GootKit: Bobbing and Weaving to Avoid Prying Eyes

Discovered in the wild in the summer of 2014, GootKit is believed to be a privately held cybercrime tool: it is not sold to other criminals in underground forums and is operated by a closed gang. Considering its stealth, data theft and browser manipulation capabilities, GootKit is one of the most advanced banking Trojans active today. It is used in online banking fraud attacks that target consumer and business bank accounts primarily located in Europe.

In online banking fraud attacks witnessed throughout 2016, GootKit’s masters leverage this malware’s capabilities to infiltrate the endpoints of retail and business banking customers, steal their personal authentication credentials and manipulate their online banking sessions with social engineering. They eventually take over those accounts and transfer cash to mule accounts they control.

Beyond its overall modus operandi, GootKit is a malware project that implements stealth and persistence alongside real-time, web-based activities such as dynamic web injections, which modify the banking website as rendered in the infected machine’s browser. Since it is operated by a single gang, GootKit is believed to have its own in-house developers focused on evolving its stealth mechanisms, security evasion techniques and fraud capabilities.

This blog post was published as part of my work with IBM X-Force. Read the complete post here.
