The lure of keygens helps spread Gatak malware through the enterprise and healthcare industry
Malware spreads through various channels, and numerous methods are used to fool people into unwittingly installing it. In many cases, the promise of getting something for free -- namely expensive software -- is enough to trick a victim into infecting their own computer.
It is far from a new tactic, and warnings have been issued to fans of torrenting for some time. Keygens (small programs that promise to provide unlock codes and product keys for big-name software titles) are being used to help spread the Gatak or Stegoloader Trojan. What is interesting about this campaign is that it specifically targets enterprise users, with a particular focus on the healthcare industry.
The software for which fake keygens have been created to spread Gatak gives an idea of the type of user being targeted. Names such as SketchList3D, Siemens SIMATIC STEP 7, CadSoft Eagle Professional, PremiumSoft Navicat Premium and Manctl Skanect are hardly household names, but for companies looking to save a bit of money through the use of pirated software, these titles can be quite a lure.
Symantec reports that of the top 20 infections, 40 percent involve the healthcare industry. Interestingly, the keygens do not even offer genuine keys when they are run -- they exist only to serve as a temptation. When executed, a keygen simply generates "a pseudo-random sequence of characters" and, of course, installs the malware in the background. Once installed, Gatak opens a backdoor on the infected computer, which the attacker controlling it can then use for all manner of things.
The fact that the healthcare industry -- as well as companies involved in education, gambling and the automotive industry -- is being targeted shows that Gatak is probably being used to harvest data that could then either be sold on or used in social engineering. Symantec explains:
A notable feature of Gatak is its use of steganography, a technique for hiding data within image files. When Gatak is installed on a computer, it attempts to download a PNG image file from one of a number of URLs hardcoded into the malware. The image looks like an ordinary photograph, but contains an encrypted message within its pixel data. The Gatak Trojan is capable of decrypting this message, which contains commands and files for execution.
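To make the mechanism Symantec describes concrete, here is an added worked example of encrypted least-significant-bit (LSB) steganography in a PNG. It is not code from the page or from Symantec, and it is not Gatak's real scheme: the page does not specify the bit layout, the cipher or the command format the malware uses, so everything below is assumed for illustration. The cover image is a synthetic pixel pattern rather than a photograph, the cipher is a toy SHA-256 counter keystream, the payload is length-prefixed in the LSBs, and the "C2 message" is a hypothetical `key=value` string. The PNG writer and parser use only the standard library so the example runs offline, which also shows why a steganographic PNG passes any check that merely validates the file format: it is a perfectly well-formed image.

```python
import hashlib
import struct
import zlib

# Constructed sample data: a synthetic 32x16 RGB "photo" and a hypothetical C2 message.
# Neither is Gatak's real format; this shows the general LSB-steganography technique only.
WIDTH, HEIGHT = 32, 16
SAMPLE_KEY = b"example-key-not-gatak"
SAMPLE_MESSAGE = b"cmd=download;url=http://example.invalid/update.bin;exec=1"


def make_cover_pixels(width, height):
    """Synthetic RGB pixel bytes standing in for a photograph (constructed, not a real image)."""
    return bytearray(((x * 7 + y * 13 + c * 3) & 0xFF)
                     for y in range(height) for x in range(width) for c in range(3))


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Illustrative only;
    it is not authenticated and is not the cipher the page's malware uses."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def embed_lsb(pixels, payload):
    """Write a 4-byte length prefix plus payload into the least significant bit of each pixel byte."""
    framed = struct.pack(">I", len(payload)) + payload
    nbits = len(framed) * 8
    if nbits > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i in range(nbits):
        bit = (framed[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(pixels):
    """Inverse of embed_lsb: read the length prefix, then that many payload bytes."""
    def read_bytes(offset_bits, nbytes):
        buf = bytearray(nbytes)
        for i in range(nbytes * 8):
            buf[i >> 3] |= (pixels[offset_bits + i] & 1) << (7 - (i & 7))
        return bytes(buf)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)


def png_encode(pixels, width, height):
    """Minimal 8-bit RGB PNG writer (filter type 0 on every row), standard library only."""
    def chunk(tag, body):
        return (struct.pack(">I", len(body)) + tag + body
                + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(pixels[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def png_decode(data):
    """Parse the subset of PNG that png_encode emits back into (width, height, pixels)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    stride = width * 3
    raw = zlib.decompress(idat)
    pixels = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("only unfiltered rows are supported")
        pixels += row[1:]
    return width, height, pixels


def build_stego_png(message=SAMPLE_MESSAGE, key=SAMPLE_KEY):
    """Operator side: encrypt the command, hide it in the cover image, emit a valid PNG."""
    cover = make_cover_pixels(WIDTH, HEIGHT)
    return png_encode(embed_lsb(cover, keystream_xor(key, message)), WIDTH, HEIGHT)


def recover_command(png_bytes, key=SAMPLE_KEY):
    """Implant side: parse the PNG, pull the LSBs, decrypt, and split into key=value fields."""
    _, _, pixels = png_decode(png_bytes)
    plaintext = keystream_xor(key, extract_lsb(pixels))
    return dict(field.split("=", 1) for field in plaintext.decode().split(";"))


if __name__ == "__main__":
    png = build_stego_png()
    print(len(png), "bytes of PNG ->", recover_command(png))
```

The defensive takeaway is that the downloaded file decodes as a valid image, its pixels differ from the original in only the lowest bit, and the hidden bytes are ciphertext, so neither signature scanning of the image nor eyeballing it reveals anything. Detection has to come from the surrounding behaviour instead: a process that is not a browser fetching PNGs from hardcoded URLs, or an unknown binary launched from a keygen, which is the kind of telemetry the rest of this article points at.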
As well as providing a wealth of information, Symantec suggests another reason for the targeting of the healthcare industry: "Healthcare organizations can often be pressurized, under-resourced, and many use legacy software systems that are expensive to upgrade. Consequently, workers could be more likely to take shortcuts and install pirated software. While organizations in other sectors appear to be infected less frequently, the attackers don’t appear to ignore or remove these infections when they occur."