GootKit Developers Dress It Up With Web Traffic Proxy
This post was co-authored with IBM X-Force researcher Gadi Ostrovsky
---
Discovered in the summer of 2014, GootKit is widely considered one of the most sophisticated banking Trojans active in the wild. The malware is being used in online banking fraud attacks on consumer and business accounts, mostly in the U.K. and other parts of Europe.
In this blog post, I will describe my analysis of a recent GootKit sample (MD5: 60e079ec28d47ef85e93039c21afd19c) discovered by IBM X-Force research in January 2017. The sample caught our attention when we realized that GootKit’s developers had modified its architecture and changed the way it operates on the infected endpoints.
Our research into GootKit’s inner workings unveiled its new network interception
method, which now proxies internet traffic through the malware instead of
placing hooks on the browser. GootKit also bypasses certificate validation by
hooking other relevant APIs to continue its malicious operation unhindered.
GootKit Renovating the Architecture
The first and most significant change I noticed in recent GootKit samples is an architectural expansion. In the past, GootKit operated on two principal modules:
- The Loader module, which was responsible for persistence, malware updates and the injection of malicious code into the web browser and Windows OS processes; and
- The Main module, which was responsible for general malware functionality. This module is based on a Node.js engine bound with the malware’s code.
The Main module can be injected into an svchost process, at which point it acts as a master. It can also be injected into a browser process and act as a slave, intercepting all of the browser’s network communications by hooking the NtDeviceIoControlFile API. NtDeviceIoControlFile is a device-dependent interface that extends the control applications have over the various devices in the system: it gives the system a consistent view of the input and output data while still letting the application and the driver agree on a device-dependent communications interface.
Read the rest of the technical info and our conclusion here.