Gootkit

Gootkit is a banking Trojan, malware created to steal banking credentials. In fact, Gootkit is classified as one of the most sophisticated banking Trojans ever created. It relies on complex evasion and persistence mechanisms, as well as advanced techniques such as dynamic web injections.

  • Type: Trojan
  • Origin: Unknown
  • First seen: 1 June, 2014
  • Last seen: 21 November, 2019
  • Global rank: 21
  • Week rank: 25
  • Month rank: 26
  • IOCs: 107

What is Gootkit malware?


Since its initial discovery in 2014, Gootkit has been used in multiple attacks targeting bank accounts across Europe, some of them highly destructive.

Gootkit is known to target the most widely used web browsers, namely Internet Explorer, Firefox, and Chrome. Interestingly, this Trojan is written mostly in JavaScript running on Node.js, an unusual choice among malware operators. What’s more, while many similar malicious programs borrow heavily from leaked source code of older samples, Gootkit appears to have been written almost entirely from scratch.

General description of Gootkit

The roots of this malware go all the way back to the year 2010 when what can be called the predecessor of Gootkit was first documented. Classified at the time as an information stealer which did not pose a significant danger, Gootkit has since evolved into a full-fledged banking Trojan.

The malware has been documented in its present form as a Trojan since 2014, used in attacks on both private and corporate victims in Europe, mainly banks in France and England, although Spanish and Italian banks have reportedly been attacked as well.

Unlike some other Trojans, Gootkit is not offered for sale on the internet. Its code has not been leaked either, and all attacks involving this malware have been carried out by a Russian-speaking group of hackers.

The creators of this Trojan have implemented some of the most advanced anti-analysis tricks to keep the payload hidden for as long as possible and to hinder analysis by security researchers. Gootkit consists of two main parts, the dropper and the Trojan itself, and it carries out sandbox checks at every stage of its life cycle: both the dropper and the actual Trojan have their own evasion procedures.

Once the dropper lands on a machine, it runs an initial VM check to make sure the malware is not being launched in a virtual environment. It does this by reading the processor value in the Windows Registry and checking it for the names of known virtualization products. The BIOS is also checked for values that could indicate the malware is running on a VM. If the malware concludes that it is not running on a physical machine, it terminates all activity and contacts the control server to blacklist the endpoint it was launched on.

If the initial test is passed, however, the loader installs the main Gootkit executable, which in turn repeats some of the previous checks and adds several new ones. In one of the new checks, the malware compares the CPU name against a whitelist of admissible names to make sure no VM name is present. After this test, the malware scans the IDE/SCSI hard drive identifiers for VMWare, VBOX or SONI values.

Such thorough virtual machine checks are not the only trick up Gootkit’s sleeve when it comes to evasion. To increase the install success rate, the malware creators frequently modify the Trojan, changing both the processes targeted for injection and the file type of the executable.

For example, instead of running an .exe file, some Gootkit samples load a DLL directly into a target process. What’s more, while most malware selects the explorer.exe process as its injection target, Gootkit targets a service host (svchost.exe) process instead. Presumably this is done to evade detection further, since injecting into a process that normally has many running instances makes Gootkit easier to hide.

In addition to advanced anti-detection methods, Gootkit employs equally sophisticated persistence techniques to make its removal from an infected machine as complicated as possible. The malware has two main persistence mechanisms, chosen according to the available system rights. When launched from an admin account, Gootkit can mimic a Windows service with a random name, which helps to confuse users. This way it is able to start before a victim logs on and keep running after he or she logs off.

If launched from a least-privilege user account, however, the malware registers itself as a scheduled task, again with a random name. This task is set to run every minute and on every boot, ensuring that the malware remains on the machine after antivirus scans and system reboots.

Gootkit malware analysis

A video of the simulation recorded in the ANY.RUN malware hunting service allows us to take a closer look at the execution of Gootkit and see this malware in action. The video is available here.

Figure 1: The lifecycle of Gootkit shown in visual form on the process graph generated by the ANY.RUN online analysis sandbox.

Figure 2: The text report, available at this link, provides more detailed information about Gootkit execution processes, artifacts and more.

Gootkit execution process

Gootkit often enters the system as an email attachment in the form of a Microsoft Word file. After the user opens the malicious file, it starts PowerShell to download the main payload.

It should be noted that in some cases Gootkit postpones execution by registering itself as a scheduled task. Once the main payload starts, Gootkit unpacks and launches itself. This process carries out the main malicious activity: stealing personal information, downloading other malware, recording video of the victim’s desktop, hijacking banking credentials, connecting to C2 servers and so on. In the given example, Gootkit also uses WMIC.EXE to obtain a list of installed antivirus products.
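Detection logic for the behaviours described in the persistence and execution-process sections above, as an added example (not ANY.RUN's or the malware's own code): it runs simple rules over constructed Sysmon-style process-creation events and flags a Word document spawning PowerShell, WMIC enumerating antivirus products, a minutely scheduled task with a random name, and a randomly named new service. The event format, the field names and the random-name heuristic are assumptions.

```python
import re
# Constructed Sysmon-style process-creation events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": 'WINWORD.EXE /n "invoice.doc"'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /SC MINUTE /MO 1 /TN "k8x2q9wm" /TR C:\Users\u\AppData\x.exe'},
    {"pid": 1004, "ppid": 1002, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r"WMIC.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName"},
    {"pid": 1005, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /Create /SC DAILY /TN "Adobe Acrobat Update Task" /TR acrobat.exe'},
    {"pid": 1006, "ppid": 1002, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc.exe create qzvtxkr binPath= "C:\ProgramData\q.exe" start= auto'},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed set of document handlers
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_random(name):
    """Assumed heuristic for the random task/service names: one token, 6+ chars, almost no vowels."""
    if " " in name or len(name) < 6:
        return False
    vowels = sum(c in "aeiou" for c in name.lower())
    return vowels / len(name) < 0.25

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, cmd, parent = basename(e["image"]), e["cmd"], by_pid.get(e["ppid"])
        # Stage 1: the Word attachment launches PowerShell to fetch the payload
        if img == "powershell.exe" and parent and basename(parent["image"]) in OFFICE:
            alerts.append(("office_spawns_powershell", e["pid"]))
        # Stage 2: WMIC used to enumerate installed antivirus products
        if img == "wmic.exe" and "antivirusproduct" in cmd.lower():
            alerts.append(("wmic_av_enum", e["pid"]))
        # Non-admin persistence: random-named task that repeats every minute
        m = re.search(r'/TN\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        if img == "schtasks.exe" and "/create" in cmd.lower() and m:
            name = m.group(1) or m.group(2)
            if re.search(r"/SC\s+MINUTE", cmd, re.I) and looks_random(name):
                alerts.append(("minutely_random_task", e["pid"]))
        # Admin persistence: service created with a random name
        m = re.search(r"^sc(?:\.exe)?\s+create\s+(\S+)", cmd, re.I)
        if img == "sc.exe" and m and looks_random(m.group(1)):
            alerts.append(("random_named_service", e["pid"]))
    return alerts
```

The benign daily "Adobe Acrobat Update Task" event is included as a negative case and produces no alert.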

Distribution of Gootkit

Gootkit uses multiple attack vectors to infect its victims, including popular exploit kits such as Neutrino and Angler, which allow the malware to get onto machines running out-of-date operating systems.

The second attack vector is email spam, where Gootkit is delivered to users as a malicious email attachment and social engineering is used to trick the user into downloading the malicious file.

How to avoid infection by Gootkit?

There are several rules of online safety that greatly reduce the risk of infection by malware such as Gootkit. For instance, users are advised to install the latest OS updates and to keep the applications they use regularly up to date.

At the same time, applications that are rarely opened should be removed from the machine. It is also advisable to block ads in the browser and avoid visiting suspicious websites. Furthermore, if a private inbox is used at work instead of a corporate one, the user should refrain from sending sensitive information to and from that personal email address.

It should be noted that opening attachments in suspicious emails always poses a high risk of infection, so users must never run suspicious programs downloaded from emails sent from unrecognized addresses.

How to export data from the analysis of Gootkit malware using ANY.RUN?

If analysts want to do additional work with events from tasks, or simply want to share them with colleagues, they can export them to different formats. Just click the "Export" button and choose the most suitable format in the drop-down menu.

Figure 3: Options for exporting events from tasks with Gootkit.

Conclusion

Although Gootkit is responsible for a negligible percentage of overall financial-malware attacks, this Trojan should be considered an extremely high-risk threat. Thanks to its sophisticated persistence and evasion functions, it is capable of potentially very damaging attacks.

What’s more, following the development of this Trojan over the years, it is safe to assume that its evolution will continue and that the cybercriminals behind the malware will keep finding ways to evade modern security solutions.

That is why using the most reliable and cutting-edge analysis tools, such as the ANY.RUN malware hunting service, can be key to building a secure cyber defense against serious threats like Gootkit.

IOCs

