Healthcare Industry Targeted with Gatak Trojan

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not a new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry.

40% of the most affected organizations are now in the healthcare sector. This signifies a change in targeting, as previously the Trojan has been primarily used to attack insurance companies. While 40% of attacks have not been attributed to any industry sector, the next most targeted industries – which each account for 5% of attacks – are the automotive, education, gambling, and construction.

It is currently unclear how the attackers are using the malware to profit from infections, although it is believed that healthcare companies are being targeted due to the value of their stored data. Gatak is primarily an information stealer

There are two components of the malware. One component performs detailed fingerprinting of the victim and is capable of installing a range of additional payloads. Those payloads can include ransomware. The downloader has been discovered to install Shylock; an old form of ransomware. Symantec suggests that older forms of malware may be installed when the group believes their attack has been detected “to throw investigators off the scent.”

The main module is the information stealing component. Gatak is particularly dangerous because it is difficult to detect and can remain dormant for long periods. Gatak is also capable of moving laterally across a network and infecting multiple devices. According to Symantec, this usually occurs within two hours of infection.

Symantec reports that lateral movement does not appear to be automatic, instead other devices are attacked manually. Symantec does not believe the attackers are using sophisticated tools to spread the infection, but are instead exploiting weak security and poor passwords.

While many forms of malware are inadvertently installed via malicious websites or spam email; Gatak appears to be almost exclusively spread via shadow IT: Programs that have been installed on computers by employees without the knowledge of the IT department. In some cases, pirated software is actually installed by IT departments to automate IT tasks. The infections do not occur as a result of the installation of the pirated software, but with the keygen that is used to generate the license key.

Trojan is bundled with the Keygen. When the executable is run, the Trojan is silently installed. Symantec notes that the keygens used by the group behind Gatak do not generate genuine product keys. The group behind Gatak is targeting companies by supplying fake keygens for software typically used in professional environments.

These include HDClone – a hard disk cloning program; PremiumSoft Navicat Premium – Database administration software; Originlab Originpro – Data analysis software; and Symantec System Recovery – Backup and data recovery software. The latter could pose the biggest threat to healthcare organizations that are attempting to improve defenses against ransomware attacks by using pirated backup software.

Symantec notes that its products protect against the threat, but advises IT departments, particularly those in the healthcare industry, to conduct regular audits of software installed on their networks. Symantec also suggests reminding employees not to install pirated and/or unauthorized software.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.