Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Gootkit: the cautious Trojan
Gootkit: the cautious Trojan
harlan4096 Online
MalWare Zoo Team
*******
Posts: 15,812
Threads: 10,138
Thanks Received: 9,300 in 7,446 posts
Thanks Given: 10,214
Joined: 12 September 18
#1
Bug  08 June 21, 09:32
Quote:
[Image: shutterstock_1304177452-1200x600.jpg]

Gootkit is complex multi-stage banking malware that was discovered for the first time by Doctor Web in 2014. Initially it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where the visitors are tricked into downloading the malware.

Gootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms. In 2019, Gootkit stopped operating after it experienced a data leak, but has been active again since November 2020.

Gootkit’s victims are mainly located in EU countries such as Germany and Italy. In this article we analyze a recent sample of Gootkit.

Technical DetailsGootkit consists of a (down)loader component written in C++ and the main body written in JS and interpreted by Node.js. The main body is a modular framework, containing registration, spyware, VMX detection and other modules.

LoaderThe sample (MD5 97713132e4ea03422d3915bab1c42074) is packed by a custom-made multi-stage packer which decrypts the final payload step by step. The last stage is a shellcode that decrypts the original loader executable and maps it into memory. After mapping, the original entry point is called.

Hence, we can easily unpack the original executable and analyze it. We detect the Gootkit loader with the verdicts listed in the table below.

MD5 SHA-1 Verdict
97713132e4ea03422d3915bab1c42074 a90c6e7c5650e73ceb0b329fa8c78045632100eeTrojan-Downloader.Win32.Injecter
27626f2c3667fab9e103f32e2af11e84 6e9e30c699c7111089fe364ce47f1dc05c8bc703HEUR:Trojan.Win32.Generic

Most of the strings are encrypted using XOR encryption and are decrypted at runtime. No other techniques are used to complicate static analysis.

However, to make dynamic analysis more difficult, the Gootkit loader employs lots of different methods to detect virtual environments or debuggers. If any of the virtual machine checks succeed, the loader enters an infinite loop.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Intel Arc G3 Panther Lake series for han...
Intel G3 with LPDD...harlan4096 — 07:32
Core Ultra 7 270K Plus and Ultra 5 250K...
Intel reportedly ‘ca...harlan4096 — 11:27
Core Ultra 7 270K Plus and Ultra 5 250K ...
Intel’s Core Ultra...harlan4096 — 11:09
Adobe Acrobat Reader DC 2025.001.21184
Adobe Acrobat Read...harlan4096 — 10:45
Manjaro Linux 26.0.2 Build 260206
Manjaro Linux 26.0...harlan4096 — 17:06

[-]
Birthdays
Today's Birthdays
avatar (49)tsorenHievy
Upcoming Birthdays
avatar (47)hapedDow
avatar (46)komriwat
avatar (38)showercurtains
avatar (49)PeterWhink
avatar (50)neuthrusBub
avatar (30)script6027529171
avatar (46)myhotseeve
avatar (46)Edwinmub
avatar (46)dimaWeami
avatar (41)svoyaEnuct
avatar (39)TranoTymn
avatar (39)MezirLal
avatar (50)listfquoto
avatar (46)dima6sarPrave
avatar (38)Michaelaburi
avatar (46)dpascoal
avatar (51)Ronaldduh
avatar (39)legalgauch
avatar (44)Baihu
avatar (27)RaseinsLikes

[-]
Online Staff
There are no staff members currently online.

>