While going over some recent GootKit configurations, I came across an unfamiliar URL format that includes two URLs instead of one. It only takes a fraction of a second to understand: GootKit has launched redirection attacks — a more advanced way to manipulate online banking sessions than the typical webinjection attacks its operators had used up until now.

Much like some of its counterparts in other organized cybercrime gangs — namely, Dridex, GozNym and TrickBot — GootKit joins the ranks of malware that hijacks infected victims to a fake website that simulates an online banking session. Only this session is completely fraudulent.

Launched in the UK

GootKit’s first targets in this new redirection scheme were the business banking web applications of four major banks in the U.K.

Some coincidence it is that most of these gangs kick off redirection attacks in the U.K. When this modus operandi first surfaced with Dyre in 2014, it was launched in the U.K. The same geography was the launch zone when Dridex first used redirection attacks. The latest addition to that bunch was TrickBot, whose operators also selected the U.K. as the first destination for the redirection attacks they devised. The only other Trojan that uses redirection attacks is GozNym. In this case, it was an exception, since it launched redirection attacks in Poland.

Unsurprisingly, all of the above are believed to be operated by organized cybercrime gangs focused on targeting business banking, which is an umbrella term for anything from corporate banking to treasury, wealth management and investment banking accounts.


What’s Different About Redirection Attacks?

When it comes to online banking fraud, most Trojans use webinjection attacks to control and modify what infected users see on their screens when they access their online banking accounts. Injections enable criminals to socially engineer victims in real time to gain access to their bank accounts or influence them to unknowingly approve a fraudulent transaction. So that the injections fire at the right moment, cybercriminals trigger them as soon as a victim browses to a specific URL.

Webinjections have been in widespread use by cybercriminals for well over a decade. They have their strong suits, but they also have weaknesses: they are written directly into the malware’s configuration file, which typically draws the attention of security researchers who eventually unveil them. Fitting with the age-old cat-and-mouse metaphor, redirection attacks indicate that cybercriminals are migrating to a more elaborate manipulation scheme.

More than just adding target URLs to the configuration or injecting the bank’s page with foreign malicious content, redirection is considered an advanced method to manipulate what victims see on their browsers. This too is triggered by access to a specific URL the criminal predetermines, but instead of injecting the page, the actor hijacks the victim to an entirely different page hosted directly on rogue servers.

The page victims are seeing at that point was prepared in advance to look exactly like their bank’s login page. In the background, the criminals keep a live connection to the bank’s legitimate site to present trust-building elements on their fake page. They present users with the correct URL and even the genuine Transport Layer Security (TLS) certificate. Victims can’t tell they are on a fake site and may be lured into logging in. If the login is successful, the attack continues. In most cases, the next stage is made up of webinjections. Only this time, they are not written into the malware’s configuration file but pulled from the rogue server in real time, concealed from any prying eyes.

This crafty M.O. is used to bypass bank security measures by hijacking victims to a malicious website before they ever reach the bank’s site. By keeping victims away from the legitimate site, fraudsters can deceive them into divulging critical authentication elements on the replica site without the bank knowing or discovering the flow of events on the fake site. Redirection attacks are most often identified with the resources and capabilities of organized cybergangs with in-house developers because of the extra setup required to maintain unique site replicas for each target.
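As an added defensive illustration (not code from the original post or from IBM X-Force), the following script applies the detection idea that follows from the mechanism above: the browser still shows the bank's hostname, but the TCP connection terminates somewhere other than the bank's own edge, typically a proxy on the endpoint or a rogue server. The hostname, address ranges and log lines are constructed placeholders, not real bank or GootKit indicators.

```python
"""Flag connections where the requested banking hostname (SNI/Host header)
does not match the destination the endpoint actually connected to."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed reference data: a monitored bank hostname and the address ranges
# its edge legitimately serves from (placeholder documentation ranges). In
# practice this comes from the bank's published ranges or from resolving the
# name via an independent, trusted resolver.
KNOWN_BANK_RANGES: Dict[str, List[str]] = {
    "onlinebanking.example-bank.test": ["203.0.113.0/24"],
}

# Constructed endpoint connection log: <process> <sni_or_host> <dest_ip> <port>
SAMPLE_LOG = """\
chrome.exe onlinebanking.example-bank.test 203.0.113.10 443
chrome.exe onlinebanking.example-bank.test 127.0.0.1 8080
chrome.exe onlinebanking.example-bank.test 198.51.100.7 443
chrome.exe cdn.example-news.test 192.0.2.5 443
"""

def parse_line(line: str) -> dict:
    proc, host, ip, port = line.split()
    return {"process": proc, "host": host, "ip": ip, "port": int(port)}

def classify(entry: dict) -> Optional[str]:
    """Return None for unmonitored hosts, otherwise a verdict string."""
    host = entry["host"]
    if host not in KNOWN_BANK_RANGES:
        return None
    ip = ipaddress.ip_address(entry["ip"])
    for net in KNOWN_BANK_RANGES[host]:
        if ip in ipaddress.ip_network(net):
            return "ok"  # bank name went to the bank's own edge
    if ip.is_loopback:
        return "local-proxy"  # bank name terminated on the endpoint itself
    return "unexpected-destination"  # bank name, but some other server

def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        verdict = classify(e)
        if verdict in ("local-proxy", "unexpected-destination"):
            findings.append((e["host"], e["ip"], verdict))
    return findings

if __name__ == "__main__":
    for host, ip, verdict in find_suspicious(SAMPLE_LOG):
        print("ALERT", host, ip, verdict)
```

Because the rogue server relays the genuine TLS certificate, certificate validation alone will not catch this; the mismatch between the name the user sees and the address actually contacted is the observable.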

This is the first time I’ve seen GootKit using a redirection scheme. The malware’s redirection M.O. is similar to Dridex’s. IBM X-Force researchers are watching for an expansion of GootKit redirection schemes to other brands and geographies; the malware is known to operate in the U.K., France, Spain and Italy.

About GootKit

Discovered in the summer of 2014, GootKit is generally considered one of the more advanced banking Trojans active in the wild. This crimeware is an ongoing project that implements advanced stealth and persistence features alongside real-time, web-based activities such as dynamic webinjections and, now, redirection attacks.

X-Force researchers detected and analyzed an upgraded GootKit variant in February 2017 and revealed details about the malware’s setup of a web traffic proxy on victims’ endpoints. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017.

This X-Force research led us to suspect that GootKit is developed and operated by a small, Russian-speaking cybergang who keeps the code private. The group typically launches limited-sized campaigns in a small number of European countries. In recent infection campaigns delivering GootKit as a payload, the malware was associated with the RIG exploit kit and malvertising sprees known as the EITest campaign.

GootKit’s overall prevalence in the wild is rather limited compared to other malware of its class. This is due to its operators keeping campaigns focused on a small number of countries.

Sample MD5 Hash

This post was written after analysis of a GootKit sample with MD5 hash:

