Kaspersky Released Analysis of Banking Trojan Gootkit

Kaspersky Released Analysis of Banking Trojan Gootkit

Kaspersky researchers released a detailed analysis of a banking Trojan Gootkit that has an extensive array of capabilities. In a blog post on Securelist blog they analyze a recent sample of Gootkit.

Gootkit is a multi-stage banking Trojan that was discovered in 2014 by Doctor Web, and is still in use in active hacking campaigns, researchers warn. It seized operating after a data leak in 2019 but was active again in November 2020.

After initially using spam campaigns for distributing the Trojan, the attackers shifted to compromised websites where they could trick the users into downloading the malware.

Gootkit is a hijacker malware that can steal data from a web browser. It can also perform various man-in-the-browser attacks, keylogging, taking screenshots and many other actions. Gootkit’s victims are mainly in Europe, many in Germany and Italy.

The Trojan’s loader can perform various virtual machine checks and sandbox checks to prevent analysis by security analysts and enters a loop if it does detect such attempts.

Gootkit is a modular framework that consists of a down-loader component written in C++, registration, spyware, VMX detection and other modules, and a main body in JS (interpreted by Node.js).

The analyzed sample was packed by a custom multi-stage packer. It decrypts the final payload step step by step, the last step being a shellcode that maps the original loader’s contents into memory.

The last stage is a shellcode that decrypts the original loader executable and maps it into memory. After mapping, the original entry point is called. Hence, we can easily unpack the original executable and analyze it,” researchers wrote.

The injected code is used to perform man-in-the-browser attacks. It injects custom web code and traffic sniffing routines to modify or redirect web traffic.

After unpacking, the loader will download the latest version of the main body from the C&C:

“The loader will download the main body from the C&C, calculate its CRC32 and compare it with the registry payload CRC (if one exists). If the CRCs are different, the loader will execute the newer version downloaded from the C&C.”

The main body is a Node.js interpreter that stores encrypted JavaScript files. It uses an RC4-like algorithm to decrypt the files on startup.

When the malware launches, it creates an infinite loop that listens to various internal events and sends the collected data to a C&C server.

The family is detected by various products of Kaspersky as Trojan-Downloader.Win32.Injecter, HEUR:Trojan.Win32.Generic, Trojan-Downloader.Win32.Gootkit, Trojan-Banker.Win32.Gootkit. Kaspersky provided IoCs, MITRE ATT&CK Framework data, Yara rules, and hashes on Financial Threat Intelligence services.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.