During the latest Gootkit campaign, detected by F5 in February 2016, new targets were spotted while analyzing the malware's configuration.
Gootkit, identified in some cases as Waldek, is a banking Trojan that was first seen in the wild around April 2014.
In this specific configuration, the malware records the user's actions while they interact with the login page; those recordings are assumed to be sent to the fraudster over email.
Proofpoint previously reported that Gootkit had started expanding its interest to other geographical areas and assumed the trend would continue; we can now witness that forecast playing out. By analyzing the malware configuration, we noticed it targeting financial institutions from previous reports in Europe, such as the UK, France, Spain, Italy, Germany, Belgium, Luxembourg, Hungary, Bulgaria and Switzerland.
Our latest investigation shows that Gootkit has started to examine new areas around the world: in the Middle East it attacks financial institutions in Israel and Egypt, it now also targets banks in the US and Canada, and it was even found targeting Sri Lanka and New Zealand.
Figure 1 Gootkit list of targets
As with other financial Trojans, Gootkit prepares by using its video recording functionality before launching actual attacks on financial institutions' websites.
The video recording documents the user's interaction with the bank's website and can be tuned by several options, such as the recording time and the frame rate of the video. After a recording has been created, the file is uploaded to the C&C.
Figure 2 Gootkit configuration targeting generic "bank" name
Gootkit has an interesting traffic pattern: it communicates over HTTPS, but on port 80. We can only assume this is intended to slip past weak firewall rules that permit any traffic to port 80.
Gootkit communicates with a couple of domains that are hardcoded in the infection file.
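One way a defender can hunt for the traffic pattern described above (a TLS handshake sent to port 80) is to check whether the first client payload of a flow to a non-TLS port is a TLS ClientHello. The following is an added example written for this page; it is not F5's or Gootkit's code. It assumes a hypothetical set of ports where TLS is expected (443 and 8443) and operates on constructed sample flows rather than captures from the article.

```python
from typing import List, Tuple

# Ports on which a TLS handshake is expected in this (hypothetical) network.
EXPECTED_TLS_PORTS = {443, 8443}


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes of a TCP payload look like a TLS record of
    content type Handshake (0x16), protocol version 3.x, carrying a
    ClientHello (handshake type 0x01), i.e. the start of a TLS session."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    handshake_type = payload[5]  # first byte after the 5-byte record header
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and handshake_type == 0x01)


def flag_tls_on_unexpected_port(dst_port: int, payload: bytes) -> bool:
    """Flag a flow whose first client packet is a TLS ClientHello sent to a
    port where plaintext is expected (such as 80)."""
    return dst_port not in EXPECTED_TLS_PORTS and is_tls_client_hello(payload)


def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, int]]:
    """Return (destination, port) for every flow matching the pattern."""
    return [(dst, port) for dst, port, payload in flows
            if flag_tls_on_unexpected_port(port, payload)]


# Constructed sample flows (not captures from the article): a TLS 1.0-versioned
# record header carrying a ClientHello, and a plain HTTP request.
TLS_CLIENT_HELLO = bytes.fromhex("1603010046" "010000420303") + b"\x00" * 64
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

SAMPLE_FLOWS = [
    ("203.0.113.10", 80, PLAIN_HTTP),         # normal HTTP on port 80
    ("203.0.113.20", 443, TLS_CLIENT_HELLO),  # normal HTTPS on port 443
    ("203.0.113.30", 80, TLS_CLIENT_HELLO),   # TLS on port 80: the pattern in question
]

if __name__ == "__main__":
    for dst, port in scan_flows(SAMPLE_FLOWS):
        print(f"TLS ClientHello to {dst}:{port} (port not in expected TLS set)")
```

TLS on port 80 also occurs legitimately (some proxies and CDNs accept it), so a hit is a hunting lead to correlate with the hardcoded domains, not a verdict on its own.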
Figure 3 Gootkit Communication points
To avoid detection, the malware rewrites itself under a different file name every hour, deleting the previous version of the file.
To survive a reboot, it adds an "Autorun" registry key in the HKEY_CURRENT_USER hive, under \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which runs the malicious file every time the user logs on to their Windows account.
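A defender can audit the persistence location named above by reading the per-user Winlogon Shell value and comparing it with the stock value. The following is an added example for this page, not F5's tooling or the malware's code. It assumes that on a clean machine the HKCU copy of the Shell value is absent (the system-wide one under HKLM is "explorer.exe"), and that any extra comma-separated entry in that value is an additional program started at logon; the classification logic is separated from the registry read so it can be exercised on any platform.

```python
import sys
from typing import Dict, List, Optional

# Location taken from the text: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value "Shell".
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_NAME = "Shell"
# Stock shell; a clean profile normally has no HKCU copy of this value at all.
EXPECTED_SHELL = "explorer.exe"


def assess_shell_value(value: Optional[str]) -> Dict[str, object]:
    """Classify a Winlogon Shell value. None means the value is absent,
    which is the normal state under HKCU."""
    if value is None:
        return {"status": "absent", "suspicious": False, "extra": []}
    # The Shell value is a comma-separated list of programs Winlogon starts.
    entries: List[str] = [e.strip() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != EXPECTED_SHELL]
    # Anything other than explorer.exe in the per-user Shell value is worth a look.
    return {"status": "present", "suspicious": bool(extra), "extra": extra}


def read_hkcu_shell() -> Optional[str]:
    """Read HKCU Winlogon\\Shell on Windows; returns None when the key or
    value does not exist, or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return str(value)
    except FileNotFoundError:
        return None


def audit_current_user() -> Dict[str, object]:
    """Run the check against the live registry of the current user."""
    return assess_shell_value(read_hkcu_shell())


if __name__ == "__main__":
    result = audit_current_user()
    if result["suspicious"]:
        print("Suspicious HKCU Winlogon\\Shell entries:", result["extra"])
    else:
        print("HKCU Winlogon\\Shell is", result["status"])
```

Because the malware renames its file every hour, the extra entry is a better pivot than any particular file name: collect the path it points to, then check that location's recent history rather than searching for a fixed name.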