Gootkit is complex multi-stage banking malware that was first discovered by Doctor Web in 2014. Initially it was distributed via spam and exploit kits such as Spelevo and RIG. Alongside the spam campaigns, the operators later switched to compromised websites whose visitors are tricked into downloading the malware.
Gootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and many other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence mechanisms. In 2019, Gootkit stopped operating after it suffered a data leak, but it has been active again since November 2020.
Gootkit's victims are chiefly located in EU countries such as Germany and Italy. In this article we analyze a recent sample of Gootkit.
Gootkit consists of a (down)loader component written in C++ and a main body written in JS and interpreted by Node.js. The main body is a modular framework containing registration, spyware, VMX detection and other modules.
The sample (MD5 97713132e4ea03422d3915bab1c42074) is packed with a custom multi-stage packer that decrypts the final payload step by step. The last stage is shellcode that decrypts the original loader executable and maps it into memory. After mapping, the original entry point is called. Hence we can easily unpack the original executable and analyze it. We see the Gootkit loader with the verdicts listed in the table below.
MD5 SHA-1 Verdict
Most of the strings are encrypted with XOR and decrypted at runtime. No other techniques are used to complicate static analysis.
However, to make dynamic analysis more difficult, the Gootkit loader applies many different methods to detect virtual environments or debuggers. If any of the virtual machine checks succeeds, the loader enters an infinite loop.
Sample name check
Full list of VM detection techniques used by the malware:
Check: prohibited value(s)
CRC32 of sample name: 0xBC136B46, 0xD84A20AC, 0xEED889C4, 0x58636143, 0xC0F26006, 0x8606BEDD, 0xE8CBAB78, 0x2AB6E04A, 0x31E6D1EA
GetModuleHandle: dbghelp.dll, sbiedll.dll
GetUserName: CurrentUser, Sandbox
GetComputerName: SANDBOX, 7SILVIA
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: FTNT1, INTEL - 6040000, SMCI, QEMU, VBOX, BOCHS, AMI, SONI
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: VirtualBox
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId: 55274-640-2673064-23950 (Joe Sandbox), 76487-644-3177037-23510 (CWSandbox), 76487-337-8429955-22614 (Anubis Sandbox)
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString: Xeon
MEMORYSTATUSEX.ullTotalPhys: less than 2100000000 bytes (roughly 2 GB)
UuidCreateSequential (the node part of the UUID is derived from the MAC address, so the returned value reveals the NIC vendor and thus whether the Trojan is running in a sandbox): 0xF01FAF00 (Dell Inc.), 0x505600 (VMware, Inc.), 0x8002700 (PCS Systemtechnik GmbH), 0xC2900 (VMware, Inc.), 0x56900 (VMware, Inc.), 0x3FF00 (Microsoft), 0x1C4200 (Parallels), 0x163E00 (XenSource)
CRC32 of running process names: 0xAEA3ED09, 0x2993125A, 0x3D75A3FF, 0x662D9D39, 0x922DF04, 0xC84F40F0, 0xDCFC6E80
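To make the table above concrete, here is an added example (it is not code from the write-up or from Gootkit) that re-implements the loader's environment checks as a pure function over a dict of host facts, so the decision logic can be exercised offline. All constants are taken from the table; the two host profiles at the bottom are constructed test input, and the dict keys are hypothetical names chosen for the example. One interpretation is added as an assumption: the UuidCreateSequential values are consistent with the NIC vendor's 3-byte OUI packed into the upper three bytes of a DWORD (VMware's 00:50:56 becomes 0x00505600, VirtualBox's 08:00:27 becomes 0x08002700), so that check is reproduced from a MAC address here. The CRC32 checks on the sample and process names are left out because the table lists only the hashes, not the plaintext names they match.

```python
"""Re-implementation of the Gootkit loader's sandbox checks (added example)."""

BAD_USERNAMES = {"CurrentUser", "Sandbox"}
BAD_COMPUTERNAMES = {"SANDBOX", "7SILVIA"}
BAD_BIOS_SUBSTRINGS = ("FTNT1", "INTEL - 6040000", "SMCI", "QEMU", "VBOX", "BOCHS", "AMI", "SONI")
BAD_PRODUCT_IDS = {"55274-640-2673064-23950", "76487-644-3177037-23510", "76487-337-8429955-22614"}
BAD_MODULES = {"dbghelp.dll", "sbiedll.dll"}
MIN_PHYS_BYTES = 2_100_000_000  # anything below this trips the ullTotalPhys check
# Assumption: each value is the 3-byte OUI of the MAC shifted left by 8 bits.
BAD_OUI_KEYS = {
    0xF01FAF00: "Dell Inc.",
    0x505600: "VMware, Inc.",
    0x8002700: "PCS Systemtechnik GmbH",
    0xC2900: "VMware, Inc.",
    0x56900: "VMware, Inc.",
    0x3FF00: "Microsoft",
    0x1C4200: "Parallels",
    0x163E00: "XenSource",
}


def oui_key(mac: str) -> int:
    """Pack the first three octets of a MAC into the DWORD form used in the
    table: '00:50:56:aa:bb:cc' -> 0x505600 (assumed encoding, see lead-in)."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8)


def evaluate_host(facts: dict) -> list[str]:
    """Return the names of the checks that would send the loader into its
    infinite loop on a host described by `facts` (keys are hypothetical)."""
    hits = []
    if facts.get("username") in BAD_USERNAMES:
        hits.append("GetUserName")
    if facts.get("computername") in BAD_COMPUTERNAMES:
        hits.append("GetComputerName")
    if any(s in facts.get("system_bios_version", "") for s in BAD_BIOS_SUBSTRINGS):
        hits.append("SystemBiosVersion")
    if "VirtualBox" in facts.get("video_bios_version", ""):
        hits.append("VideoBiosVersion")
    if facts.get("product_id") in BAD_PRODUCT_IDS:
        hits.append("ProductId")
    if "Xeon" in facts.get("processor_name", ""):
        hits.append("ProcessorNameString")
    if facts.get("total_phys_bytes", MIN_PHYS_BYTES) < MIN_PHYS_BYTES:
        hits.append("ullTotalPhys")
    loaded = {m.lower() for m in facts.get("loaded_modules", ())}
    if loaded & BAD_MODULES:
        hits.append("GetModuleHandle")
    mac = facts.get("mac")
    if mac is not None:
        vendor = BAD_OUI_KEYS.get(oui_key(mac))
        if vendor:
            hits.append(f"UuidCreateSequential ({vendor})")
    return hits


# Constructed host profiles for the example (not real machines).
VIRTUALBOX_SANDBOX = {
    "username": "Sandbox",
    "computername": "WIN-TEST",
    "system_bios_version": "VBOX   - 1",
    "video_bios_version": "Oracle VM VirtualBox Version 6.1",
    "product_id": "00330-80000-00000-AA123",
    "processor_name": "Intel(R) Core(TM) i7",
    "total_phys_bytes": 1_073_741_824,
    "loaded_modules": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    "mac": "08:00:27:4e:66:a1",
}
PHYSICAL_LAPTOP = {
    "username": "jsmith",
    "computername": "LAPTOP-7Q2",
    "system_bios_version": "LENOVO - 1410",
    "video_bios_version": "Intel Video BIOS",
    "product_id": "00330-80000-00000-AA456",
    "processor_name": "Intel(R) Core(TM) i5",
    "total_phys_bytes": 17_179_869_184,
    "loaded_modules": ["ntdll.dll", "kernel32.dll"],
    "mac": "3c:97:0e:12:34:56",
}

if __name__ == "__main__":
    for name, facts in (("sandbox", VIRTUALBOX_SANDBOX), ("laptop", PHYSICAL_LAPTOP)):
        print(name, "->", evaluate_host(facts) or "no check tripped")
```

Running it shows the sandbox profile tripping six of the checks while the laptop profile trips none; when building an analysis VM for this family, every item on that list (username, BIOS strings, RAM size, NIC OUI, Sandboxie DLL) has to be changed, since a single hit is enough to stall the loader.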
When the sample starts, it checks the command line arguments. The available arguments are set out below:
Argument: description
-client: no handler
-server: no handler
-reinstall: iterate over the running processes and kill every process whose PID differs from the current PID and whose name equals the current file name. After that, copy self and run the copy via CreateProcessW
-service: set the environment variable USERNAME_REQUIRED=TRUE
-test: stop executing
-vwxyz: download the main body from the C&C
After the command line arguments are handled, the sample checks whether it is running inside a virtual machine or being debugged. If not, it decrypts the configuration and starts four threads.
Thread start routine
The first thread that is started tries to download a loader update from
CRC32: browser name
0xC84F40F0: Chrome
0x662D9D39: Firefox
0x922DF04: Internet Explorer
0x2993125A: Microsoft Edge (MicrosoftEdgeCP.exe)
0x3D75A3FF: Opera
0xDCFC6E80: Safari
0xEB71057E: unknown
The injected code is called from the main body's web-injection and traffic-sniffing routines to perform a man-in-the-browser attack. To do so, the code patches the standard browser functions responsible for certificate validation so that self-signed certificates are accepted. As a result, the attackers are able to inject custom JS code and modify or redirect traffic.
Persistence_service
If the sample is running under the LOCAL_SYSTEM account, the Gootkit persistence mechanism abuses the Pending GPO Windows feature. A user who modifies the Pending GPO registry values has to specify the following parameters:
Count: 0x1
Path1: location of the .inf file
Section1: DefaultInstall
INF file content
Now explorer.exe will load the Group Policy Objects (GPO) whenever it is started. Gootkit creates a pending GPO for the Internet Explorer Administration Kit (IEAK) that points directly at the INF file. When explorer.exe is loaded at runtime, it executes the [DefaultInstall] section of the created file, which runs the Gootkit executable.
If the sample is running under another account, it creates a service with a random name chosen from %SystemRoot%, copies itself into the %SystemRoot% folder under the selected name and deletes itself from disk.
Stop_switch
The thread looks for a file named uqjckeguhl.tmp in the \AppData\Local\Temp and \Local Settings\Temp folders. When the file is found, the malware stops.
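As an added triage helper (not code from the write-up or from Gootkit), the following follows the persistence chain described above from the defender's side: it takes the Count/Path1/Section1 values of a pending GPO entry, reads the INF they point at, and returns the commands that explorer.exe would end up executing. Two assumptions are not stated in the write-up: the INF is taken to be in advpack style, where [DefaultInstall] refers to command sections through the RunPreSetupCommands and RunPostSetupCommands keys (both are real advpack directives, but the write-up shows the INF content only as an image), and the sample INF, its executable path and the registry values are constructed for the example.

```python
"""Resolve the commands a pending-GPO INF would run (added example)."""
import re

# advpack directives that point [DefaultInstall] at a section of commands
RUN_KEYS = ("runpresetupcommands", "runpostsetupcommands")


def parse_inf(text: str) -> dict[str, list[str]]:
    """Split INF text into {section_name_lower: [non-empty, comment-stripped lines]}."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def install_commands(inf_text: str, section: str = "DefaultInstall") -> list[str]:
    """Commands reachable from `section` via Run{Pre,Post}SetupCommands."""
    sections = parse_inf(inf_text)
    commands: list[str] = []
    for entry in sections.get(section.lower(), []):
        key, _, value = entry.partition("=")
        if key.strip().lower() in RUN_KEYS:
            for ref in value.split(","):  # value names one or more sections
                commands.extend(sections.get(ref.strip().lower(), []))
    return commands


def pending_gpo_commands(values: dict, read_inf) -> list[str]:
    """`values` mirrors the Count/PathN/SectionN registry values described in
    the text; `read_inf` maps a path to INF text (injected so this runs offline)."""
    commands: list[str] = []
    for i in range(1, int(values.get("Count", 0)) + 1):
        path = str(values.get(f"Path{i}", ""))
        section = str(values.get(f"Section{i}", "DefaultInstall"))
        if path.lower().endswith(".inf"):
            commands.extend(install_commands(read_inf(path), section))
    return commands


# Constructed sample: the shape the text describes, with a hypothetical
# payload path and a hypothetical INF location.
SAMPLE_INF = r"""[Version]
Signature="$CHICAGO$"
AdvancedINF=2.5

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection ; executed by advpack

[RunPreSetupCommandsSection]
C:\Windows\qwertyuiop.exe -service
"""
SAMPLE_GPO_VALUES = {"Count": 1, "Path1": r"C:\Windows\Temp\qwerty.inf", "Section1": "DefaultInstall"}

if __name__ == "__main__":
    for cmd in pending_gpo_commands(SAMPLE_GPO_VALUES, lambda path: SAMPLE_INF):
        print("pending GPO would run:", cmd)
```

On a live host the `read_inf` callback would open the path from the registry value; anything returned here that is not a known IEAK component is worth a look, since legitimate pending GPO entries do not normally run executables out of %SystemRoot% with a custom argument.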
Main body download
Before downloading the main body from the C&C, the loader tries to find registry keys with the following format: HKCU\Software\AppDataLow\
Each key contains a chunk of at most 512,000 bytes (500 KB) of encrypted data. If the aforementioned keys are found, their contents are saved into a newly allocated buffer (used for decryption and decompression). The buffer is then decrypted with the same function that decrypts the configuration, after which the buffer is decompressed.
After the unpacking routine, the loader downloads the main body from the C&C, calculates its CRC32 and compares it with the CRC of the registry payload (if one exists). If the CRCs differ, the loader executes the newer version downloaded from the C&C. The C&C server will not send the DLL module without the appropriate User-Agent header, which is hardcoded into the sample. The current hardcoded value is: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0.
Information about the embedded modules is presented in an array of file structures with the following fields: BYTE* name_pointer, BYTE* encrypted_data, DWORD data_size, DWORD encr_flag. These structures are used by the decryption routine, which reads data_size bytes starting from encrypted_data, decrypts them if encr_flag is set and writes the result into a file named *name_pointer. The decryption routine iterates over all entries in the file information array. Then execution is transferred to the Node.js interpreter.
File information array
Malware.js initializes the global bot variables, collects saved cookies (IE, Firefox, Chromium) and iterates over a list of servers to find an available C&C.
When the malware finds a C&C server, it enters an infinite loop that listens for various internal malware events (some routines, such as cookie collection, start on bot startup without a C&C request) and sends the collected data to the C&C in specially formatted packets. The malware also listens for C&C commands and invokes the appropriate handler for each command. To communicate with the modules, the malware uses the following packet types:
Internal name: description
SLAVE_PACKET_API_TAKESCREEN: send screenshot to C&C
SLAVE_PACKET_MAIL: send received email info
SLAVE_PACKET_LOGLINE: send log
SLAVE_PACKET_LSAAUTH: send authentication credentials
SLAVE_PACKET_PAGE_FRAGMENT: send web-inject data
SLAVE_PACKET_FORM: send grabbed form data
SLAVE_PACKET_LOCAL_VARS: send local bot variables
SLAVE_PACKET_SECDEVICELOG: send secure device event log
SLAVE_PACKET_KEYLOG: send keylogger data
SLAVE_PACKET_WINSPYLOG: send current active window
There are six types of internal event handlers and corresponding packet formats.
The general packet structure is as follows:
Length+8 (4 bytes) | Packet magic (0xEDB88320 XOR (length+8)) | Packet data (different for each packet type, serialized using protobuf) | Packet magic
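The framing above is simple enough to reproduce exactly. The following is an added example (not code from the write-up or from the malware): an encoder and a strict decoder for that layout, plus a scanner that carves such frames out of an arbitrary byte stream, which goes beyond what the write-up shows but is the natural way to pull Gootkit packets out of captured C&C traffic. Two assumptions are made: the two 4-byte fields are little-endian, and the protobuf body is treated as opaque bytes (the sample body in the demo is constructed and not a real Gootkit message).

```python
"""Gootkit-style packet framing: build, parse and carve (added example)."""
import struct

PACKET_MAGIC = 0xEDB88320  # the same constant as the reflected CRC-32 polynomial
HEADER = struct.Struct("<II")  # (length+8, magic); little-endian assumed
TRAILER = struct.Struct("<I")  # the magic is repeated after the data


def build_packet(data: bytes) -> bytes:
    """length+8 | magic ^ (length+8) | data | magic ^ (length+8)"""
    total = len(data) + 8
    magic = PACKET_MAGIC ^ total
    return HEADER.pack(total, magic) + data + TRAILER.pack(magic)


def parse_packet(buf: bytes, offset: int = 0):
    """Return (payload, end_offset) for a frame starting at `offset`, or None
    if the bytes there do not satisfy all three framing invariants."""
    if len(buf) - offset < HEADER.size + TRAILER.size:
        return None
    total, magic = HEADER.unpack_from(buf, offset)
    if total < 8 or magic != (PACKET_MAGIC ^ total):
        return None  # header magic must be the XOR of the length field
    end = offset + 4 + total  # 4-byte length field + (magic + data + magic)
    if end > len(buf):
        return None  # truncated frame
    (trailer,) = TRAILER.unpack_from(buf, end - TRAILER.size)
    if trailer != magic:
        return None  # trailer must repeat the header magic
    return buf[offset + HEADER.size:end - TRAILER.size], end


def find_packets(stream: bytes) -> list[tuple[int, bytes]]:
    """Slide through `stream` and return (offset, payload) for every frame whose
    length, header magic and trailer all agree. Because the 32-bit magic is
    tied to the length field, a chance match in unrelated data is unlikely."""
    found = []
    i = 0
    while i + HEADER.size + TRAILER.size <= len(stream):
        parsed = parse_packet(stream, i)
        if parsed is None:
            i += 1
            continue
        payload, end = parsed
        found.append((i, payload))
        i = end  # do not re-scan inside a frame we already accepted
    return found


if __name__ == "__main__":
    # Constructed stream: junk, a frame with a made-up protobuf-looking body,
    # three stray bytes, then an empty frame.
    frame = build_packet(b"\x0a\x05hello")
    stream = b"\x00garbage" + frame + b"\xff\xff\xff" + build_packet(b"")
    for off, payload in find_packets(stream):
        print(f"frame at offset {off}: {payload!r}")
```

The magic check is what makes this usable as a detection heuristic on raw captures: for a frame carrying five bytes the length field is 0x0000000D and both magic words must be 0xEDB8832D, so a rule that tests `dword[4] == dword[0] ^ 0xEDB88320` over a TCP payload flags the framing without needing to decode the protobuf body.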
Packet generation routine
Kaspersky products detect this family as Trojan-Downloader.Win32.Injecter, HEUR:Trojan.Win32.Generic, Trojan-Downloader.Win32.Gootkit and Trojan-Banker.Win32.Gootkit. More detailed information, IoCs, MITRE ATT&CK Framework data, Yara rules and hashes related to this threat are available to users of our Financial Threat Intelligence services. To learn more about threat hunting and malware analysis, check out the expert training by Kaspersky's GReAT.
Indicators of compromise
Main body (unchanged since 2019): 20279d99ee402186d1e3a16d6ab9398