Gootkit is one of the malware families continually and closely tracked by F5 researchers. Our past coverage, in Tackling Gootkit traps, examined Gootkit activity during its first campaign, where it leveraged anti-forensics techniques, including VM detection tricks and other anti-research traps.
The latest Italian-centric Gootkit campaign does not have an exceptional target list. Most of the listed countries were already the heaviest targets of external injection. The industries targeted are mostly banking organizations, plus some email providers. We speculate this is to update its spam lists for possible future campaigns. As referenced in a previous article about Danabot campaign activity in November 2018, both malware families have started to add email providers as default targets.
An additional section of the malware contained a redirection capability, which the malware used to target further service providers, including antivirus (AV) companies and email providers. Gootkit also targeted specific parts of bank site URLs in order to disrupt regular communication with the banks' native components and thereby aid the fraud.