Trojan changes MO to keep security experts on their toes

Jul 11, 2016 09:15 GMT  ·  By

GootKit, one of the top ten most active banking trojans in the world, received a massive update in June, an upgrade that added core modifications to the way the malware operates, according to a report by IBM's X-Force Research team.

GootKit is a less-known banking trojan that appeared in 2014, and unlike most of its competition, it has never had its source code leaked online, nor has it been rented via a Malware-as-a-Service operation.

GootKit, the banking trojan that everyone should know and fear

The trojan is the work of a secretive criminal group that has kept a tight grip on when and whom the malware targets, focusing mainly on targeting the clients of European banks only.

While most malware generally targets a bank's regular (retail) clients, GootKit has not shied away from going after high-end business customers with the hopes of compromising bigger accounts to steal larger sums of money.

Its mode of operation includes regular Web injects that alter the way a banking portal looks in the user's browser in order to collect banking credentials from its victims.

GootKit now uses scheduled tasks

What very few know about GootKit is that the criminal group behind this threat is constantly updating the trojan's source code so it would not get picked up by antivirus engines. Only professional malware receives this kind of attention, and GootKit is certainly up there.

In June, IBM says it detected a large number of important updates to GootKit's source and mode of operation that are sure to make antivirus detection much harder.

The first and easiest to spot was a change to the installation method. Instead of relying on modifying the Windows Registry to gain boot persistence, the trojan now uses scheduled tasks that run every minute, being capable of running with both least-privilege user accounts (LUA) and administrator accounts.

The Dyre banking trojan also uses this very same boot persistence mechanism, allowing the malware to function on workstations used by multiple persons, like the ones you'd regularly find in enterprise environments.

GootKit hides in SVCHOST processes

Once the malware is up and running, recent versions of GootKit now inject malicious DLLs in the svchost.exe (Service Host) process.

Other banking trojans, and former GootKit versions included, regularly come packaged as EXE files that attach themselves to the explorer.exe process.

The difference between svchost.exe and explorer.exe processes is that svchost.exe can run in multiple instances, while there's only one explorer.exe process.

IBM's experts assume that, by utilizing DLLs and by injecting itself into one of the many svchost.exe processes that run every second on a PC, the trojan is trying to make the job of antivirus software a lot harder.

Multiple checks for VM environments

Another big change in the way GootKit operates is the addition of VM checks, a feature that many malware categories had been adding in the past year.

VM checks are operations through which malware checks environment variables for common names associated with virtual machines, usually employed by antivirus software and security researchers performing reverse engineering.

GootKit uses a two-stage VM checking process. There are VM checks included in the GootKit dropper, the malware that infects the system and then installs the actual banking trojan, but there are VM checks in the GootKit malware source code itself.

GootKit will check for VM clues in the device’s basic input/output system (BIOS), the MAC address, IDE/SCSI hard drives, and the CPU name. If the trojan finds any clues of a VM, it immediately stops executing.

Currently targeting France and the UK

According to IBM, the most recent GootKit version comes with specialized Web injects that target banks in France and the UK, but there were also a few banks included in the configuration file from Spain and Italy.

"Overall, GootKit is known to be deployed in limited regions," the IBM team explains. "As a result, it only accounts for 4 percent of the global attack volume by financial malware."

The banking trojan market
The banking trojan market

Photo Gallery (2 Images)

GootKit malware receives big update
The banking trojan market
Open gallery