Gootkit banking Trojan jumps the Channel

Share with your network!

First documented in mid-2014 [1], the Gootkit banking Trojan appeared to focus solely on customers from several French banks. This JavaScript-based malware combines web-injects (a la Zeus) and a clever persistence technique to create a robust tool for stealing online banking logins and other credentials from users of infected systems. In 2015, Gootkit integrated certain fileless features previously noted in Poweliks [2], and it has also been observed being dropped directly by Angler EK (Fig. 1) or indirectly via Bedep (Fig. 2).

Angler EK dropping Gootkit

Figure 1: Angler EK dropping Gootkit (2014-09-23)

Bedep dropping Gootkit

Figure 2: Bedep dropping Gootkit (2014-12-10)

 

Gootkit has been observed targeting credentials for customers of a range of French financial institutions, including Crédit Mutuel, BNP Paribas, Le Crédit Lyonnais, Crédit Agricole, Société Générale, BTP Banque, and Crédit Coopératif. In March 2015, this distribution expanded to include customers of French and Italian banks through spam campaigns [3] that are still ongoing.

 

Here is an example of an email and accompanying Word doc used to deliver Gootkit to Italian targets in December of 2015.

Email used to deliver Gootkit

Figure 3: Email used to deliver Gootkit (2015-12-14)

Word document used to deliver Gootkit

Figure 4: Word document used to deliver Gootkit (2015-12-14)

 

This expansion continued in late October, as Proofpoint researchers observed Gootkit being dropped by Angler EK through multiple infection paths in Canada. Since 2015-11-26, Gootkit has also been seen dropped in Great Britain via Angler EK at the end of a malvertising infection chain.

 

Gootkit dropped by Angler EK at end of Malvertising chain

Figure 5: Gootkit dropped by Angler EK in Great Britain at the end of a Malvertising chain (2015-12-13)

Snippet of UK-focused injects

Figure 6: Snippet of UK-focused injects tied to sample 58aeefd4700af5cb1db1f5603025a5ec

 

Configs from the UK-focused injects (Fig. 6) show that these latest payloads are attempting to capture information from customers of a range of financial institutions that are based or operate in the UK, including Paypal, Santander, Natwest, Ulster Bank, Royal Bank of Scotland, and Barclays.

 

This expanded targeting follows a trend we have observed in recent months, as threat actors seek to reach new victims by shifting their distribution to new regions and verticals. With Gootkit finally crossing the Channel it would not be surprising to see it in other regions in the near future, as well as to see other malware with limited geographic presence (such as Shifu) jump on this trend.

 

References
 

[1] Analyzing Gootkit's persistence mechanism (new ASEP inside!) - 2015-04-13 - CERTSG - https://www.sentinelone.com/labs/gootkit-banking-trojan-part-2-persistence-other-capabilities/

 

[2] Win32/Xswkit (alias Gootkit) - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669

 

[3] Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority - 2015-03-30 - http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/

 

[4] “Hey Brian, Heya Homer, fancy meeting you here!” – Zeus Gootkit, 2014 AD - 2014-08-07 - CertLexsi https://www.lexsi.com/securityhub/hey-brian-heya-homer-fancy-meeting-you-here-zeus-gootkit-2014-ad/?lang=en

 

 

 

Indicators of Compromise (IOC’s)

File hashes:

6195950991475ec363f53b2c570469512b8e4a1995db73056cff39251c211dff - 2015-08-26 - CAN

a24c9996913ecbe2af183e5ac3d176f869ed62e15a31deb2dc2ea947900432c3 - 2015-11-26 - GBR

cb55bd4ee66ee8fcbda9f0f15192406bb1d089bc72a0f121395fafc8e04cb0e8 - 2015-12-02 - CAN

532bd85487ce3c16654d21c6425f6f728430d50e47e802b332ea82ae0511adca - 2015-12-13 - GBR

3922F2317BE8D0420F1DC938A633B3243D938FC0098A528D70B89C2D2F080C5C - 2015-12-21 - ITA

 

 

C2 server addresses:

swysocki77.com - 138.204.171.103

gorski83.com

ostrowski87.com

jasinski2015.com

olszewski78.com

pozheeshebudem.com

freforevermailtes.com

nidermidertom.com

ecuremailbestfree.com

securewebgooglesite.com

robertpouslen12494.pw - 151.80.201.187

robertpouslen1234524.com

update-service7825t28.com

domolor.com - 108.61.178.212

babosikimne.com - 81.2.241.227

babosikidai.com - 185.86.149.224

vaillantsawer.com - 198.96.89.181 185.82.202.38

proballansmen.com

reputamadrell.com

lastrizariano.com

rokobarokkino.com

artipreambulo.com

trequablaster.com

pretriquestro.com

rebellintosto.com

mellicianactr.com

abc.doitgraphic.org - 198.71.232.3
updatebase.bid
shop.lifexcellence.org

 

 

ET Open and Pro rules:

2022257  || ET TROJAN Possible Gootkit CnC SSL Cert M5

2022256 || ET TROJAN Possible Gootkit CnC SSL Cert M4

2022255 || ET TROJAN Possible Gootkit CnC SSL Cert M3

2022253 || ET TROJAN Possible Gootkit CnC SSL Cert M1

2019907 || ET CURRENT_EVENTS Gootkit SSL Cert Dec 10 2014

2022259 || ET TROJAN Possible Gootkit CnC SSL Cert M7