While going over some recent GootKit configurations, I came across an unfamiliar URL format that includes two URLs instead of one. It only takes a fraction of a second to understand: GootKit has launched redirection attacks — a more advanced way to manipulate online banking sessions than the typical webinjection attacks its operators had used up until now.
Much like some of its counterparts in other organized cybercrime gangs — namely, Dridex, GozNym and TrickBot — GootKit joins the ranks of malware that hijacks infected victims to a fake website to trick them into a simulated online banking session. Only this one is completely fraudulent.
Launched in the UK
GootKit’s first targets in this new redirection scheme were the business banking web applications of four major banks in the U.K.
Some coincidence it is that most of these gangs kick off redirection attacks in the U.K. When this modus operandi first surfaced with Dyre in 2014, it was launched in the U.K. The same geography was the launch zone when Dridex first used redirection attacks. The latest addition to that bunch was TrickBot, whose operators also selected the U.K. as the first destination for the redirection attacks they devised. The only other Trojan that uses redirection attacks is GozNym. In this case, it was an exception, since it launched redirection attacks in Poland.
Unsurprisingly, all of the above are believed to be operated by organized cybercrime gangs focused on targeting business banking, which is an umbrella term for anything from corporate banking to treasury, wealth management and investment banking accounts.
What’s Different About Redirection Attacks?
When it comes to online banking fraud, most Trojans use webinjection attacks to control and modify what infected users can see on their screens when they access their online banking accounts. Injections enable criminals to socially engineer victims in real time to gain access to their bank accounts or influence them to unknowingly approve a fraudulent transaction. To start working at the right time, cybercriminals trigger the injections into action as soon as a victim browses to a specific URL.
Webinjections have been in widespread use by cybercriminals for well over a decade. They have their strong suits, but they also have weaknesses, like being written directly into the malware’s configuration file, which typically receives attention from security researchers who eventually unveil them. Fitting with the age-old cat-and-mouse metaphor, redirection attacks are indicative of cybercriminals migrating to a more elaborate manipulation scheme.
More than just adding target URLs to the configuration or injecting the bank’s page with foreign malicious content, redirection is considered an advanced method to manipulate what victims see on their browsers. This too is triggered by access to a specific URL the criminal predetermines, but instead of injecting the page, the actor hijacks the victim to an entirely different page hosted directly on rogue servers.
The page victims are seeing at that point was prepared in advance to look exactly like their bank’s login page. In the background, the criminals keep a live connection to the bank’s legitimate site to present trust-building elements on their fake page. They present users with the correct URL and even the genuine Transport Layer Security (TLS) certificate. Victims can’t tell they are on a fake site and may be lured into logging in. If the login is successful, the attack continues. In most cases, the next stage is made up of webinjections. Only this time, they are not written into the malware’s configuration file but pulled from the rogue server in real time, concealed from any prying eyes.
This crafty M.O. is used to bypass bank security measures by hijacking victims to a malicious website before they ever reach the bank’s site. By keeping victims away from the legitimate site, fraudsters can deceive them into divulging critical authentication elements on the replica site without the bank knowing or discovering the flow of events on the fake site. Redirection attacks are most often identified with the resources and capabilities of organized cybergangs with in-house developers because of the extra setup required to maintain unique site replicas for each target.
This is the first time I’ve seen GootKit using a redirection scheme. The malware’s redirection M.O. is similar to Dridex. IBM X-Force researchers are watching out for an expansion of GootKit redirection schemes to other brands and geographies; the malware is known to operate in the U.K., France, Spain and Italy.
Discovered in the summer of 2014, GootKit is generally considered one of the more advanced banking Trojans active in the wild. This crimeware is an ongoing project that implements advanced stealth and persistence features alongside real-time, web-based activities such as dynamic webinjections and, now, redirection attacks.
X-Force researchers detected and analyzed an upgraded GootKit variant in February 2017 and revealed details about the malware’s setup of a web traffic proxy on victims’ endpoints. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017.
This X-Force research led us to suspect that GootKit is developed and operated by a small, Russian-speaking cybergang who keeps the code private. The group typically launches limited-sized campaigns in a small number of European countries. In recent infection campaigns delivering GootKit as a payload, the malware was associated with the RIG exploit kit and malvertising sprees known as the EITest campaign.
GootKit’s overall prevalence in the wild is rather limited compared to other malware of its class. This is due to its operators keeping campaigns focused on a small number of countries.
Sample MD5 Hash
This post was written after analysis of a GootKit sample with MD5 hash: