GootKit Developers Dress It Up With Web Traffic Proxy

This post was co-authored with IBM X-Force researcher Gadi Ostrovsky
---

Discovered in summer of 2014, GootKit is widely considered one of the most sophisticated banking Trojans active in the wild. The malware is being used in online banking fraud attacks on consumer and business accounts, mostly in the U.K. and other parts of Europe.

In this blog post, I will describe my analysis of a recent GootKit sample (MD5: 60e079ec28d47ef85e93039c21afd19c) discovered by IBM X-Force research in January 2017. The sample caught our attention when we realized that GootKit’s developers had modified its architecture and changed the way it operates on the infected endpoints.

Our research into GootKit’s inner workings unveiled its new network interception method, which now proxies internet traffic through the malware instead of placing hooks on the browser. GootKit also bypasses certificate validation by hooking other relevant APIs to continue its malicious operation unhindered.

GootKit Renovating the Architecture

The first and most significant change I noticed in recent GootKit samples is an architectural expansion. In the past, GootKit operated on two principal modules:

The Loader module, which was responsible for persistence, malware updates and the injection of malicious code into the web browser and Windows OS processes; and

The Main module, which was responsible for general malware functionality. This module is based on a node.js engine, bound with the malware’s code.

The Main module can be injected into a svchost process, at which point it acts as a master. It can also be injected into a browser process and act as a slave, intercepting all network communications via the browser by hooking the NtDeviceIoControlFile API. The NtDeviceIoControlFile service is a device-dependent interface that extends the control that applications have over various devices within the system. This API provides a consistent view of the input and output data to the system while still providing the application and the driver a device-dependent method of specifying a communications interface.

Read the rest of the technical info and our conclusion here.