Earlier in May, I reported that GootKit had launched redirection attacks for the first time. The malware prepared for its new modus operandi in the U.K., targeting major banks there with this advanced browsing manipulation attack. I also predicted that this was just a test and that we’re about to see more.
That prediction has come true. GootKit officially expanded the redirection attacks to six major banks in Italy, additionally targeting one of the local digital banking platform providers.
Is It the Pizza?
Why Italy? Although GootKit is mostly focused on the U.K., it is active in Italy, Spain and France as well. The bulk of GootKit attacks actually focus on these few countries, which is also what keeps it relatively limited in its global ranking among the top most active banking Trojan families.
Figure 1: Global ranking of top banking Trojan families, May 2017 (Source: IBM X-Force)
Since it began focusing the redirection scheme toward Italian targets, GootKit has also added quite a few instances of Google Ads application program interfaces (APIs) and Facebook Pixel to the configuration. The scheme here is redirection or injection, which might suggest the malware is abusing these services to inject into legitimate online ads.
When checking into the detection of a recent malware’s dropper, many antivirus engines detected it as the CrossRider adware. This might indicate that current infections are being delivered through malvertising campaigns.
GootKit has been rather consistent in leveraging malvertising via the EITest campaigns to trap users with the RIG exploit kit and infect them through a sleek drive-by download. With that, campaign delivery can change anytime, and past campaigns saw GootKit delivered via email attachments and the Godzilla loader.
After a rather quiet first quarter in 2017, GootKit’s operators kicked into gear in April and have been ramping up campaigns in the second quarter.
Italian Banks Beware
Since this is the first time that banking Trojan redirection attacks have been directed at banks in Italy, banks in the country should prepare and inform themselves about the scheme.
The malware redirection GootKit performs is not just a simplistic redirection from one website to another. It is a sophisticated M.O. used by a number of elite cybergangs like Dridex, TrickBot and GozNym to bypass bank security measures by hijacking the victim to a malicious website they host on their own servers before the victim ever reaches the bank’s site.
To make this happen, malicious websites are prepared in advance to provide a replica of the bank’s website. Thus, victims usually don’t realize they haven’t reached the bank’s true site. On top of the visual effect, the redirection attack is known for presenting the victim with the correct bank URL in the address bar and even the bank’s actual security certificate through a browser manipulation scheme. In fact, GootKit’s scheme is quite similar to the one employed by Dridex.
Overall, the execution of such redirection attacks necessitates the resources and capabilities of organized cybergangs that have developers on the team. This is due to the extra setup required to pull them off, such as the unique site replicas that must be maintained for each target. The redirection technique first surfaced in banking Trojan attacks in 2014, when the Dyre gang launched it against banks in the U.K.
The GootKit malware was first discovered in 2010 as a low-risk backdoor and information stealer, but it has since evolved into a banking Trojan and has been observed in attacks since the summer of 2014. Nowadays, GootKit is considered one of the most advanced banking Trojans active in the wild. It is used in online banking fraud attacks on consumer and business bank accounts, mostly in European countries.
GootKit is an ongoing malware project that implements advanced stealth and persistence alongside real-time, web-based activities such as dynamic webinjections, which it can display directly in the infected machine’s browser. According to X-Force research, GootKit affects the three most popular browsers: Internet Explorer, Mozilla Firefox and Google Chrome.
In terms of its internal makeup, unlike most malware of its grade, GootKit relies very little on leaked source codes from previous generations. Aside from its borrowed Zeus Trojan webinjection mechanism, X-Force research noted that it is a private project that was written in node.js, a rather uncommon choice for malware projects to adopt. This research also indicates GootKit is developed and operated by a small, Russian-speaking cybergang that does not share or sell the source code to others.
The most recent GootKit variant was detected and analyzed by IBM Trusteer researchers in February 2017. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017. GootKit is featured on X-Force Exchange as an ongoing collection featuring technical analysis papers.
Mitigating Redirection Attacks
IBM Security has studied redirection attacks schemes employed by the banking Trojans that use them against bank customers and can help banks and other targeted organizations learn more about this high-risk threat.
Banks should leverage adaptive malware detection tools to protect customer endpoints from fraud and other external threats. These tools should provide real-time insights into cybercriminals’ techniques and capabilities, allowing them to evolve along with the ever-shifting threat landscape.
To prevent Trojan attacks, users should disable ads and avoid sites that are typically used as infection hubs. Other online hygiene best practices include installing the latest operating system updates, updating frequently used applications and deleting those that are seldom used. For more online safety tips, please visit our malware mitigation page.
IBM X-Force examined the following MD5s for this research:
- Malware Dropper MD5: FC237D440BDD6A637F4A60AA23EAF974
- Malware Sample MD5: 0C9CEEC0B9F5762363C936D2E87E9165