The GootKit banking malware has joined the growing band of advanced financial trojans that have migrated from web-injections to redirection attacks. Others include Dridex, GozNym and TrickBot.
The majority of bank malware still uses web injection to engineer victims into disclosing their bank credentials so that their funds can be stolen. This involves injecting false content into the bank's page as it is rendered in the victim's browser during a visit to the bank's website. But it has weaknesses: because the victim actually visits the bank, the bank's own security defenses are brought into play, and the injection, which is served from the malware's configuration file, can be detected by security controls.
Redirection is considered to be more sophisticated and more dangerous. This involves monitoring the victim to learn which bank is used, and then redirecting the browser to a ready-made but false website. GootKit now “hijacks infected victims to a fake website to trick them into a simulated online banking session. Only this one is completely fraudulent,” writes IBM cybersecurity threat intelligence expert Limor Kessem, who discovered the new version.
Effective redirection is more difficult to achieve because it requires registering a bank look-alike domain, and then recreating the relevant pages so precisely that the victim accepts them as genuine. When it works, however, neither the victim nor the bank is aware of the attack, and the criminals simply receive the victim's login details. “Instead of injecting the page, the actor hijacks the victim to an entirely different page hosted directly on rogue servers,” writes Kessem.
If the deception is successful and the victim logs in, web-injection will still occur — only this time it is pulled invisibly from the server in real time rather than visibly injected directly from the malware.
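From a defender's side, the pattern described above (a session that starts at the genuine bank and then lands on an off-allowlist look-alike host) is something a proxy or DNS log can be checked for. The following is an added example, not code from the article or from IBM; the log lines, host names and the allowlist are constructed placeholders, and the similarity threshold is an assumption.

```python
from difflib import SequenceMatcher

# Constructed sample proxy log (hypothetical): "<user> <referer_host> <destination_host>".
SAMPLE_LOG = """\
alice www.examplebank.example www.examplebank.example
alice www.examplebank.example secure-examplebank-login.example
bob www.examplebank.example news.example
carol www.otherbank.example www.otherbank.example
"""

# Allowlist of genuine banking hosts (hypothetical placeholders, not real banks).
BANK_HOSTS = {"www.examplebank.example", "www.otherbank.example"}


def brand_label(host):
    """Return the registrable label, e.g. 'examplebank' from 'www.examplebank.example'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def lookalike_score(dest, bank_host):
    """Score how closely a destination host imitates a genuine bank host's brand label.

    A destination that embeds the brand name outright scores 1.0; otherwise the
    labels are compared with a sequence similarity ratio (catches typosquats).
    """
    brand = brand_label(bank_host)
    if brand in dest.lower():
        return 1.0
    return SequenceMatcher(None, brand_label(dest), brand).ratio()


def find_redirections(log_text, allowlist=BANK_HOSTS, threshold=0.8):
    """Flag navigations that leave a genuine bank host for an off-allowlist look-alike.

    Returns (user, referer, destination, score) tuples for each suspicious hop.
    The threshold is an assumed tuning value, not taken from the article.
    """
    hits = []
    for line in log_text.splitlines():
        user, referer, dest = line.split()
        if referer in allowlist and dest not in allowlist:
            score = lookalike_score(dest, referer)
            if score >= threshold:
                hits.append((user, referer, dest, round(score, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_redirections(SAMPLE_LOG):
        print("possible redirection:", hit)
```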
GootKit was first detected almost three years ago. A summer 2016 analysis by IBM described the earlier version as “a malware project that implements stealth and persistency alongside real-time, web-based activities like dynamic webinjections, which modify the banking website as rendered in the infected machine’s browser. Since it is operated by one gang, GootKit is believed to have its own in-house developers focused on evolving its stealth mechanisms, security evasion techniques and fraud capabilities.”
The ongoing nature of the ‘project’ is now confirmed by its evolution to redirection.
The new variant of GootKit was first discovered in the UK targeting four specific banks, although IBM expects to see it expand into other regions with other banks. It is not unusual for redirection bank malware to be ‘launched’ in the UK. The same happened with Dyre in 2014, and later with Dridex and TrickBot. “The only other Trojan that uses redirection attacks is GozNym,” notes Kessem. “In this case, it was an exception, since it launched redirection attacks in Poland.”
There are some suggestions that the UK is chosen precisely because of the maturity of the banking system and the quality of UK bank security defenses: if it works in the UK, it should work anywhere. However, America and Europe are frequently targeted by financial malware simply because bank procedures are well-understood by the criminal gangs, and the victims are relatively wealthy.
GootKit is considered to be one of the more sophisticated of the banking trojans, but is not generally widespread. “GootKit’s overall prevalence in the wild is rather limited compared to other malware of its class,” says Kessem. “This is due to its operators keeping campaigns focused on a small number of countries.”
It is usually delivered by phishing designed to send the victim to a malicious site. Recent campaigns have been seen using the RIG exploit kit and malvertising sprees known as the EITest campaign.