Earlier in May, I reported that GootKit had launched redirection attacks for the first time. The malware prepared for its new modus operandi in the U.K., targeting major banks there with this advanced browsing manipulation attack. I also predicted that this was just a test and that we’re about to see more.

That prediction has come true. GootKit officially expanded the redirection attacks to six major banks in Italy, additionally targeting one of the local digital banking platform providers.

Is It the Pizza?

Why Italy? Although GootKit is mostly focused on the U.K., it is active in Italy, Spain and France as well. The bulk of GootKit attacks actually focus on these few countries, which is also what keeps it relatively limited in its global ranking among the top most active banking Trojan families.

Figure 1: Global ranking of top banking Trojan families, May 2017 (Source: IBM X-Force)

Since it began focusing the redirection scheme toward Italian targets, GootKit has also added quite a few instances of Google Ads application program interfaces (APIs) and Facebook Pixel to the configuration. The scheme here is redirection or injection, which might suggest the malware is abusing these services to inject into legitimate online ads.

When checking into the detection of a recent malware’s dropper, many antivirus engines detected it as the CrossRider adware. This might indicate that current infections are being delivered through malvertising campaigns.

GootKit has been rather consistent in leveraging malvertising via the EITest campaigns to trap users with the RIG exploit kit and infect them through a sleek drive-by download. With that, campaign delivery can change anytime, and past campaigns saw GootKit delivered via email attachments and the Godzilla loader.

After a rather quiet first quarter in 2017, GootKit’s operators kicked into gear in April and have been ramping up campaigns in the second quarter.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Italian Banks Beware

Since this is the first time that banking Trojan redirection attacks have been directed at banks in Italy, banks in the country should prepare and inform themselves about the scheme.

The malware redirection GootKit performs is not just a simplistic redirection from one website to another. It is a sophisticated M.O. used by a number of elite cybergangs like Dridex, TrickBot and GozNym to bypass bank security measures by hijacking the victim to a malicious website they host on their own servers before the victim ever reaches the bank’s site.

To make this happen, malicious websites are prepared in advance to provide a replica of the bank’s website. Thus, victims usually don’t realize they haven’t reached the bank’s true site. On top of the visual effect, the redirection attack is known for presenting the victim with the correct bank URL in the address bar and even the bank’s actual security certificate through a browser manipulation scheme. In fact, GootKit’s scheme is quite similar to the one employed by Dridex.

Overall, the execution of such redirection attacks necessitates the resources and capabilities of organized cybergangs that have developers on the team. This is due to the extra setup required to pull them off, such as the unique site replicas that must be maintained for each target. The redirection technique first surfaced in banking Trojan attacks in 2014, when the Dyre gang launched it against banks in the U.K.

About GootKit

The GootKit malware was first discovered in 2010 as a low-risk backdoor and information stealer, but it has since evolved into a banking Trojan and has been observed in attacks since the summer of 2014. Nowadays, GootKit is considered one of the most advanced banking Trojans active in the wild. It is used in online banking fraud attacks on consumer and business bank accounts, mostly in European countries.

GootKit is an ongoing malware project that implements advanced stealth and persistence alongside real-time, web-based activities such as dynamic webinjections, which it can display directly in the infected machine’s browser. According to X-Force research, GootKit affects the three most popular browsers: Internet Explorer, Mozilla Firefox and Google Chrome.

In terms of its internal makeup, unlike most malware of its grade, GootKit relies very little on leaked source codes from previous generations. Aside from its borrowed Zeus Trojan webinjection mechanism, X-Force research noted that it is a private project that was written in node.js, a rather uncommon choice for malware projects to adopt. This research also indicates GootKit is developed and operated by a small, Russian-speaking cybergang that does not share or sell the source code to others.

The most recent GootKit variant was detected and analyzed by IBM Trusteer researchers in February 2017. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017. GootKit is featured on X-Force Exchange as an ongoing collection featuring technical analysis papers.

Mitigating Redirection Attacks

IBM Security has studied redirection attacks schemes employed by the banking Trojans that use them against bank customers and can help banks and other targeted organizations learn more about this high-risk threat.

Banks should leverage adaptive malware detection tools to protect customer endpoints from fraud and other external threats. These tools should provide real-time insights into cybercriminals’ techniques and capabilities, allowing them to evolve along with the ever-shifting threat landscape.

To prevent Trojan attacks, users should disable ads and avoid sites that are typically used as infection hubs. Other online hygiene best practices include installing the latest operating system updates, updating frequently used applications and deleting those that are seldom used. For more online safety tips, please visit our malware mitigation page.

IBM X-Force examined the following MD5s for this research:

  • Malware Dropper MD5: FC237D440BDD6A637F4A60AA23EAF974
  • Malware Sample MD5: 0C9CEEC0B9F5762363C936D2E87E9165

Read the white paper: Shifting the balance of power with cognitive fraud prevention

More from Banking & Finance

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…

SEC Proposes New Cybersecurity Rules for Financial Services

Proposed new policies from the Securities and Exchange Commission (SEC) could spell changes for how financial services firms handle cybersecurity. On Feb. 9, the SEC voted to propose cybersecurity risk management policies for registered investment advisers, registered investment companies and business development companies (funds). Next, the proposal will go through a public comment period until May 9.  The Importance of Cybersecurity in Finance The 2021 X-Force Threat Index found that financial services were the most targeted industry. Manufacturing beat out…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…