BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
52
Global rank
80 infographic chevron month
Month rank
72 infographic chevron week
Week rank
545
IOCs

Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it a dangerous malware that researchers and organizations should be aware of.

Trojan
Type
Unknown
Origin
1 June, 2014
First seen
20 April, 2024
Last seen
Also known as
Waldek
Xswkit
Talalpek

How to analyze Gootkit with ANY.RUN

Type
Unknown
Origin
1 June, 2014
First seen
20 April, 2024
Last seen

IOCs

IP addresses
217.145.84.64
66.33.211.237
167.172.154.244
31.214.157.162
216.218.185.162
31.184.192.163
31.184.192.173
31.184.192.234
31.184.193.179
216.218.208.114
185.158.248.133
185.238.168.110
185.44.105.78
85.214.228.140
5.61.34.67
216.218.135.114
37.1.207.160
87.120.254.39
45.150.108.213
77.105.36.53
Hashes
5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468
c18c2e2636ebf84eec95f59b16c3091d02d57ac9f1b9d79fb61e160fb1a32a73
d5aeed584ea7bbb1aa14a303fdaff373e71205a9a89d9d374d22b5da20049560
090a960c1c844534cf3fffadda9a9f20174db54e5621700eb3e76dd8a8da86b0
f47e8187c9a9f7d0a134b82f4cf4ce5bfd134249b0cbbe63ed96a58b9200627d
89e1451a8a8b9096c085d93d607b3aed917df694519127187850f794817710e4
2664f51502c3fdb91a1a07d6bf012ac53d5f39d85d73e2e77cd026cc8d2d6027
b41af3e559c7e5f83d78ec176f080cc1aa0ae4759ef9e511d48eead6d73c45f6
50d3a4c96a91e2c41c66a5b190f489c87fb577be7ee6a5eb85a7bdef38e4cd65
78eafc271db5965c5b6e2a7b6ec49986ba9e2f85e4e9a88c2a64b1de2612bc1e
c86da0c50397d85410febab8242e6dde54748c1b17d8737a8b862d214565d4cb
b2cfdf45be295a1495beb380d7227d1a3f9cea999f33be898d642438870a2f47
353ba1044e1f057652bef36b3fa4c97630add2ea3e98dcf98de8bf2d56f03d96
422ae972e10d99155e664bf6e2c17933d89dc1d512fc78d10c9e669cda2906a1
2923f38e771bc61a7f64886179ab2d0e363992cd6b15ba3fdf6091d3146e6274
b03c0d9a936644e05ec1abb6463bca88cf6300d31c60138037bd951af676db6d
739d0d3b127dc05ab73d571eb92d766b96a0ac3a0c0f1372a062565d27a69605
b5fcd1792160f2f22bad2ed5bf5536b61ab16abe03e4af79f8a9fbf32dc5f9b1
9ea4a2c13003aff75c32fb381d9c292877df178e343088b807b2cfe9fd376df5
ea0bc812663fc5a49e44651af0d1f4226d69faf14c80d6cc4e8ec4cc82d12717
Domains
ricci.bikescout24.fr
my-game.biz
capfaregreem.eu
box.therusticsandbox.com
vancouverislandprocessor.com
jmitchelldayton.com
dmqxmz.lowashemterle.top
vinsethteas.com
babosikidai.com
sph.expoartshop.com
web.cfmontessori.com
ecuremailbestfree.com
martatov.top
kerymarynicegross.com
drive.gstroop4822.org
kvaladrigrosdrom.top
kerymarynicegross.top
it.goodvibeskicking.com
pro.prosperitybookkeeping.net
pretriquestro.com
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 51
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 723
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 570
comments 0

What is Gootkit malware?

Gootkit is a banking trojan – a malware created to steal banking credentials. In fact, Gootkit is classified as one top sophisticated banking trojan ever created. It relies on complex anti-evasion and persistence mechanisms, as well as complex techniques like dynamic web injections.

Since its initial discovery in 2014, Gootkit has been utilized in multiple attacks that targeted bank accounts across Europe, some of which were very destructive.

Gootkit is known to affect the most widely used web-browsers, namely IE, Firefox, and Chrome. Interestingly, this trojan is coded mostly using the node.js programming language – not the first choice for most operators. What’s more, while many similar malicious programs heavily utilize leaked source code of older samples, the virus appears to be written almost 100% from scratch.

General description of Gootkit

The roots of this malware go all the way back to 2010 when what can be called the predecessor of Gootkit was first documented. Classified at the time as an information stealer which did not pose a significant danger, Gootkit has since evolved into a full-fledged banking V.

The malware has been documented in its present form of a trojan since 2014, involved in attacks targeting both private and corporate victims in Europe, mainly targeting banks in France and England. However, Spanish and Italian banks have also been reportedly attacked.

Unlike some other trojan, Gootkit is not available for sale on the internet. Its code hasn’t been leaked, and a Russian-speaking group of hackers has carried out all attacks involving this malware.

