March 20, 2017 By Limor Kessem 2 min read

Discovered in the wild in the summer of 2014, the GootKit banking Trojan is considered to be one of the more advanced banking Trojans active nowadays. It is used in online banking fraud attacks on consumer and business bank accounts mostly in European countries.

GootKit is an ongoing malware project that implements advanced stealth and persistency alongside real-time web-based activities such as dynamic webinjections, which it can display directly in the infected machine’s browser. GootKit affects the three most popular browsers: Internet Explorer, Mozilla Firefox and Google Chrome.

According to IBM X-Force research, GootKit is developed and operated by a small Russian-speaking cyber gang who does not share or sell the source code to others. Additionally, the malware keeps improving the anti-research techniques it uses to protect its internal secrets from prying research’s eyes.

In terms of its internal makeup, unlike most malware of its grade, GootKit relies very little on leaked source codes from previous generations. Aside from its borrowed Zeus Trojan webinjection mechanism, it is a private project that was written in node.js — a rather uncommon programming language choice for any malware to adopt.

Recent studies of this malcode conducted by IBM X-Force Research have shown that this family of malware is usually equipped with advanced mechanisms to detect virtual machines and well-known sandboxes. These are intended to stop the malware from running in those test environments.

GootKit’s security evasion begins in its stealth loader, and this is the component researchers Maksim Shudrak and Cindy Eisner of IBM Research — Haifa have analyzed in depth. Their research results are brought to you in a dedicated paper you can download directly on IBM’s X-Force Exchange. Please access the collection and check the sidebar on the right of your screen for the attached PDF.

Learn More About GootKit With the IBM X-Force Exchange

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today