GootKit Trojan Targets Banks With Redirection Attacks

The GootKit banking malware has joined the growing band of advanced financial trojans that have migrated from web-injections to redirection attacks. Others include Dridex, GozNym and TrickBot.

The majority of banking malware still uses web injection to trick victims into disclosing their credentials and to steal their funds. The malware modifies the bank's genuine page as it is rendered in the victim's browser, adding fields or messages that appear to come from the bank. The technique has weaknesses: the victim is still on the bank's own site, so the bank's fraud and session-security controls see the session, and the injected content, which is pulled from the malware's configuration file, can be detected by security controls on the endpoint.

Redirection is considered more sophisticated and more dangerous. The malware monitors the victim to learn which bank is used, then redirects the browser to a ready-made fraudulent copy of that bank's site. GootKit now “hijacks infected victims to a fake website to trick them into a simulated online banking session. Only this one is completely fraudulent,” writes IBM cybersecurity threat intelligence expert Limor Kessem, who discovered the new version.

Effective redirection is harder to achieve because it requires registering a bank look-alike domain and then recreating the relevant pages so precisely that the victim accepts them as genuine. When it works, however, the session takes place on the attacker's servers rather than the bank's, so neither the victim nor the bank is aware of the attack, and the criminals simply receive the victim's login details. “Instead of injecting the page, the actor hijacks the victim to an entirely different page hosted directly on rogue servers,” writes Kessem.

If the deception succeeds and the victim logs in, web injection still takes place, but now the injected content is pulled invisibly from the attacker's server in real time rather than visibly injected from the malware's configuration file on the infected machine.
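The sequence described above leaves a trace at the network egress: an infected client requests the genuine bank host and, moments later, a host that imitates it. The following is an added example of detection logic over that trace; it is not code from the SecurityWeek article or from IBM's research. It assumes a hypothetical proxy-log format (timestamp, client address, requested host, path), a hypothetical list of the bank's genuine hostnames, and constructed sample lines rather than captured traffic.

```python
"""Triage proxy logs for the redirection pattern used by banking trojans.

Added example, not from the article or IBM. Log format, bank hostnames and
sample lines are all hypothetical/constructed.
"""
import re
from datetime import datetime, timedelta

# Hypothetical: the bank's genuine online-banking hostnames.
LEGIT_BANK_HOSTS = {"online.examplebank.co.uk", "secure.examplebank.co.uk"}

# Characters commonly substituted to build look-alike hostnames.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample log: one client is redirected to a look-alike host one
# second after reaching the genuine login page; the other is clean.
SAMPLE_LOG = """\
2017-03-07T09:14:02Z 10.1.2.3 online.examplebank.co.uk /login
2017-03-07T09:14:03Z 10.1.2.3 online.examp1ebank.co.uk /login
2017-03-07T09:14:05Z 10.1.2.3 online.examp1ebank.co.uk /auth/step2
2017-03-07T09:20:11Z 10.1.2.9 online.examplebank.co.uk /login
2017-03-07T09:20:15Z 10.1.2.9 online.examplebank.co.uk /accounts
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+)$")


def normalise(host):
    """Collapse common confusable substitutions so 'examp1ebank' == 'examplebank'."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the genuine bank host that `host` imitates, or None if it is
    either genuine or unrelated."""
    host = host.lower().rstrip(".")
    if host in LEGIT_BANK_HOSTS:
        return None
    for legit in LEGIT_BANK_HOSTS:
        # Genuine name embedded under an attacker-controlled domain,
        # e.g. online.examplebank.co.uk.evil.example
        if legit in host and not host.endswith("." + legit):
            return legit
        if normalise(host) == normalise(legit) or levenshtein(host, legit) <= 2:
            return legit
    return None


def parse_log(text):
    """Parse the hypothetical log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m["client"],
            "host": m["host"].lower(),
            "path": m["path"],
        })
    return events


def find_redirections(events, window=timedelta(seconds=30)):
    """Flag clients that request a look-alike of a bank host. Severity is
    'high' when the same client reached the genuine host within `window`
    beforehand (the redirection sequence), 'medium' for a bare look-alike hit,
    since the malware may redirect before the first genuine request completes."""
    findings, reported, last_legit = [], set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in LEGIT_BANK_HOSTS:
            last_legit[(ev["client"], ev["host"])] = ev["ts"]
            continue
        imitated = lookalike_of(ev["host"])
        if imitated is None or (ev["client"], ev["host"]) in reported:
            continue
        reported.add((ev["client"], ev["host"]))
        seen = last_legit.get((ev["client"], imitated))
        severity = "high" if seen is not None and ev["ts"] - seen <= window else "medium"
        findings.append({"ts": ev["ts"], "client": ev["client"], "host": ev["host"],
                         "imitates": imitated, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_redirections(parse_log(SAMPLE_LOG)):
        print(f"{f['ts'].isoformat()} {f['client']} -> {f['host']} "
              f"imitates {f['imitates']} [{f['severity']}]")
```

The egress proxy is the useful vantage point here because it records the requested host (or TLS SNI) regardless of how the malware steered the browser, whereas a page-side check on the bank's own site never runs during a redirection attack: the victim is never on the bank's page.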

GootKit was first detected almost three years ago. A summer 2016 analysis by IBM described the earlier version as “a malware project that implements stealth and persistency alongside real-time, web-based activities like dynamic webinjections, which modify the banking website as rendered in the infected machine’s browser. Since it is operated by one gang, GootKit is believed to have its own in-house developers focused on evolving its stealth mechanisms, security evasion techniques and fraud capabilities.”

The ongoing nature of the ‘project’ is now confirmed by its evolution to redirection.


The new variant of GootKit was first discovered in the UK, targeting four specific banks, although IBM expects it to expand into other regions and other banks. It is not unusual for redirection banking malware to be ‘launched’ in the UK; the same happened with Dyre in 2014 and later with Dridex and TrickBot. “The only other Trojan that uses redirection attacks is GozNym,” notes Kessem. “In this case, it was an exception, since it launched redirection attacks in Poland.”

One suggestion is that the UK is chosen precisely because of the maturity of its banking system and the quality of UK banks' security defenses: if an attack works in the UK, it should work anywhere. More generally, America and Europe are frequently targeted by financial malware because bank procedures there are well understood by the criminal gangs and the victims are relatively wealthy.

GootKit is considered to be one of the more sophisticated of the banking trojans, but is not generally widespread. “GootKit’s overall prevalence in the wild is rather limited compared to other malware of its class,” says Kessem. “This is due to its operators keeping campaigns focused on a small number of countries.”

It is usually delivered by phishing emails designed to send the victim to a malicious site. Recent campaigns have also been seen using the RIG exploit kit and the malvertising sprees known as the EITest campaign.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
