The group behind the Gatak Trojan (Trojan.Gatak) continues to pose a threat to organizations, with the healthcare sector in particular heavily affected by attacks. Gatak is known for infecting its victims through websites promising product licensing keys for pirated software. While the group focused on US targets, it has diversified over the past two years and attacks are now taking place against organizations in a broad range of countries.
Healthcare still the most affected
The majority of Gatak infections (62 percent) occur on enterprise computers. Analysis of recent enterprise attacks indicates that the healthcare sector is by far the most affected by Gatak. Of the top 20 most affected organizations (organizations with the most infected computers), 40 percent were in the healthcare sector. In the past, the insurance sector was also heavily targeted by the group.
Figure 1. Sectoral breakdown of most heavily infected organizations
Keygen website used to lure unsuspecting victims
Gatak victims are infected using websites offering product key generators or “keygens” for pirated software. The malware is bundled with the product key and, if the victim is tricked into downloading and opening one of these files, the malware is surreptitiously installed on their computer.
Figure 2. Malicious keygen website offering product key for pirated versions of SketchList3D. Visitors who download a key will be infected with Gatak.
The attackers appear to focus on offering product keys for software that is more likely to be used in professional environments. The websites used in the attacks are controlled by the attackers and have no connection with the developers of the software. At no point are legitimate versions of software compromised. Among the software brands used as lures were:
- SketchList3D (woodworking design software)
- Native Instruments Drumlab (sound engineering software)
- BobCAD-CAM (metalworking/manufacturing software)
- BarTender Enterprise Automation (label and barcode creation software)
- HDClone (hard disk cloning utility)
- Siemans SIMATIC STEP 7 (industrial automation software)
- CadSoft Eagle Professional (printed circuit board design software)
- PremiumSoft Navicat Premium (database administration software)
- Originlab Originpro (data analysis and graphing software)
- Manctl Skanect (3D scanning software)
- Symantec System Recovery (backup and data recovery software; now part of Veritas)
The product keys downloaded from these websites do not work and simply generate pseudo-random sequence of characters. This means all the victim gets from the download is a junk file and a potential Gatak infection.
The Gatak Trojan (aka Stegoloader) has been used in attacks since at least 2011. There are two main components of the malware. A lightweight deployment module (Trojan.Gatak.B) can perform detailed system fingerprinting on infected computers and selectively install additional payloads. The main module (Trojan.Gatak) is a fully fledged back door Trojan, which maintains a persistent presence on an infected computer and steals information from it.
A notable feature of Gatak is its use of steganography, a technique for hiding data within image files. When Gatak is installed on a computer, it attempts to download a PNG image file from one of a number of URLs hardcoded into the malware. The image looks like an ordinary photograph, but contains an encrypted message within its pixel data. The Gatak Trojan is capable of decrypting this message, which contains commands and files for execution.
Movement across compromised networks
In approximately 62 percent of incidents, lateral movement across the victim’s network occurs within two hours of infection. In the remaining cases, lateral movement began at some point after the two hour mark. The variance indicates that lateral movement isn’t automated and instead carried out manually by the attackers. Whether the attackers don’t have the resources to exploit all infections immediately or whether they prioritize some infections over others is unknown.
Little is known about how the attackers move across an organization’s network. The most likely explanation is that they exploit weak passwords and poor security in file shares and network drives. There is no evidence of zero-day exploits or sophisticated hacking tools being employed.
In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock (Trojan.Shylock) financial Trojan. In the case of Shylock, these appear to be older versions of the threat and might even be “false flag” infections. They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent.
Little is known about the group behind Gatak, although the corporate nature of its targets, along with the absence of zero-day vulnerabilities or advanced malware modules suggest that it may be cybercriminal in nature, however there are also capabilities within the malware for more traditional espionage operations.
It is unclear how Gatak is profiting from its attacks. One possibility is data theft, with the attackers selling personally identifiable information and other stolen data on the cyberunderground. This could explain the attackers’ heavy focus on the healthcare sector, with healthcare records usually selling for more than other personal information.
However, Gatak’s means of distribution, through keygen websites, indicates that the attackers may be more opportunistic. By using a watering-hole approach, the attackers play a largely passive role, with relatively little control over who is infected. If this is the case, the healthcare sector may simply be the most susceptible to these kinds of attacks.
Healthcare organizations can often be pressurized, under-resourced, and many use legacy software systems that are expensive to upgrade. Consequently, workers could be more likely to take shortcuts and install pirated software. While organizations in other sectors appear to be infected less frequently, the attackers don’t appear to ignore or remove these infections when they occur.
Ongoing vigilance required
Since it first appeared five years ago the Gatak group has carried out a steady stream of attacks and the Trojan represents a serious threat to any organization, particularly in the healthcare sector. Gatak provides a timely reminder that the use of pirated software can compromise security in addition to creating legal issues for an organization. Along with using a robust security solution, organizations should regularly audit the software used on their network and educate staff about the dangers of using pirated or unapproved software.
Symantec and Norton products protect against this threat with the following detections:
Intrusion prevention system: