Gootkit Italian Campaign Overview

The Gootkit banking trojan is still active and protecting itself in Italy using a dedicated redirection defense.
June 18, 2019

Gootkit is an advanced banking trojan first discovered in mid-2014. Known for using various techniques to evade detection, the malware also has its own unique methods: it’s partially written in JavaScript and it incorporates the node.js runtime environment.

Gootkit is one of the malware families that F5 researchers track closely. Our past coverage includes Gootkit's first campaign, in which it leveraged anti-forensics techniques such as VM-detection tricks and other anti-research traps; these are described in Tackling Gootkit traps.

Campaign Overview

The latest Italian-centric Gootkit campaign does not have an exceptional target list. Most of the listed countries were already the heaviest targets for external injection. The targeted industries are mostly banking organizations, plus some email providers; we speculate this is to update its spam lists for possible future campaigns. As noted in a previous article about Danabot campaign activity in November 2018, both malware families have started adding email providers as default targets.

Figure 1: Gootkit Italian Campaign

Protective Redirection

An additional section of the malware contained a redirection capability, which the malware used to target additional service providers, including antivirus (AV) companies and email providers. Gootkit also targeted specific parts of bank site URLs in order to disrupt regular communication with native banking components to aid in the fraud.

Figure 2: Redirection by Target

The redirection list serves a different purpose from a regular injection target list: Gootkit uses this combination of redirections to protect its main attack, external injection. Other banking malware uses redirection differently, as part of the attack arsenal against targeted financial services institutions in order to steal money.

An example of protective redirection can be seen below:

Figure 3: Example of Protective Redirection

When the victim tries to access any of the targeted URLs (https://cache.inbank.it/, https://www.kaspersky, or https://dc.services.visualstudio.com/), the result is the following legitimate 404 window:

Figure 4: Google 404 Page

In addition, the Gootkit redirections help keep the infection alive on the machine by blocking the user from accessing specific AV sites. This blocking cuts off communication with the resident AV agents and with online support. Gootkit also blocks downloads of trial versions of malware-removal software, such as Malwarebytes.

Interestingly, it also blocked downloads from Cnet.com:

Figure 5: Gootkit Protective Redirect Against Cnet

(We wanted to assess the content of the redirection JavaScript, but it was not reachable at the time of writing; from the script name we can assume it produced a blank page or some other misleading response.)
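The protective redirection described above has a visible side effect a defender can hunt for: a request for a security vendor or download-mirror site that ends up loading a completely different host. The script below is an added example, not code from the article or from F5; it assumes a simplified telemetry format (constructed here) in which each line records the client, the URL the user requested, the URL the browser ultimately loaded, and the HTTP status, and it flags clients whose requests to a watchlist of vendor hosts landed elsewhere. The watchlist itself is a hypothetical sample and should be replaced with the hosts relevant to your own environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Hypothetical watchlist: hosts an infected machine would be steered away from.
# These are example entries chosen for illustration, not the malware's actual list.
WATCHLIST: Set[str] = {
    "www.kaspersky.com",
    "www.malwarebytes.com",
    "download.cnet.com",
}

# Constructed sample telemetry: "<client> <requested_url> -> <loaded_url> <status>".
# 10.0.0.7 shows the redirection pattern; the other clients behave normally.
SAMPLE_LOG = """\
10.0.0.5 https://www.kaspersky.com/ -> https://www.kaspersky.com/ 200
10.0.0.7 https://www.kaspersky.com/downloads -> https://www.google.com/notfound 404
10.0.0.7 https://www.malwarebytes.com/trial -> https://www.google.com/notfound 404
10.0.0.9 https://download.cnet.com/ -> https://download.cnet.com/ 200
10.0.0.7 https://example.com/ -> https://example.com/ 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\d{3})$")


@dataclass(frozen=True)
class Finding:
    client: str
    requested_host: str
    loaded_host: str
    status: int


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Split one telemetry line into (client, requested host, loaded host, status).

    Returns None for lines that do not match the expected format so that a
    single bad record never aborts the whole scan.
    """
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    client, requested, loaded, status = match.groups()
    req_host = urlparse(requested).hostname or ""
    loaded_host = urlparse(loaded).hostname or ""
    return client, req_host, loaded_host, int(status)


def find_protective_redirects(log_text: str, watchlist: Set[str] = WATCHLIST) -> List[Finding]:
    """Return every request to a watchlisted host that loaded a different host."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, req_host, loaded_host, status = parsed
        # A legitimate site redirecting within its own domain is not suspicious;
        # a watchlisted vendor host landing on an unrelated host is.
        if req_host in watchlist and loaded_host != req_host:
            findings.append(Finding(client, req_host, loaded_host, status))
    return findings


def clients_to_triage(log_text: str, watchlist: Set[str] = WATCHLIST) -> List[str]:
    """Distinct clients showing the redirection pattern, sorted for stable output."""
    return sorted({f.client for f in find_protective_redirects(log_text, watchlist)})


if __name__ == "__main__":
    for finding in find_protective_redirects(SAMPLE_LOG):
        print(f"{finding.client}: {finding.requested_host} -> {finding.loaded_host} ({finding.status})")
    print("clients to triage:", clients_to_triage(SAMPLE_LOG))
```

A host hitting this rule once could simply be a vendor's own maintenance redirect, so the triage list is a starting point for pulling the endpoint's process and network history rather than a verdict on its own. Running the check across all clients also surfaces the pattern the article describes, where the same machine is steered away from several vendor sites in a row.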

Conclusion

Gootkit remains active by maintaining this campaign of redirection. We have observed multiple configurations targeting the same region over the past year. Even after infecting a system, Gootkit tries to protect itself from legitimate AV product sites and even from additional well-known download mirrors. This attention to detail shows that the malware means business and is ready to disrupt the inner components of bank sites as well as defensive tools. Since this malware has declared Italy part of its attack agenda, we recommend that Italian users exercise caution when opening email links, as this is a primary infection vector. Since Gootkit blocks access to AV tools, we also recommend that organizations keep local copies of malware scanning and cleanup tools so they can respond quickly in an emergency.

MD5:

6523766972839c645e20c24da11513db
f7d41fc527ffc5b5d5f70d3e42c9f7ff
7dfd903cb33663cf9024866d998a5470

C2:

37[.]10[.]71[.]157
176[.]10[.]118[.]118
194[.]76[.]225[.]28
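The C2 addresses above are published defanged (with `[.]` in place of `.`), so they cannot be dropped straight into a lookup. The following added example, which is not part of the article and is not F5 code, refangs the page's indicators, matches them against constructed firewall-style flow records, and checks a file's MD5 against the published hashes. The flow record format (`<src> <dst> <dport>`) and the sample records are constructed assumptions for the demonstration.

```python
import hashlib
import ipaddress
import re
from typing import List, Set, Tuple

# Indicators exactly as published on the page, in their defanged form.
DEFANGED_C2 = [
    "37[.]10[.]71[.]157",
    "176[.]10[.]118[.]118",
    "194[.]76[.]225[.]28",
]
KNOWN_MD5: Set[str] = {
    "6523766972839c645e20c24da11513db",
    "f7d41fc527ffc5b5d5f70d3e42c9f7ff",
    "7dfd903cb33663cf9024866d998a5470",
}

# Constructed sample flow records: "<src> <dst> <dport>". Two of the
# destinations are the page's C2 addresses; the rest are ordinary traffic.
SAMPLE_FLOWS = """\
10.0.0.7 37.10.71.157 443
10.0.0.7 8.8.8.8 53
10.0.0.9 176.10.118.118 80
10.0.0.5 93.184.216.34 443
10.0.0.5 not-an-ip 443
"""


def refang(indicator: str) -> str:
    """Undo common defanging: '[.]' and '(.)' become '.', 'hxxp' becomes 'http'."""
    value = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value)


def c2_addresses() -> Set[ipaddress.IPv4Address]:
    """Parse the refanged C2 list into address objects (also validates them)."""
    return {ipaddress.IPv4Address(refang(ip)) for ip in DEFANGED_C2}


def match_flows(flow_text: str) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for every flow whose destination is a known C2."""
    c2 = c2_addresses()
    hits: List[Tuple[str, str, int]] = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        try:
            if ipaddress.IPv4Address(dst) in c2:
                hits.append((src, dst, int(port)))
        except ValueError:
            # Malformed destination or port: skip the record rather than abort.
            continue
    return hits


def is_known_hash(hex_digest: str) -> bool:
    """Case-insensitive lookup of an MD5 hex digest against the published set."""
    return hex_digest.strip().lower() in KNOWN_MD5


def md5_matches(data: bytes) -> bool:
    """Hash raw file bytes and check them against the published MD5 list."""
    return is_known_hash(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for src, dst, port in match_flows(SAMPLE_FLOWS):
        print(f"C2 contact: {src} -> {dst}:{port}")
    print("constructed sample matches a known hash:", md5_matches(b"constructed sample"))
```

MD5 is used here only because that is what the article publishes; it is not a collision-resistant hash, so a match is useful as a positive indicator while a non-match proves nothing about a modified sample. Blocking the C2 addresses at the perimeter, as the conclusion's advice on preparing local tooling implies, is worth pairing with this kind of retrospective flow search to find hosts that already reached them.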

Preventative (Administrative)
  • Ensure your users are aware of the risk of malicious links in emails.

Preventative (Technical)
  • Prepare local copies of malware scanning and cleanup tools.
Authors & Contributors
Doron Voolf (Author)
Malware Analyst
