Gatak Trojan Turning Towards the Healthcare Sector: Here Is What You Need to Know

Gatak does not go after other industries the way it goes after healthcare.

Why do hackers like to target the American healthcare sector?

The answer is money. They do not care that healthcare functions as critical infrastructure; they care that it pays, and that is why they target it so frequently.

After a string of cyber attacks, the American healthcare sector is now plagued by persistent Trojans. They mostly arrive from unknown sources, but in the end there is always a criminal group behind them, and that group's intent is singular: exploit existing vulnerabilities in antiquated networks and insecure systems, and use that access to exfiltrate patients' health records.

Consider that the US spends around eighteen percent of its GDP on healthcare alone. Hackers know it, and they know the payoff is worth the effort.

Statistics show that about forty-seven percent of people living in the United States have had their personal healthcare records compromised in a cyber attack, and that figure covers only the past twelve months or so.

Gemalto, a digital security company, recently published a report titled "Data Breach Index for the First Half of 2015". It looked at sixteen critical and sensitive infrastructure sectors and found that the healthcare industry bore the brunt of the attacks: about twenty-one percent of recent data breaches, 188 of the 888 reported events, affected an entity in the healthcare sector.

Nobody needs to argue, then, that hackers consider healthcare a prime target for their malicious programs. It is also possible that hackers have simply found healthcare to be the sector most susceptible to their data breach efforts.

A SANS Institute report from 2012 broke down the malicious traffic associated with American healthcare: about seventy-two percent involved healthcare providers, six percent health plan organizations, and ten percent healthcare business associates. The remaining twelve percent involved pharmaceutical companies, other healthcare entities and healthcare information clearinghouses.

What On Earth Is Gatak?

We'll give you this: it is an awkward-sounding name. But what is it?

In short, Gatak is a Trojan, and the group behind it is not letting up. It continues to go after organization after organization and, as mentioned above, it has its crosshairs locked on the healthcare sector, the sector hit hardest by cyber crime of this kind.

Symantec recently reported that the majority of Gatak infections (sixty-two percent, to be precise) were found on enterprise computers, and that forty percent of the twenty most affected organizations belonged to the healthcare sector.

Experts believe hackers have used the Gatak Trojan in their attacks since 2011, and some believe it was in use even earlier.

What Is This Malware Gatak?

According to Symantec's researchers, the malware has two major components.

The first is a lightweight deployment module, detected as Trojan.Gatak.B. Once it infects a machine, this module performs detailed system fingerprinting and then gets selective: it installs supplemental payloads, among them various ransomware variants and the Shylock financial Trojan, only on the machines the attackers choose.

The second is the main module, detected as Trojan.Gatak. This is the fully fledged backdoor: it maintains a persistent presence on the infected machine and steals whatever sensitive information is present on it.

Other Name For Gatak?


Some people call Gatak by another name: Stegoloader.

The name refers to the authors' use of steganography, the technique of concealing data inside ordinary-looking files such as images.

Shortly after the installation process infects a machine, the malware downloads a malicious PNG image. That image contains an encrypted message, more precisely encrypted commands for the Trojan to carry out, along with references to further files the hackers want executed in order to extend their control over the infected machine.
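To make the steganography idea concrete, here is an added Python example (not Gatak's code, and not from Symantec): it builds a small PNG, hides an encrypted command string in the least-significant bits of the pixel bytes, and then parses the PNG chunks back to recover and decrypt it. The image, command text and key are constructed here, and repeating-key XOR stands in for whatever cipher the real malware uses.

```python
"""Added example: LSB steganography in a PNG, the way a "stego-loader" hides
commands. Not Gatak's code. The image, command text and key are constructed;
repeating-key XOR stands in for the real (undisclosed) cipher."""
import struct
import zlib

WIDTH, HEIGHT = 16, 16                               # constructed 16x16 RGB carrier
KEY = b"constructed-key"                             # assumed key, not a real IOC
COMMANDS = b"download stage2.bin\nrun stage2.bin"    # constructed command text


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(pixels: bytes, width: int = WIDTH, height: int = HEIGHT) -> bytes:
    """Encode raw RGB bytes as an 8-bit truecolour PNG (filter type 0 per row)."""
    row_len = width * 3
    raw = b"".join(b"\x00" + pixels[i:i + row_len]
                   for i in range(0, len(pixels), row_len))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def parse_png(data: bytes) -> bytes:
    """Walk the chunks, verify each CRC, and return the raw RGB pixel bytes.
    Only filter type 0 rows are handled (enough for build_png output)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width = 8, b"", 0
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype == b"IHDR":
            width = struct.unpack(">I", body[:4])[0]
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
        if ctype == b"IEND":
            break
    rows = zlib.decompress(idat)
    stride = width * 3 + 1                           # one filter byte per row
    return b"".join(rows[i + 1:i + stride] for i in range(0, len(rows), stride))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload into the LSB of each pixel byte."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in msg for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Read the length prefix, then that many payload bytes, from the LSB plane."""
    def read(n_bytes: int, offset: int) -> bytes:
        val = 0
        for i in range(n_bytes * 8):
            val = (val << 1) | (pixels[offset + i] & 1)
        return val.to_bytes(n_bytes, "big")
    length = struct.unpack(">I", read(4, 0))[0]
    return read(length, 32)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher: repeating-key XOR (symmetric, so it also decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_carrier() -> bytes:
    """What the attacker ships: a PNG whose LSB plane holds the encrypted commands."""
    pixels = bytes((i * 7) % 256 for i in range(WIDTH * HEIGHT * 3))  # constructed noise
    return build_png(embed_lsb(pixels, xor_crypt(COMMANDS, KEY)))


def recover_commands(png: bytes) -> bytes:
    """What the implant does: parse the image, pull the LSBs, decrypt."""
    return xor_crypt(extract_lsb(parse_png(png)), KEY)


if __name__ == "__main__":
    carrier = build_carrier()
    print(len(carrier), "byte PNG hides:", recover_commands(carrier))
```

The point for defenders is that the carrier is a perfectly valid PNG: every chunk CRC checks out, and the image renders, so content inspection that stops at "is this a well-formed image" learns nothing. What gives such files away is context (an image fetched by a process that has no business fetching images) and, for analysts, the fact that the LSB plane of a real photograph is not uniformly noisy.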

Gatak is clever, though. Beyond the standard backdoor functionality, its operators also want the freedom of lateral movement within any environment they have compromised.

Researchers found that in about sixty percent of cases this lateral movement began roughly two hours after the initial infection. The delay is why they believe the process is not automated: the hackers carry it out manually.

That suggests something else too. The attackers may not have the resources to exploit every infection they achieve, otherwise they could easily follow up on all of them, and researchers also note that they do not appear to prioritize targets.

Gatak Tools And Programs

The Gatak gang uses legitimate programs as lures: the malware is distributed through websites offering product licence keys for pirated copies of those programs. That is how the gang rolls.

We are talking about lures such as SketchList3D, which is used for woodworking design, and Native Instruments Drumlab, which is used for sound engineering.

Moreover, Gatak uses lures for:

  • BobCAD-CAM, for manufacturing and metalworking.
  • BarTender Enterprise Automation, which is used for barcode and label creation.
  • HDClone, which is used to clone hard disks.
  • Siemens SIMATIC STEP 7, which is used in industrial automation.
  • CadSoft Eagle Professional, which is used for designing printed circuit boards.
  • PremiumSoft Navicat Premium, for database administration.
  • OriginLab OriginPro, for graphing and data analysis.
  • Manctl Skanect, for 3D scanning.
  • And finally Symantec System Recovery, for backup and data recovery.

More Details On Gatak

Trojans these days are complex. What type of payload does Gatak deliver? Once running, Gatak first connects to a set of IP addresses and URLs, then downloads further files from them.

What About Its Arrival Details?

Gatak has friends in the form of other malware. It arrives on a system as a file, and one way that file shows up is by being dropped by other malware already present on the machine.

Remember, though, that Gatak is clever and uses several infection routes. It can also arrive as a download: the user's only mistake is visiting a malicious website, from which Gatak is downloaded onto the system without the user realising that any file was fetched at all.

What About Gatak's Installation Process?

The installation process is not complicated. Once the Gatak Trojan lands on a system, it installs the following files:

  • An executable (.exe) file
  • An encrypted file at the location,
    %Application Data%\Microsoft\{randomized folder name}\{randomized file name}

Note that %Application Data% refers to the currently logged-on user's Application Data folder, which normally lives on the C drive.

On Windows 2000, Windows XP and Windows Server 2003 that path is C:\Documents and Settings\{username}\Application Data.

On Windows Vista and Windows 7 the structure changes slightly to C:\Users\{username}\AppData\Roaming.

The Gatak Trojan also injects its malicious code into executable (.exe) files.
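As an added example (not vendor code), the following Python hunts for that drop pattern: a folder directly under Roaming\Microsoft that Windows itself did not create, holding a high-entropy file, which is what an encrypted blob looks like on disk. The sample profile tree it scans is constructed in a temporary directory; the allow-list of known Microsoft folder names and the 7.0 bits-per-byte entropy threshold are assumptions for illustration, not published indicators. On a real Windows host you would pass `os.environ["APPDATA"]` instead of the constructed tree.

```python
"""Added example: hunt for a Gatak-style drop (random folder under
%APPDATA%\\Microsoft holding an encrypted file). Not vendor code; the
profile tree, allow-list and entropy threshold are constructed/assumed."""
import math
import os
import random
import tempfile
from collections import Counter

# Assumed allow-list of folders Windows and Office normally create under
# Roaming\Microsoft; tune it from a clean reference build before use.
KNOWN_MS_DIRS = {"Windows", "Crypto", "Credentials", "Protect", "Vault",
                 "SystemCertificates", "Internet Explorer", "Office"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off for "encrypted or packed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for ciphertext, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hunt_appdata(appdata: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return (folder, file, entropy) for every unexpected folder directly
    under <appdata>/Microsoft that contains a high-entropy file."""
    hits = []
    with os.scandir(os.path.join(appdata, "Microsoft")) as it:
        folders = sorted(it, key=lambda e: e.name)
    for entry in folders:
        if not entry.is_dir() or entry.name in KNOWN_MS_DIRS:
            continue                              # expected folder, or a stray file
        with os.scandir(entry.path) as it:
            files = sorted((f for f in it if f.is_file()), key=lambda e: e.name)
        for f in files:
            with open(f.path, "rb") as fh:
                ent = shannon_entropy(fh.read(65536))   # first 64 KiB is enough
            if ent >= threshold:
                hits.append((entry.name, f.name, round(ent, 2)))
    return hits


def build_sample_profile() -> str:
    """Construct a fake Roaming profile in a temp dir: one legitimate folder
    with a low-entropy file, one Gatak-like folder with an 'encrypted' blob."""
    appdata = os.path.join(tempfile.mkdtemp(), "AppData", "Roaming")
    recent = os.path.join(appdata, "Microsoft", "Windows", "Recent")
    os.makedirs(recent)
    with open(os.path.join(recent, "notes.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + b"plain shortcut text " * 20)   # low entropy
    drop = os.path.join(appdata, "Microsoft", "Xq7kd2Lm")   # constructed random name
    os.makedirs(drop)
    rng = random.Random(1)                                   # deterministic "ciphertext"
    with open(os.path.join(drop, "p3kq0.dat"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    return appdata


if __name__ == "__main__":
    # On a live Windows host: hunt_appdata(os.environ["APPDATA"])
    for folder, name, ent in hunt_appdata(build_sample_profile()):
        print("suspicious: Microsoft\\%s\\%s (entropy %.2f)" % (folder, name, ent))
```

Entropy alone will also flag legitimately compressed or encrypted files, so treat a hit as a lead to pair with the other artefacts the page describes (a dropped .exe, an unexpected Run key, a process fetching PNG files), not as a verdict on its own.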

How To Fight Against The Gatak Trojan

There is no doubt that malicious actors will do everything they can to hurt a user or a system. They will find, and then spend, significant resources to exploit every vulnerability in the American healthcare system, because that system holds a ton of data that is both valuable and diverse.

Moreover, healthcare companies have often proven themselves soft targets: compromised user accounts, lingering backdoors and insecurely integrated systems let hackers slip in silently, penetrate the network and then maintain a persistent presence on it.

But How Do These Hackers Make Money?

In short, nobody knows for sure. Hackers monetize everything they can; otherwise, what is the point of pursuing such a dangerous career?

Symantec says the group makes money from the exfiltrated data and from personal information that can identify the targets. Whatever they pull off a victim's machine, they monetize. That is how the game works.

How Big Are These Healthcare Companies That Gatak Targets?


Pretty big.

Some sources say these healthcare databases can contain 18 or more personally identifiable information identifiers, including:

  • Name
  • Social security number
  • Address
  • The patient's private health information, often abbreviated as PHI
  • The patient's payment information, including credit card and insurance details

Once hackers have infiltrated a network, they love to plant supplemental backdoors to establish the persistent presence they want, and networks with many interconnected systems make that easy.

Some believe this is also how hackers reach a healthcare company's financial accounts, which they can then use to apply for credit and take out large loans in the victim's name.

Why Do Organizations Fail To Protect User Data Even When Gatak Is Around?

Most of us know that organizations fail horribly at detecting suspicious activity on their networks. And if they do detect it but cannot re-secure the network, the hackers can simply continue indefinitely: roaming about, revisiting the compromised systems and collecting ever larger piles of data.

Not all stolen data is equal, though. Hackers gauge whether a machine holds data of sufficient quality and quantity before they bother with it, so that they can hurt the organization as much as possible.

Our research tells us that once hackers compromise an organization's network, that organization is in deep trouble, because after the incident it may face several serious issues:

  • Legal ones
  • Fiscal ones
  • PR ones. Any hacking incident will hurt the reputation of the hacked organization.

If the media discovers and reports the breach before the organization comes forward itself, the harm is far greater.

Modern Organizations Have Some Serious Issues Even Though Gatak Is Running Wild

For one, they have neither the IT resources nor the budgets to take on advanced hacking groups. To make matters worse, these organizations usually sit on top of very rich data.

Hackers see this kind of data as gold: buyers pay more for it, and no other class of data commands a higher price than healthcare data. That is why we think the healthcare industry should brace itself for more attacks.

Data security must get its due attention. It should move to the top of the list of areas that need work and improvement; as far as healthcare priorities go, nothing should rank above it.

Why Are Healthcare Organizations So Vulnerable Against Hackers And Trojans Like Gatak?

They are weak partly because of stakeholder pressure. Sometimes the IT department is forced to keep the whole organization on legacy software systems, because those older systems and applications are prohibitively expensive to upgrade.

With the Gatak Trojan on the loose, healthcare organizations would do well to take these attacks as a timely reminder that using pirated software is always a bad idea: pirated software can, and most of the time does, compromise system security, and it creates other problems as well, such as copyright issues.

Advice To The Healthcare Sector Against Gatak And Co.

The healthcare sector, especially in the US, needs to invest more in comprehensive and robust security platforms, because its data and systems are valuable, and hackers find such valuable data, and the lack of security around it, far more appealing than other targets.

There is also a good chance that more nation state actors will get involved in future, and we cannot say the healthcare industry is safe from hacktivists or other types of cyber criminals either.

All of this warrants a cautious and practical approach to implementing IT systems. Healthcare organizations must ensure that all patient data is secure and sufficiently protected, carry out regular audits of their security systems to identify weak spots, and take note of the security technologies that could help them protect their data. Perhaps it is best to draw up a priority list of technologies the sector must adopt to protect against threats such as the Gatak Trojan.

What's A Good Audit Against Gatak?

A good audit always considers the current state of the systems: how well they are maintained, whether they are really compatible with newer systems, and how frequently the IT department patches problems.

IT administrators are key players here. The IT department must make sure that all software in use on the network is audited regularly, and the audit must also consider the organization's legal obligations and regulatory requirements.

The Role Of The IT Team Against Trojans Like Gatak

The best approach for any information security team is to assess all organizational systems for compromise on a scheduled basis; ideally, every six months.

Organizations, especially those in healthcare, must also educate their staff properly. Staff should know the fundamental dangers that can compromise their systems and the consequences of using pirated software, and organizations should not allow staff to run unapproved software on the network. Annual privacy and security training should cover the risks involved in working with information systems.

Every information security team must also ensure that concise and clear policies are drafted. Policies have to align with the organizational structure, and the executive board must approve them before implementation can begin.

The Role Of Policies To Guard Against Gatak

Policies keep organizations, and especially their information security teams, aware of the latest developments in information security. An information security policy that is implemented correctly helps a lot against Trojans like Gatak, and policies also give employees an incentive to keep the organization's systems secure.

To set policy compliance requirements, organizations must use governance policies. Other options include:

  • Policy enforcement options
  • Policy adherence metrics

Other Types Of Policies

A policy on roles and responsibilities is also needed. An organization must ensure that employees only have access to the information their role requires, which also helps with employee accountability. Role and responsibility policies clarify the overall organizational structure and improve internal operating efficiency.

Steps An Organization Must Take When The Gatak Trojan Infects A System

  1. Disable System Restore.
    This allows security software to perform full scans of the infected computers. It applies to every version of Windows, and it must be done before any scans are run.
  2. Restart the infected machines in Safe Mode.
  3. Delete all malicious registry values.
    Important note: always take care when editing the Windows Registry. A mistake here can cause an irreversible system malfunction. If you do not know how to do it and cannot get assistance, skip this step and contact your system administrator. Microsoft's documentation on editing the registry is worth reading before you begin.
  4. Restart the computer, this time in normal mode, and scan it.
    Watch for files detected under the name TROJ_GATAK.FCK. If the scanner has already cleaned or quarantined these files, no further steps are needed, although you can always delete the quarantined files.
  5. If a registry key you were told to remove cannot be found, the malware simply never created it on this machine.
    The only way to be sure is to compare a backup of the system registry with the current keys. Do not worry if you cannot: such leftover keys are not harmful, so deleting them is not a necessity.

Symantec Recommendations Against The Gatak Trojan

Symantec's Security Response team publishes guidance for when a Trojan like Gatak strikes. The team currently recommends that administrators and users adhere to the guidelines below, which are best practices against Trojans like Gatak.

Use A Firewall To Protect Against Gatak

A firewall can block incoming internet connections to services that should not be publicly available. By default it should deny all incoming connections and allow only the services the administrator has explicitly identified; everything else from the outside world should be blocked.

Make Sure You Have A Good Password Policy To Protect Against Gatak

Complex passwords make it much harder for hackers to crack password files taken from a compromised machine. That helps prevent, or at least limit, the damage hackers can cause once they compromise a system.

Administrators Must Make Sure That Users And Programs Only Use The Lowest Level Of Privilege Required For The Task, To Protect Against Gatak

When an application prompts for a root password, or for a UAC elevation, check that the program asking for administrator-level access is a legitimate application before granting it.


Disable AutoPlay To Protect Against Gatak

This prevents the computer from automatically launching executable files on network and removable drives. Disconnect drives when they are not in use, and if nobody needs write access to a drive, enable read-only mode where the device supports it; check with your administrator or the Windows documentation.

Disable File Sharing To Protect Against Gatak

Do this only if you know you will not need it. Whenever sharing is required, use password protection and ACLs to limit access, disable anonymous access to shared files and folders, and grant access to the shared folder only to accounts that have strong passwords.

Remove Unnecessary Services, Or At Least Turn Them Off, To Protect Against Gatak

Operating systems install many auxiliary services by default that are not critical. Hackers can use these services as avenues of attack, so remove them to leave fewer avenues open.

Block Exploited Services To Protect Against Gatak

If a threat has already exploited one or more network services, disable or block access to those services. Keep them disabled until the IT team has obtained a patch and applied it.

Make Sure Patch Levels Are Kept Up To Date To Protect Against Gatak

If they are not, hackers can exploit that weakness. Machines that host public services, and any machine reachable through the firewall, need particular attention; make sure services such as HTTP, DNS, mail and FTP are fully patched.

Properly Configure Email Servers To Protect Against Gatak

Mail servers should block or remove messages carrying the file attachments that hackers commonly use to spread malicious code, such as .scr, .pif, .bat, .vbs and .exe files. Never open an attachment with one of these extensions.
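Here is an added Python example, not a vendor's ruleset, of the attachment check a mail gateway or a mail-flow script might apply: it parses a message, walks the attachments, and blocks any whose name carries a dangerous extension anywhere in it (catching double extensions such as invoice.pdf.exe), or whose body starts with the MZ header of a Windows executable regardless of the name. The message and the extension list are constructed here.

```python
"""Added example: attachment policy check of the kind a mail gateway applies.
Not a vendor ruleset; the message and extension list are constructed here."""
import email
from email import policy
from email.message import EmailMessage

# Extensions the page lists, plus a few more script/shortcut types commonly blocked.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".vbs", ".cmd", ".com",
               ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}
MZ_MAGIC = b"MZ"   # DOS/PE header every Windows executable starts with


def attachment_verdicts(raw: bytes) -> list:
    """Return (filename, verdict, reasons) for each attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        body = part.get_payload(decode=True) or b""
        reasons = []
        # every dotted segment after the first counts, so "invoice.pdf.exe" is caught
        exts = ["." + seg for seg in name.split(".")[1:]]
        hit = sorted(set(exts) & BLOCKED_EXT)
        if hit:
            reasons.append("blocked extension " + ",".join(hit))
        if body[:2] == MZ_MAGIC:
            reasons.append("PE (MZ) header in body despite name")
        verdicts.append((name, "block" if reasons else "allow", reasons))
    return verdicts


def build_sample_message() -> bytes:
    """Construct a test message: one benign PDF, one double-extension EXE,
    one executable renamed to look like a PNG."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "records@clinic.invalid"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                     subtype="octet-stream", filename="Invoice.PDF.exe")
    m.add_attachment(b"MZ\x90\x00 constructed stub", maintype="image",
                     subtype="png", filename="photo.png")
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict, reasons in attachment_verdicts(build_sample_message()):
        print("%-18s %-5s %s" % (name, verdict, "; ".join(reasons)))
```

The name check alone is not enough, which is why the body check is there: attackers rename executables, and mail clients on Windows hide known extensions, so "photo.png" with an MZ header is exactly what a renamed dropper looks like. A production filter would also open archives (zip, 7z, ISO) and apply the same two tests to what is inside.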

Isolate Infected Machines To Protect Against Gatak

Administrators must disconnect compromised machines from the network as quickly as possible so the threat does not spread to other computers. Then perform a thorough forensic analysis, and afterwards restore the infected computers from trusted media.

Have Trained Employees To Protect Against Gatak

Employees should know not to open email attachments unless they are expecting them, and to scan every application downloaded from the internet, executing it only once the scanner has confirmed it is clean.

Remember that simply visiting a site that hackers have compromised can cause an infection, and an unpatched web browser with known vulnerabilities is a serious risk. Make sure everything is updated and patched.

Disable Bluetooth To Protect Against Gatak

Let's be honest: nobody needs Bluetooth, but a lot of people want it. If a company's employees do not use Bluetooth, the administrator should disable it.

If a user does want Bluetooth, make sure the device's visibility is set to "hidden" so other devices cannot scan it without permission. If pairing is needed, make sure all devices involved are set to "Unauthorized", which requires authentication for every connection request.

And do not accept applications offered from unknown or unsigned sources.

