On the Gatak: Trojan gang lures victims with fake software keys

Healthcare companies are the primary targets.

The old adage that crime does not pay applies not only to those cyber-criminals who are caught, but also to many of the victims of the Gatak Trojan, who download it while attempting to gain access to pirated software.

Little is known about the group pushing the Gatak Trojan (Trojan.Gatak) other than it remains fixated on targeting the healthcare industry and using the possibility of obtaining pirated software as a lure to snag its victims. In this case the five-year-old malware is spread through online ads offering pirated software keys that, if legit, would give someone the ability to download and use premium software at a discount, according to a Symantec study. The ads purportedly come from a key-generator company offering keys for products such as:

  • SketchList3D (woodworking design software)
  • Native Instruments Drumlab (sound engineering software)
  • BobCAD-CAM (metalworking/manufacturing software)
  • BarTender Enterprise Automation (label and barcode creation software)
  • HDClone (hard disk cloning utility)
  • Siemens SIMATIC STEP 7 (industrial automation software)

But once the ad is clicked, it sends the victim to a fake key-generator page where a bogus alphanumeric key is produced and, at the same time, Gatak is delivered.

“The malware is bundled with the product key and, if the victim is tricked into downloading and opening one of these files, the malware is surreptitiously installed on their computer,” Symantec said.

While much is known about the malware and how it is distributed, there are also quite a few mysteries surrounding Gatak. Researchers do not know how Gatak's developers profit from these attacks, but one theory is the Trojan is used to exfiltrate data which is then sold on the dark web. This may be why the healthcare industry and its valuable data, tied to its notoriously porous cyber-security measures, is such a favourite target.

“Healthcare organisations can often be pressurised, under-resourced, and many use legacy software systems that are expensive to upgrade. Consequently, workers could be more likely to take shortcuts and install pirated software,” the report said.

Because of healthcare staffers' penchant for penny-pinching, Symantec recommends that employees be trained in the dangers of attempting to use under-the-counter software, along with deploying proper cyber-security software.

Symantec was contacted, but did not respond to additional questions prior to posting.
