Earlier in May, I reported that GootKit had launched redirection attacks for the first time. The malware prepared for its new modus operandi in the U.K., targeting major banks there with this advanced browsing manipulation attack. I also predicted that this was just a test and that we’re about to see more.

That prediction has come true. GootKit officially expanded the redirection attacks to six major banks in Italy, additionally targeting one of the local digital banking platform providers.

Is It the Pizza?

Why Italy? Although GootKit is mostly focused on the U.K., it is active in Italy, Spain and France as well. The bulk of GootKit attacks actually focus on these few countries, which is also what keeps it relatively limited in its global ranking among the top most active banking Trojan families.

Figure 1: Global ranking of top banking Trojan families, May 2017 (Source: IBM X-Force)

Since it began focusing the redirection scheme toward Italian targets, GootKit has also added quite a few instances of Google Ads application program interfaces (APIs) and Facebook Pixel to the configuration. The scheme here is redirection or injection, which might suggest the malware is abusing these services to inject into legitimate online ads.

When checking into the detection of a recent malware’s dropper, many antivirus engines detected it as the CrossRider adware. This might indicate that current infections are being delivered through malvertising campaigns.

GootKit has been rather consistent in leveraging malvertising via the EITest campaigns to trap users with the RIG exploit kit and infect them through a sleek drive-by download. With that, campaign delivery can change anytime, and past campaigns saw GootKit delivered via email attachments and the Godzilla loader.

After a rather quiet first quarter in 2017, GootKit’s operators kicked into gear in April and have been ramping up campaigns in the second quarter.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Italian Banks Beware

Since this is the first time that banking Trojan redirection attacks have been directed at banks in Italy, banks in the country should prepare and inform themselves about the scheme.

The malware redirection GootKit performs is not just a simplistic redirection from one website to another. It is a sophisticated M.O. used by a number of elite cybergangs like Dridex, TrickBot and GozNym to bypass bank security measures by hijacking the victim to a malicious website they host on their own servers before the victim ever reaches the bank’s site.

To make this happen, malicious websites are prepared in advance to provide a replica of the bank’s website. Thus, victims usually don’t realize they haven’t reached the bank’s true site. On top of the visual effect, the redirection attack is known for presenting the victim with the correct bank URL in the address bar and even the bank’s actual security certificate through a browser manipulation scheme. In fact, GootKit’s scheme is quite similar to the one employed by Dridex.

Overall, the execution of such redirection attacks necessitates the resources and capabilities of organized cybergangs that have developers on the team. This is due to the extra setup required to pull them off, such as the unique site replicas that must be maintained for each target. The redirection technique first surfaced in banking Trojan attacks in 2014, when the Dyre gang launched it against banks in the U.K.

About GootKit

The GootKit malware was first discovered in 2010 as a low-risk backdoor and information stealer, but it has since evolved into a banking Trojan and has been observed in attacks since the summer of 2014. Nowadays, GootKit is considered one of the most advanced banking Trojans active in the wild. It is used in online banking fraud attacks on consumer and business bank accounts, mostly in European countries.

GootKit is an ongoing malware project that implements advanced stealth and persistence alongside real-time, web-based activities such as dynamic webinjections, which it can display directly in the infected machine’s browser. According to X-Force research, GootKit affects the three most popular browsers: Internet Explorer, Mozilla Firefox and Google Chrome.

In terms of its internal makeup, unlike most malware of its grade, GootKit relies very little on leaked source codes from previous generations. Aside from its borrowed Zeus Trojan webinjection mechanism, X-Force research noted that it is a private project that was written in node.js, a rather uncommon choice for malware projects to adopt. This research also indicates GootKit is developed and operated by a small, Russian-speaking cybergang that does not share or sell the source code to others.

The most recent GootKit variant was detected and analyzed by IBM Trusteer researchers in February 2017. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017. GootKit is featured on X-Force Exchange as an ongoing collection featuring technical analysis papers.

Mitigating Redirection Attacks

IBM Security has studied redirection attacks schemes employed by the banking Trojans that use them against bank customers and can help banks and other targeted organizations learn more about this high-risk threat.

Banks should leverage adaptive malware detection tools to protect customer endpoints from fraud and other external threats. These tools should provide real-time insights into cybercriminals’ techniques and capabilities, allowing them to evolve along with the ever-shifting threat landscape.

To prevent Trojan attacks, users should disable ads and avoid sites that are typically used as infection hubs. Other online hygiene best practices include installing the latest operating system updates, updating frequently used applications and deleting those that are seldom used. For more online safety tips, please visit our malware mitigation page.

IBM X-Force examined the following MD5s for this research:

  • Malware Dropper MD5: FC237D440BDD6A637F4A60AA23EAF974
  • Malware Sample MD5: 0C9CEEC0B9F5762363C936D2E87E9165

Read the white paper: Shifting the balance of power with cognitive fraud prevention

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today