Creators of the Gootkit trojan have implemented some of the most cutting-edge anti-evasion tricks to ensure the payload will stay hidden for as long as possible and prevent successful analysis by cybersecurity researchers. Comprised of two main parts, the dropper and the trojan itself – the virus carries out sandbox checks on every stage of its life cycle. Meaning that both the dropper and the actual trojan have unique anti-evasion procedures.

Once the dropper makes its way into a machine, it will conduct the initial VM check, making sure that the malware is not being launched in a virtual environment. This is achieved by verifying the system’s processor value inside the Windows Registry by checking for specific names of virtual servers. In addition, BIOS is also checked to find any values which could point at the malware being launched on a VM. If the malware detects that it is not being launched on a real machine, it terminates all activities and connects to the control server to blacklist the endpoint it was launched in.

However, if the initial test is passed, the loader installs the main Gootkit executable, which, in turn, repeats some of the previous checks while adding several new ones. In one of the new checks, the malware checks the whitelist of names admissible for the CPU to determine that a VM name is absent from the list. Following this test, the malware scans to find VMWare, VBOX, or SONI values on IDE/SCSI hard drives.

Such thorough virtual machine checks are not the only jack up the sleeve that Gootkit has regarding evasion. To increase the success rate of installs, the malware creators frequently make modifications to the generic trojan, changing the targeted processes for injections and filetypes of the executable.

For example, instead of running an .exe file, some samples of Gootkit load a DLL directly into a target process. What’s more, while the majority of malware select the explorer.exe process as their injection target, Gootkit targets a service host (svchost) process instead. Presumably, this is done to further evade detections since injecting into a process with several instances makes Gootkit easier to hide.

In addition to advanced anti-detection methods, Gootkit malware employs equally sophisticated persistence techniques to ensure that its deletion from an infected machine will prove as complicated as possible. The malware provides two main persistence mechanisms, which are used depending on the available system rights. When launched from an admin account, Gootkit can mimic a Windows service with a random name, which helps to confuse users. This way, it can launch before a victim logs on and continues running even after logging off.

However, if launched from a least-privilege user account, the virus writes itself as a scheduled task and a random name. This task is programmed to run every minute and on every boot, ensuring that the malware will remain on a machine after antivirus software scans and system reboots.

Gootkit malware analysis

A video of the simulation that was recorded in the ANY.RUN malware hunting service allows us to perform an analysis of the execution of Gootkit and see this virus in action as well as Danabot or Pony. Moreover, you can investigate the vast malware database in the public submissions, too. The video is available here.

gootkit execution process graph

Figure 1: the lifecycle of Gootkit can be viewed in a visual format on the process graph generated by the ANY.RUN online analysis sandbox.

text report of the gootkit malware analysis

Figure 2: This text report is available at this link provides more detailed information about Gootkit execution processes, artifacts, and more.

Gootkit execution process

Gootkit often gets into the system as an email attachment in the form of a Microsoft Word file. After the user opens the malicious file, it starts Powershell to download the main payload.

It should be noted that in some cases, Gootkit postpones the execution by putting itself in scheduled tasks. After the main payload execution starts, Gootkit unpacks and launches itself. This process provides the main malicious activity - stealing personal information, downloading other malware, grabbing video of the victim’s desktop, hijacking banking credentials, keys loading, connecting to C2 servers, and so on. In the given example, Gootkit also uses WMIC.EXE to obtain a list of AntiViruses.

Distribution of Gootkit trojan loader

Gootkit utilizes multiple attack vectors to infect its victims, including popular exploit kits like Neutrino and Angler, allowing the malware to get into machines with not-up-to-date operating systems.

The second used attack vector is email spam, where Gootkit is delivered to users as a malicious email attachment. Social engineering is used to trick the user into downloading the malicious file.

How to avoid infection by Gootkit?

Several online safety rules can be followed to greatly reduce the risk of infection by malware such as Gootkit. For instance, users are advised to install the freshest OS updates and update applications that users utilize regularly.

At the same time, those applications that are rarely opened should be deleted from the machine. In addition, it is advised to disable ads in the browser and avoid visiting suspicious websites. Furthermore, if a private inbox is used at work instead of a corporate one, a user should restrain from sending sensitive information to and from this personal email address.

It should be noted that opening email attachments in suspicious emails always poses a high risk of injection. Therefore users must never run suspicious programs downloaded from emails sent from unrecognized addresses.

How to export Gootkit data using ANY.RUN?

If the analyst wants to do additional work with events from tasks or share them with colleagues, they can export to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu.

options for export events from tasks with gootkit Figure 3: Options for export events from tasks with Gootkit

Conclusion

Although Gootkit is responsible for a negligible percentage of the overall attacks by financial malware, this trojan should be considered an extremely high-risk danger. Thanks to its sophisticated persistence and anti-evasion functions, it is capable of potentially very damaging attacks.

What’s more, following the trojan development over the years, it is safe to assume that its evolution will continue. Cybercriminals behind the malware will keep producing ways to evade modern security solutions.

That’s why utilizing the most reliable and cutting edge analysis tools, such as the ANY.RUN malware hunting service can be a key to setting up a secure cyber defense against serious threats like Gootkit. Check the service's malware database to find out about other malicious programs.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy