Threat Spotlight: Gootkit Banking Trojan

Gootkit is a sophisticated banking Trojan which can perform various malicious activities such as: web injection, taking screenshots, video recording, email parsing, and so on. Gootkit emerged during the summer of 2014 but is still active, making it a viable threat to financial institutions to this day.

BlackBerry most recently observed a Gootkit campaign via AZORult infostealer malware in February, March, and April of 2019. Our monitoring revealed the threat actor changed Gootkit hosting domain names constantly and created Gootkit variants almost daily. Its core module contains several JavaScript files and the node.js runtime environment, so as a result, its file size tends to be large. In fact, our analyzed sample was over 6 MB.

This technical blog covers information on the Gootkit/AZOrult campaign and presents the results of our latest analysis. While we found a few dozen Gootkit samples, we focused on the latest samples (a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df). This variant aimed to steal login accounts from users of five French banks.

Technical Analysis

Gootkit via AZORult

In a previous blog on AZORult, BlackBerry examined the protocol used by the malware to communicate with command-and-control (C2) servers. We implemented a custom scanner to monitor the C2 servers and download and parse configuration settings. The scanner caught some Gootkit campaigns via AZORult occurring on the dates below:

1. Feb. 9 2019 - Feb. 11 2019,
2. Feb. 15 2019 - Mar 7 2019.
3. Mar. 12 2019 - Mar 13 2019.
4. Mar. 31 2019 - Apr. 1 2019.

The threat actor generated Gootkit variants almost every day and used a variety of malware hosting domain names. For more detail of the campaign information, see Table 1 and Table 2:

Table 1: Gootkit campaign from ssl[.]admin[.]itybuy[.]it (an AZORult C2 server)

Table 2: Gootkit campaign from triangularty[.]com (an AZORult C2 server)

Loader and Core DLL Module

Gootkit has two modules: the loader and the core DLL module, as shown in Figure 1 below. The loader is used for evasion, persistence, and downloading the core DLL module. Once the loader downloads the core DLL module, Gootkit can perform malicious actions such as:

• Web injection
• Key logging
• Launching VNC server
• Recording video

Figure 1: Two modules of Gootkit: Loader and Core DLL Module

Evasion

Gootkit uses many evasion techniques, including anti-VM (virtual machine), anti-debug, and anti-sandbox. It performs the following evasive activities:

1.    Check loaded DLL files related to Sandbox technology and debugging by detecting the following strings:
          a.    dbghelp.dll (Windows standard debugger’s module)
          b.    sbiedll.dll (software Sandboxie’s module)

2.    Check usernames by detecting the following strings:
          a.    CurrentUser
          b.    Sandbox

3.    Check computer names by detecting the following strings.
          a.    SANDBOX
          b.    7SILVIA

4.    Check registry keys related to the Hardware BIOS information by detecting the strings shown in Table 3:

Table 3: Registry check for evasion

Hardware SystemBiosVersion checking code is shown in Figure 2:

Figure 2: Hardware SystemBiosVersion check for evasion

In addition, the evasive techniques are anti-forensic. Meaningful strings shown in Table 3 are stored in temporary heap memory. At the end of this evasion function, the allocated heap memory is released by using RtlFreeHeap and HeapFree (see Figure 3). The purpose of the evasion is to make memory forensics more difficult to perform:

Figure 3: Erasing meaningful strings with RtlFreeHeap and HeapFree API  

Persistence

Gootkit uses Pending GPO (see Figure 4) to relaunch the malware after reboot. First, it drops an .inf file under the same directory as the Trojan file. The base filename of the INF file is the same as the malware file. For example, if the filename of Gootkit is “igfpers.exe”, the .inf file name is “igfpers.inf”:

Figure 4: An .inf file created by Gootkit

Gootkit then creates three registry values: “Count”, “Path1”, and “Section1” under “HKCU\Software\Microsott\IEAK\GroupPolicy\PendingGPOs” as shown in Figure 5. “Path1” contains the full path of the .inf file and “Section1” refers to a section name (“DefaultInstall”) written in the .inf file:

Figure 5: Registry values for its persistence

Core DLL Module Installation

Gootkit loader launches itself using the “--vwxyz” options. It then downloads an encoded DLL module from the C2 server and injects it into a Gootkit process. The C2 server will not send the DLL module without the appropriate “UserAgent”. Once it receives a valid response from the C2 server, Gootkit splits the encoded DLL module into chunks. Each chunk size is 512,000 bytes (at most) and is saved under “HKCU\Software\AppData\Low\finget_{index number}” (See Figure 6). After reboot, Gootkit loads the data from registry keys and concatenates all chunks into an encoded DLL. This results in the core DLL module becoming fileless:

Figure 6: Registry values for its persistence

The DLL module is decrypted and decompressed by “RTLDecompressBuffer”. Gootkit then allocates a new memory section to the current process and copies it into the allocated memory.

The DLL module contains JavaScript files for performing malicious activity. During our investigation, we found over a hundred embedded JS files. Most of them are innocent (Node.js library). However, some JavaScript files are intended for malicious purposes such as “malware.js”, “spyware.js”, “zeusmask.js”, and so on. Malicious JavaScript codes are responsible for backdoor functions which allow Gootkit to:

• Update the DLL
• Launch VNC server
• Capture keystrokes
• Inject malicious scripts for stealing online banking credentials
• Record video
• Steal email
• Perform other malicious actions

In addition, a JavaScript file is designed to detect VM environments (Figure 7):

Figure 7: VM check

Banking Trojan

The DLL module receives web injection code from its C2 server and tries to steal login accounts from victims who used five French banks. Figure 9 shows a code snippet of web injection script. The threat monitors the victim’s web browser and steals credentials when the French banks are accessed. The link at the bottom of Figure 8 stored a French-bank-specific script:

Figure 8: A web injection script against a French bank

A JavaScript code targeting one French bank was also able to steal PIN numbers.

Cautious users might choose to use a software keyboard to input sensitive information on online banking websites. However, Gootkit displays a fake software keyboard designed to steal user input (and the victim’s PIN number).

Conclusion

This blog covered a Gootkit campaign that spread using AZORult infostealer. During this campaign, attackers constantly changed the hash values of Gootkit and the hosting URLs. Based upon our monitoring, the campaign was active between February and April 2019. The sample we analyzed was aimed at stealing banking information from users of five French banks. Gootkit is still being actively used against victims in EU regions.

If you are using BlackBerry’s endpoint protection solution CylancePROTECT®, you are proactively protected from Gootkit. Blackberry uses artificial intelligence-based agents trained for threat detection on millions of both safe and unsafe files. Our automated security agents block Gootkit based on countless file attributes and malicious behaviors instead of relying on a specific file signature. CylancePROTECT, which offers a predictive advantage over zero-day threats, is trained on and effective against both new and legacy cyberattacks. 

For more information visit https://www.cylance.com and https://www.blackberry.com/us/en.

Appendix

Indicators of Compromise (IOCs)

• Hashes
  o   Gootkit loader:
  • a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df        
  • c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353
  • 5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468
  • d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29
  • e70a9cfd7c9f1a23d00cdc5eba866ea6c80a4a555498f8d0feba58a765b9aa39
  • 729502b7b074e55f1e7d364ae391704376480a28081ca0d7eba4495fca3b1367
  • fcbe6c55b2b092b1d97aa2d8a9ac6f3565b10c47ae7d59b08552d0e2ee11d102
  • 212aeaf6cec0884743c2c3079dab17eb581dc28329be3e023f62c751cd01169f
  • 983b39b339bc62a09c20ea2f1b1360e17bf9431587e2a257ec4f3a62b4489ff4
  • fb05723ac5960a5776d7432429998d4a48a3f7e74761046352c16712208bd983
  • 81a2c4c708c13338ed7aac439aa876c5e1d2116afb23e7cf8a345a05ebd55eed
  • 3974b0985d524dd38a9d040c9eaf880c421411210e0bdd577ac2306f6471a413
  • ab54b89a75ee9d858b734e927ff16aef3d5c8137552c9973864d7eed8aa5e472
  • 9f6881386d0ff9a0cd2bc49da21b999d13e4ebdc858bdad755ee26898c567a3d
  • 6c2d6abc2e130092f414d4f64adeb22dac56e8f802d4250c84db62a563bf99ec
  • 5eb54a536d9b560b79c7113efa5eebcbe21e9aede3f751d14a98b38c829a53b5
  • e67ec7af646f6b9bdfe59e3549f84bd3071c72386de57e9a9a5fe58982dbdd49
  • 6a9b222b7be97ed608bcbef6dc05cff9fb16ae9a31a08e719857cad6146dc8d7
  • 1b052c6d721f4dc36b3e58192ac6c664d43aec8f15fcd2a8f91616f705192ebb
  • 2a1dd210ed71e33e58aadd9157eebb35ad38eb70cb182d244a8f9879f195b930
  • 6b19c0ec581ca24ef2a35d37af523ab2af19740585ad653d98593a057268e01c
  • d01defb4fe8db26ea0151afa1c4e817db1aba1c8464127110f7ef860164ed79a
  • b9440e407b971def1d8a3d19c2da0e81145aad4b29e51602fc11f566e9854537
  • 1d62fec40f14dd0458556f0211529df88d19fe0249d195d6153388610c5525df
  • 879b1f79cbd105ff52ac9a0b01cee4bef921df59e72fb7f5e41db48430ca9a85
     
• Domain names
  o   Gootkit’s C2 server:
  • sillikogermin[.]com
  • feferturietan[.]com
  • manjuorlidnqo[.]com
  • chechelderpos[.]com
  • kalamindridro[.]com
  • avant-garde[.]host
  • kinzhal[.]online
  • servicemanager[.]icu
  • partnerservice[.]xyz
  • Location of web injection script
  • mabanquesecure[.]com
     
• URLs
  o   Location of Gootkit DLL
  • sillikogermin[.]com/rbody32
     
• C2s/IPs
  o   Gootkit delivery URL
  • hxxp://ccleanerhome[.]com/fonts/igfpers[.]exe
  • hxxp://new[.]eltrans53[.]ru/uploads/utf8[.]exe
  • hxxp://startintern[.]terweij[.]nl/wp-admin/repox[.]exe
  • hxxp://kbhookah[.]com/loggers/repost[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/Astart[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/aHdBhBjUhBHm[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/DlKitlMNdktild[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/Atrip[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/remove[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/zip[.]exe
  • hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe
  • hxxp://camdunki[.]com/gx/wipip[.]exe
  • hxxp://camdunki[.]com/gx/Aleto[.]exe
  • hxxp://hairpd[.]com/stat/sputik[.]exe
     
• Persistence
          o   .INI file
                ▪    e.g., C:\Users\USERNAME\Desktop\igfpers.inf
          o   Registry Key
                ▪    HKCU\Software\Microsott\IEAK\GroupPolicy\PendingGPOs
          o   Registry Value / Data
                ▪    Path1 / Path to Gootkit loader
                ▪    Section1 / DefaultInstall (It points to a section in .inf file)
  
  
• Interesting Strings
          o   --vwxyz (An option for new process creation to download Gootkit DLL from its C2 server)