims through websites promising product licensing keys for pirated software; in the past, the insurance sector was also heavily targeted by the group. These sites offer product key generators, or “keygens”, for pirated software. The malware is bundled with the key generator and, if the victim is tricked into downloading and opening one of these files, it is surreptitiously installed on the computer.
According to Symantec, the majority of Gatak infections (62%) occur on enterprise computers, and of the top 20 most affected organizations (those with the most infected computers), 40% were in the healthcare sector.
“Little is known about the group behind Gatak, although the corporate nature of its targets, along with the absence of zero-day vulnerabilities or advanced malware modules, suggests that it may be cybercriminal in nature; however, there are also capabilities within the malware for more traditional espionage operations,” Symantec noted. “It is unclear how Gatak is profiting from its attacks. One possibility is data theft, with the attackers selling personally identifiable information and other stolen data on the cyber-underground. This could explain the attackers’ heavy focus on the healthcare sector, with healthcare records usually selling for more than other personal information.”
It could also be that the healthcare sector is simply the most susceptible to this kind of attack.
“Healthcare organizations can often be pressurized, under-resourced, and many use legacy software systems that are expensive to upgrade,” Symantec said. “Consequently, workers could be more likely to take shortcuts and install pirated software. While organizations in other sectors appear to be infected less frequently, the attackers don’t appear to ignore or remove these infections when they occur.”
While the group focused on US targets, it has also diversified geographically over the past two years, and attacks are now taking place against organizations in a broad range of countries, the firm said.
Also known as Stegoloader, Gatak has been used in attacks since at least 2011. A notable feature of Gatak is its use of steganography, a technique for hiding data within image files. When Gatak is installed on a computer, it attempts to download a PNG image file from one of a number of URLs hardcoded into the malware. The image looks like an ordinary photograph, but contains an encrypted message within its pixel data. The Gatak Trojan is capable of decrypting this message, which contains commands and files for execution.
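To make the steganography step concrete, here is an added example that is not from the article or from Symantec. The article does not describe Gatak's actual encoding, so this assumes the classic least-significant-bit (LSB) scheme on a small 8-bit grayscale image constructed in memory (not a real PNG), and pairs it with the pairs-of-values chi-square check an analyst can run to flag an image whose pixel LSBs look like embedded random data.

```python
import random
from collections import Counter

def embed_lsb(pixels, payload):
    """Write a 2-byte big-endian length header plus the payload into pixel LSBs."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for payload")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # replace the LSB, keep the upper 7 bits
    return out

def extract_lsb(pixels):
    """Recover what embed_lsb hid: the step an analyst repeats on a suspect image."""
    bits = [p & 1 for p in pixels]
    byte_at = lambda k: int("".join(map(str, bits[8 * k:8 * k + 8])), 2)
    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + k) for k in range(length))

def pov_chi_square(pixels):
    """Pairs-of-values chi-square statistic (Westfeld/Pfitzner). LSB embedding of
    random-looking data (encrypted commands qualify) equalises the counts of each
    value pair (2k, 2k+1), so a low statistic on a skewed image is suspicious."""
    counts = Counter(pixels)
    chi2 = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi2

def demo(seed=7, width=64, height=64):
    """Constructed 'photo' whose values skew even, then the same image with a
    random 'encrypted command blob' embedded. Returns (chi2 clean, chi2 stego, ok)."""
    rng = random.Random(seed)
    clean = [2 * max(0, min(127, int(rng.gauss(64, 15)))) + (rng.random() < 0.2)
             for _ in range(width * height)]
    blob = bytes(rng.getrandbits(8) for _ in range(width * height // 8 - 2))
    stego = embed_lsb(clean, blob)
    return pov_chi_square(clean), pov_chi_square(stego), extract_lsb(stego) == blob

if __name__ == "__main__":
    print(demo())
```

The statistic drops by more than an order of magnitude once the whole image carries random-looking bits; on real photographs the same test is run per region, since a payload usually covers only part of the image.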
There are two main components of the malware, Symantec explained. A lightweight deployment module (Trojan.Gatak.B) performs detailed system fingerprinting on infected computers and selectively installs additional payloads, including various ransomware variants and the Shylock financial Trojan. The main module (Trojan.Gatak) is a fully fledged backdoor Trojan, which maintains a persistent presence on an infected computer and steals information from it.
“Since it first appeared five years ago, the Gatak group has carried out a steady stream of attacks and the Trojan represents a serious threat to any organization, particularly in the healthcare sector,” Symantec noted. “Gatak provides a timely reminder that the use of pirated software can compromise security in addition to creating legal issues for an organization. Along with using a robust security solution, organizations should regularly audit the software used on their network and educate staff about the dangers of using pirated or unapproved software.”