Earlier in May, I reported that GootKit had launched redirection attacks for the first time. The malware prepared for its new modus operandi in the U.K., targeting major banks there with this advanced browsing manipulation attack. I also predicted that this was just a test and that we’re about to see more.

That prediction has come true. GootKit officially expanded the redirection attacks to six major banks in Italy, additionally targeting one of the local digital banking platform providers.

Is It the Pizza?

Why Italy? Although GootKit is mostly focused on the U.K., it is active in Italy, Spain and France as well. The bulk of GootKit attacks actually focus on these few countries, which is also what keeps it relatively limited in its global ranking among the top most active banking Trojan families.

Figure 1: Global ranking of top banking Trojan families, May 2017 (Source: IBM X-Force)

Since it began focusing the redirection scheme toward Italian targets, GootKit has also added quite a few instances of Google Ads application program interfaces (APIs) and Facebook Pixel to the configuration. The scheme here is redirection or injection, which might suggest the malware is abusing these services to inject into legitimate online ads.

When checking into the detection of a recent malware’s dropper, many antivirus engines detected it as the CrossRider adware. This might indicate that current infections are being delivered through malvertising campaigns.

GootKit has been rather consistent in leveraging malvertising via the EITest campaigns to trap users with the RIG exploit kit and infect them through a sleek drive-by download. With that, campaign delivery can change anytime, and past campaigns saw GootKit delivered via email attachments and the Godzilla loader.

After a rather quiet first quarter in 2017, GootKit’s operators kicked into gear in April and have been ramping up campaigns in the second quarter.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Italian Banks Beware

Since this is the first time that banking Trojan redirection attacks have been directed at banks in Italy, banks in the country should prepare and inform themselves about the scheme.

The malware redirection GootKit performs is not just a simplistic redirection from one website to another. It is a sophisticated M.O. used by a number of elite cybergangs like Dridex, TrickBot and GozNym to bypass bank security measures by hijacking the victim to a malicious website they host on their own servers before the victim ever reaches the bank’s site.

To make this happen, malicious websites are prepared in advance to provide a replica of the bank’s website. Thus, victims usually don’t realize they haven’t reached the bank’s true site. On top of the visual effect, the redirection attack is known for presenting the victim with the correct bank URL in the address bar and even the bank’s actual security certificate through a browser manipulation scheme. In fact, GootKit’s scheme is quite similar to the one employed by Dridex.

Overall, the execution of such redirection attacks necessitates the resources and capabilities of organized cybergangs that have developers on the team. This is due to the extra setup required to pull them off, such as the unique site replicas that must be maintained for each target. The redirection technique first surfaced in banking Trojan attacks in 2014, when the Dyre gang launched it against banks in the U.K.

About GootKit

The GootKit malware was first discovered in 2010 as a low-risk backdoor and information stealer, but it has since evolved into a banking Trojan and has been observed in attacks since the summer of 2014. Nowadays, GootKit is considered one of the most advanced banking Trojans active in the wild. It is used in online banking fraud attacks on consumer and business bank accounts, mostly in European countries.

GootKit is an ongoing malware project that implements advanced stealth and persistence alongside real-time, web-based activities such as dynamic webinjections, which it can display directly in the infected machine’s browser. According to X-Force research, GootKit affects the three most popular browsers: Internet Explorer, Mozilla Firefox and Google Chrome.

In terms of its internal makeup, unlike most malware of its grade, GootKit relies very little on leaked source codes from previous generations. Aside from its borrowed Zeus Trojan webinjection mechanism, X-Force research noted that it is a private project that was written in node.js, a rather uncommon choice for malware projects to adopt. This research also indicates GootKit is developed and operated by a small, Russian-speaking cybergang that does not share or sell the source code to others.

The most recent GootKit variant was detected and analyzed by IBM Trusteer researchers in February 2017. IBM Haifa Labs released a paper providing a technical view of GootKit’s stealth mechanisms in March 2017. GootKit is featured on X-Force Exchange as an ongoing collection featuring technical analysis papers.

Mitigating Redirection Attacks

IBM Security has studied redirection attacks schemes employed by the banking Trojans that use them against bank customers and can help banks and other targeted organizations learn more about this high-risk threat.

Banks should leverage adaptive malware detection tools to protect customer endpoints from fraud and other external threats. These tools should provide real-time insights into cybercriminals’ techniques and capabilities, allowing them to evolve along with the ever-shifting threat landscape.

To prevent Trojan attacks, users should disable ads and avoid sites that are typically used as infection hubs. Other online hygiene best practices include installing the latest operating system updates, updating frequently used applications and deleting those that are seldom used. For more online safety tips, please visit our malware mitigation page.

IBM X-Force examined the following MD5s for this research:

  • Malware Dropper MD5: FC237D440BDD6A637F4A60AA23EAF974
  • Malware Sample MD5: 0C9CEEC0B9F5762363C936D2E87E9165

Read the white paper: Shifting the balance of power with cognitive fraud prevention

More from Banking & Finance

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…