Mysterious threat group's top target is now healthcare sectors

Symantec research has found that the group behind the Gatak Trojan (Trojan.Gatak) continues to pose a threat to organisations.

There are numerous ways to classify viruses that affect users’ computer systems. Worms, macro viruses, Trojans and backdoors are some of the well-known examples. These viruses are spread over the internet using different methods such as email and malicious web pages; others are spread through removable media such as USB memory sticks and external hard drives. These viruses damage, destroy or infect information on the user’s device, and some even take control of the device to use it to attack others.

The Gatak Trojan is among the most frequently seen viruses on users’ systems. Symantec research has found that the group behind the Gatak Trojan (Trojan.Gatak) continues to pose a threat to organisations, particularly within the healthcare sector, which is heavily prone to attacks. Gatak is known for infecting its victims’ systems through websites promising product licensing keys for pirated software. While the hacker group focuses on US targets, it has diversified over the past two years, and attacks are now taking place against organisations in a broad range of countries. The following is an in-depth look at the threat posed by Gatak, as found by Symantec research.

Keygen websites used to lure unsuspecting victims: The victims of Gatak are infected when using websites offering product key generators, or ‘keygens’, for pirated software. The malware is bundled with a product key, and if the victim is tricked into downloading and opening one of these files, the malware is surreptitiously installed on their computer. Attackers, in most cases, appear to focus on offering product keys for software that is more likely to be used in professional environments.

Healthcare still the most affected: Globally, 62 per cent of Gatak infections occur on enterprise computers. Analysis of recent enterprise attacks shows that the healthcare sector is by far the most affected. Forty per cent of the top 20 organisations affected by Gatak happen to be in the healthcare sector. Previously, the insurance sector was heavily targeted by the group.

Why healthcare? Symantec’s Internet Security Threat Report (ISTR) highlighted that globally, the largest number of breaches took place within the health service sub-sectors, which comprised 39 per cent of all breaches in 2015. Researchers have found potentially damaging vulnerabilities in dozens of devices such as insulin pumps, x-ray systems, CT scanners, medical refrigerators and implantable defibrillators. Healthcare organisations are often under pressure and under-resourced, and many use legacy software systems that are expensive to upgrade. Consequently, workers could be more likely to take shortcuts and install pirated software. It is unclear how Gatak is profiting from healthcare attacks. One possibility is data theft, with attackers selling personally identifiable information and other stolen data on the cyber underground. This could explain the attackers’ heavy focus on the healthcare sector, as healthcare records usually sell for more than other personal information.

The growing danger Gatak poses: The Gatak Trojan, a lightweight deployment module which can perform detailed system fingerprinting on infected computers and selectively install additional payloads, has been used in attacks since at least 2011. The main module is a fully fledged backdoor Trojan, which maintains a persistent presence on an infected computer and steals information from it. In approximately 62 per cent of incidents, lateral movement across the victim’s network occurs within two hours of infection. In the remaining cases, lateral movement began at some point after the two-hour mark. The variance indicates that lateral movement isn’t automated but is instead carried out manually by the attackers. Whether the attackers don’t have the resources to exploit all infections immediately or whether they prioritize some infections over others is unknown.
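The two-hour lateral-movement pattern described above can be turned into a simple correlation check for a SOC: after an anti-virus detection of Trojan.Gatak on a host, look for that host's first outbound remote logon and measure the gap. The following is an added illustration, not code from Symantec or the article; the event records, host names and field layout are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): each event is
# (timestamp, source host, event type, detail). For "av_detect" the
# detail is the signature name; for "remote_logon" it is the target host.
EVENTS = [
    ("2016-11-21T09:00:00", "ws-12", "av_detect", "Trojan.Gatak"),
    ("2016-11-21T09:05:00", "ws-12", "remote_logon", "file-srv-01"),
    ("2016-11-21T10:30:00", "ws-12", "remote_logon", "db-02"),
    ("2016-11-21T13:00:00", "ws-40", "av_detect", "Trojan.Gatak"),
    ("2016-11-21T18:00:00", "ws-40", "remote_logon", "file-srv-01"),
    ("2016-11-21T11:00:00", "ws-77", "remote_logon", "print-01"),  # no detection
]

WINDOW = timedelta(hours=2)  # the two-hour mark cited in the research


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(events, signature="Trojan.Gatak", window=WINDOW):
    """Map each host with a detection to (detect_time, first_move, within_window).

    first_move is None when no remote logon from that host follows the detection.
    """
    detections = {}
    for ts, host, kind, detail in events:
        if kind == "av_detect" and detail == signature:
            t = parse(ts)
            if host not in detections or t < detections[host]:
                detections[host] = t
    results = {}
    for host, t0 in detections.items():
        moves = sorted(parse(ts) for ts, h, kind, _ in events
                       if h == host and kind == "remote_logon" and parse(ts) >= t0)
        first = moves[0] if moves else None
        results[host] = (t0, first, first is not None and first - t0 <= window)
    return results


def summarize(results):
    """Return (hosts moving within the window, hosts with any lateral movement)."""
    within = sum(1 for _, _, w in results.values() if w)
    moved = sum(1 for _, m, _ in results.values() if m is not None)
    return within, moved


if __name__ == "__main__":
    for host, (t0, first, fast) in correlate(EVENTS).items():
        print(host, t0, first, "FAST lateral movement" if fast else "slow/none")
```

Hosts flagged as "fast" would be the ones to isolate and investigate first, since the gap suggests a hands-on operator rather than a dormant infection.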

Ongoing vigilance required: The Gatak group has carried out a steady stream of attacks, and the Trojan represents a serious threat to any organisation, particularly in the healthcare sector. Gatak provides a timely reminder that the use of pirated software can compromise security, in addition to creating legal issues for an organisation. Along with using a robust security solution, organisations should regularly audit the software used on their network and educate staff about the dangers of using pirated or unapproved software.

(Source: Deccan Chronicle)