While going over some recent GootKit configurations, I came across an unfamiliar URL format that includes two URLs instead of one. It only takes a fraction of a second to understand: GootKit has launched redirection attacks — a more advanced way to manipulate online banking sessions than the typical webinjection attacks its operators had used up until now.

Much like some of its counterparts in other organized cybercrime gangs — namely, Dridex, GozNym and TrickBot — GootKit joins the ranks of malware that hijacks infected victims to a fake website to trick them into a simulated online banking session. Only this one is completely fraudulent.

Launched in the UK

GootKit’s first targets in this new redirection scheme were the business banking web applications of four major banks in the U.K.

Some coincidence it is that most of these gangs kick off redirection attacks in the U.K. When this modus operandi first surfaced with Dyre in 2014, it was launched in the U.K. The same geography was the launch zone when Dridex first used redirection attacks. The latest addition to that bunch was TrickBot, whose operators also selected the U.K. as the first destination for the redirection attacks they devised. The only other Trojan that uses redirection attacks is GozNym. In this case, it was an exception, since it launched redirection attacks in Poland.

Unsurprisingly, all of the above are believed to be operated by organized cybercrime gangs focused on targeting business banking, which is an umbrella term for anything from corporate banking to treasury, wealth management and investment banking accounts.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

What’s Different About Redirection Attacks?

When it comes to online banking fraud, most Trojans use webinjection attacks to control and modify what infected users can see on their screens when they access their online banking accounts. Injections enable criminals to socially engineer victims in real time to gain access to their bank accounts or influence them to unknowingly approve a fraudulent transaction. To start working at the right time, cybercriminals trigger the injections into action as soon as a victim browses to a specific URL.

Webinjections have been in widespread use by cybercriminals for well over a decade. They have their strong suits, but they also have weaknesses, like being written directly into the malware’s configuration file, which typically receives attention from security researchers who eventually unveil them. Fitting with the age-old cat-and-mouse metaphor, redirection attacks are indicative of cybercriminals migrating to a more elaborate manipulation scheme.

More than just adding target URLs to the configuration or injecting the bank’s page with foreign malicious content, redirection is considered an advanced method to manipulate what victims see on their browsers. This too is triggered by access to a specific URL the criminal predetermines, but instead of injecting the page, the actor hijacks the victim to an entirely different page hosted directly on rogue servers.

The page victims are seeing at that point was prepared in advance to look exactly like their bank’s login page. In the background, the criminals keep a live connection to the bank’s legitimate site to present trust-building elements on their fake page. They present users with the correct URL and even the genuine Transport Layer Security (TLS) certificate. Victims can’t tell they are on a fake site and may be lured into logging in. If the login is successful, the attack continues. In most cases, the next stage is made up of webinjections. Only this time, they are not written into the malware’s configuration file but pulled from the rogue server in real time, concealed from any prying eyes.

This crafty M.O. is used to bypass bank security measures by hijacking victims to a malicious website before they ever reach the bank’s site. By keeping victims away from the legitimate site, fraudsters can deceive them into divulging critical authentication elements on the replica site without the bank knowing or discovering the flow of events on the fake site. Redirection attacks are most often identified with the resources and capabilities of organized cybergangs with in-house developers because of the extra setup required to maintain unique site replicas for each target.

This is the first time I’ve seen GootKit using a redirection scheme. The malware’s redirection M.O. is similar to Dridex. IBM X-Force researchers are watching out for an expansion of GootKit redirection schemes to other brands and geographies; the malware is known to operate in the U.K., France, Spain and Italy.

About GootKit

Discovered in the summer of 2014, GootKit is generally considered one of the more advanced banking Trojans active in the wild. This crimeware is an ongoing project that implements advanced stealth and persistence features alongside real-time, web-based activities such as dynamic webinjections and, now, redirection attacks.

X-Force researchers detected and analyzed an upgraded GootKit variant in February 2017 and revealed details about the malware’s setup of a web traffic proxy on victims’ endpoints. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017.

This X-Force research led us to suspect that GootKit is developed and operated by a small, Russian-speaking cybergang who keeps the code private. The group typically launches limited-sized campaigns in a small number of European countries. In recent infection campaigns delivering GootKit as a payload, the malware was associated with the RIG exploit kit and malvertising sprees known as the EITest campaign.

GootKit’s overall prevalence in the wild is rather limited compared to other malware of its class. This is due to its operators keeping campaigns focused on a small number of countries.

Sample MD5 Hash

This post was written after analysis of a GootKit sample with MD5 hash:

ddf408ce7c4b5df1a57a3ca45197f18e.

Learn More About GootKit on the IBM X-Force Exchange

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read