During the last campaign of Gootkit malware, detected by F5 in February 2016, new targets were spotted while analyzing its configuration.

Gootkit, identified in some cases as Waldek, is a banking Trojan that was first seen in the wild around April 2014.

Gootkit is a JavaScript based malware which uses web-injects, recording actions and utilizes a unique persistency mechanism in order to steal user credentials on infected machine.

In this specific configuration, the malware recorded user actions when they are interacting with the login page, those recordings are assumed to be sent over email to the fraudster.

While it was previously reported by “Proofpoint”, that the Gootkit malware started expanding its interest to other geographical areas and assumed that it will keep on this trend, we can currently witness this actual expansion forecast. By analyzing the malware configuration, we’ve noticed it targeting financial institutions from previous reports in Europe such as UK, France, Spain, Italy, Germany, Belgium, Luxemburg, Hungary, Bulgaria and Swiss banks.

From latest investigation we’ve noticed that Gootkit has started to examine new areas around the world, from the Middle East, attacking financial institutions in Israel and Egypt, now also targeting banks in US and Canada, even found targeting Sri Lanka and New Zealand.

clip_image002

Figure 1 Gootkit list of targets

As with other financial Trojans, Gootkit performs preparations by using video recording functionality before it is launching actual attacks on financial institutions websites.

The video recording documents user interaction with the bank’s website, while it can include several options, such as recording time and the frame rate of the video. After a record has been created the file will be uploaded to the C&C.

clip_image004

Figure 2 Gootkit configuration targeting generic "bank" name

Gootkit has an interesting traffic pattern, while communicating over HTTPS using port 80. We just can assume that it is intended to trick some weak firewall rules.

Gootkit communicates with couple of domains defined hardcoded in the infection file.

 fiddler

Figure 3 Gootkit Communication points

In order to avoid detection, the malware rewrites itself under a different file name every hour while deleting the previous version of the file.

To survive a reboot, it adds an “Autorun” registry key in HKEY_CURRENT_USER registry hive, under the \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which will run the malicious file every time a user logs on to his Windows account.

MD5 Sample: 1002c739e6152d917335c6f46d15e8c5

References:

· https://www.proofpoint.com/us/gootkit-banking-trojan-jumps-channel