Kaspersky researchers have released a detailed analysis of Gootkit, a banking Trojan with an extensive array of capabilities. In a post on the Securelist blog they analyze a recent sample of the malware.
Gootkit is a multi-stage banking Trojan that was discovered in 2014 by Doctor Web and is still used in active hacking campaigns, researchers warn. It ceased operating after a data leak in 2019 but was active again in November 2020.
After initially using spam campaigns for distributing the Trojan, the attackers shifted to compromised websites where they could trick the users into downloading the malware.
Gootkit is hijacker malware that steals data from the web browser. It can also perform man-in-the-browser attacks, keylogging, screenshot capture and many other actions. Gootkit’s victims are mainly in Europe, many of them in Germany and Italy.
The Trojan’s loader can perform various virtual machine checks and sandbox checks to prevent analysis by security analysts and enters a loop if it does detect such attempts.
Gootkit is a modular framework that consists of a downloader component written in C++, registration, spyware, VMX detection and other modules, and a main body in JS (interpreted by Node.js).
The analyzed sample was packed by a custom multi-stage packer. It decrypts the final payload step by step, the last stage being a shellcode that maps the original loader’s contents into memory.
“The last stage is a shellcode that decrypts the original loader executable and maps it into memory. After mapping, the original entry point is called. Hence, we can easily unpack the original executable and analyze it,” researchers wrote.
The injected code is used to perform man-in-the-browser attacks. It injects custom web code and traffic sniffing routines to modify or redirect web traffic.
After unpacking, the loader will download the latest version of the main body from the C&C:
“The loader will download the main body from the C&C, calculate its CRC32 and compare it with the registry payload CRC (if one exists). If the CRCs are different, the loader will execute the newer version downloaded from the C&C.”
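The CRC32 comparison in the quote above is a simple version check, and reproducing it is useful when triaging an infected host: a payload recovered from the registry can be compared against a captured download to tell whether the loader would have swapped in the newer copy. The following Python is an added example written for this article, not Kaspersky's code or Gootkit's; it implements the standard CRC-32 used by zlib, cross-checks it against the library, and applies the comparison. The registry location the loader uses and its behaviour when no stored CRC exists are not stated in the article, so the example takes a CRC value as input and treats a missing value as "no registry copy", which is an assumption.

```python
import zlib
from typing import Optional

# CRC-32 as used by zlib / PKZIP: reflected polynomial 0xEDB88320,
# initial value and final XOR 0xFFFFFFFF. Table-driven, built once.
_POLY = 0xEDB88320
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ _POLY if c & 1 else c >> 1
    _TABLE.append(c)


def crc32(data: bytes) -> int:
    """Compute CRC-32 of `data` without relying on a library."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-rolled CRC against zlib's implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def compare_with_registry(downloaded: bytes, registry_crc: Optional[int]) -> str:
    """Classify a downloaded payload against the CRC stored in the registry.

    'same-version'     : CRCs match, loader would keep the stored copy.
    'newer-version'    : CRCs differ, loader would run the download.
    'no-registry-copy' : no stored CRC (assumed to be treated as new).
    """
    if registry_crc is None:
        return "no-registry-copy"
    if crc32(downloaded) != (registry_crc & 0xFFFFFFFF):
        return "newer-version"
    return "same-version"


# Constructed sample data, not real Gootkit payloads: a PE-looking header
# followed by a marker so the two "versions" differ.
REGISTRY_PAYLOAD = b"MZ" + b"\x90" * 64 + b"constructed sample payload v1"
NEW_DOWNLOAD = b"MZ" + b"\x90" * 64 + b"constructed sample payload v2"
REGISTRY_CRC = crc32(REGISTRY_PAYLOAD)


def triage() -> dict:
    """Run the comparison for the constructed samples and return the verdicts."""
    return {
        "registry_crc": f"{REGISTRY_CRC:08x}",
        "download_crc": f"{crc32(NEW_DOWNLOAD):08x}",
        "same_payload": compare_with_registry(REGISTRY_PAYLOAD, REGISTRY_CRC),
        "new_payload": compare_with_registry(NEW_DOWNLOAD, REGISTRY_CRC),
        "missing_crc": compare_with_registry(NEW_DOWNLOAD, None),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A single changed byte flips the verdict, which is the point of the loader's check: it is a cheap equality test, not an integrity guarantee, so an analyst should still hash recovered payloads with a cryptographic digest before matching them against the published IoCs.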
When the malware launches, it creates an infinite loop that listens to various internal events and sends the collected data to a C&C server.
Kaspersky products detect the family as Trojan-Downloader.Win32.Injecter, HEUR:Trojan.Win32.Generic, Trojan-Downloader.Win32.Gootkit and Trojan-Banker.Win32.Gootkit. Kaspersky provided IoCs, MITRE ATT&CK Framework data, Yara rules, and hashes through its Financial Threat Intelligence services.