GootKit banking malware was first spotted in 2014 and has since been used in attacks against consumer and business bank accounts in Europe. Its capabilities include infiltrating banking accounts, stealing credentials, and manipulating online banking sessions.
In 2016, attackers behind the GootKit updated the malware with enhanced capabilities such as video-grabbing, virtual machine detection, installation flow modifications for evasion.
GootKit has been distributed via phishing emails as well as exploit kits such as Neutrino, Angler, and RIG.
The three main modules
Gootkit uses three main modules,
- The Loader
- The Main Module
- The Web Injection Module
The loader module is the first-stage of the Trojan which sets up the persistent environment. The main module creates a proxy server which works in conjunction with the new browser injection module.
Researchers noted that Gootkit has shifted from web injection to redirection attacks. This malware redirects victims to a fake website disguised as a banking page, where banking details and credentials are collected from the victims.
MailChimp delivers GootKit
In December 2017, attackers behind GootKit exploited the network of MailChimp to deliver the GootKit trojan. The network was used for almost 4 months to distribute the malware. At that time, MailChimp acknowledged the incident and stated that they are working to fix the issue.
Rubella malware downloads Gootkit
In mid-2018, a crimeware kit dubbed ‘Rubella Macro Builder’ gained popularity. This builder includes various encryption algorithm choices, download methods, payload execution methods. The Rubella-generated malware acts as a first-stage loader for other additional malware downloads.
In April 2018, the Rubella-generated malware downloaded and executed the Panda banking malware version 2.6.6 and the Gootkit banking malware.
Gootkit distributed via JasperLoader
In April 2019, researchers observed a malspam campaign with signed emails that distributed the Gootkit banking trojan via the multi-stage malware downloader called JasperLoader. This malspam campaign primary targeted Central Europe with a focus on Italy and Germany.
In these campaigns, attackers used legitimate certified email services such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong to send signed emails.
Gootkit distributed via Emotet
Security researchers observed Emotet distributing third-party payloads such as Qbot, The Trick, IcedID, and Gootkit. Researchers also noted that this new version of Emotet loaded its modules for spamming, credential stealing, email harvesting, and spreading on local networks.