The old adage that crime does not pay applies not only to those cybercriminals who are caught, but also to many of the victims of the Gatak Trojan, who download it while attempting to gain access to pirated software.
Little is known about the group pushing the Gatak Trojan (Trojan.Gatak) other than that it remains fixated on targeting the healthcare industry and uses the prospect of obtaining pirated software as a lure to snag its victims. In this case the five-year-old malware is spread through online ads offering pirated software keys that, if legitimate, would give someone the ability to download and use premium software at a discount, according to a Symantec study. The ads purportedly come from a key-generator company offering keys for products such as:
But once the ad is clicked, it sends the victim to a fake key-generator page where a bogus alphanumeric key is produced and, at the same time, Gatak is delivered.
“The malware is bundled with the product key and, if the victim is tricked into downloading and opening one of these files, the malware is surreptitiously installed on their computer,” Symantec said.
While much is known about the malware and how it is distributed, quite a few mysteries still surround Gatak. Researchers do not know how Gatak's developers profit from these attacks, but one theory is that the Trojan is used to exfiltrate data which is then sold on the dark web. This may be why the healthcare industry, with its valuable data and notoriously porous cybersecurity measures, is such a favorite target.
“Healthcare organizations can often be pressurized, under-resourced, and many use legacy software systems that are expensive to upgrade. Consequently, workers could be more likely to take shortcuts and install pirated software,” the report said.
Because of healthcare staffers' penchant for penny-pinching, Symantec recommends that employees be trained in the dangers of attempting to use under-the-counter software, along with deploying the proper cybersecurity software.
Symantec was contacted, but did not respond to additional questions prior to posting.