# Threat Spotlight: Gootkit Banking Trojan

**[blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan](https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan)**

Masaki Kasuya, Tatsuya Hasegawa

[RESEARCH & INTELLIGENCE / 04.13.20 /](https://blogs.blackberry.com/en/category/research-and-intelligence) [Tatsuya Hasegawa,](https://blogs.blackberry.com/en/author/tatsuya-hasegawa) [Masaki Kasuya](https://blogs.blackberry.com/en/author/masaki-kasuya)

Gootkit is a sophisticated banking Trojan which can perform various malicious activities such as:
web injection, taking screenshots, video recording, email parsing, and so on. Gootkit emerged
during the summer of 2014 but is still active, making it a viable threat to financial institutions to
this day.

[BlackBerry most recently observed a Gootkit campaign via AZORult infostealer malware in](https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html)
February, March, and April of 2019. Our monitoring revealed the threat actor changed Gootkit
hosting domain names constantly and created Gootkit variants almost daily. Its core module
contains several JavaScript files and the node.js runtime environment, so as a result, its file size
tends to be large. In fact, our analyzed sample was over 6 MB.

This technical blog covers information on the Gootkit/AZOrult campaign and presents the results
of our latest analysis. While we found a few dozen Gootkit samples, we focused on the latest
samples (a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df). This
variant aimed to steal login accounts from users of five French banks.

## Technical Analysis

### Gootkit via AZORult

[In a previous blog on AZORult, BlackBerry examined the protocol used by the malware to](https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html)
communicate with command-and-control (C2) servers. We implemented a custom scanner to
monitor the C2 servers and download and parse configuration settings. The scanner caught some
Gootkit campaigns via AZORult occurring on the dates below:


-----

1. Feb. 9 2019 - Feb. 11 2019,
2. Feb. 15 2019 - Mar 7 2019.
3. Mar. 12 2019 - Mar 13 2019.
4. Mar. 31 2019 - Apr. 1 2019.

The threat actor generated Gootkit variants almost every day and used a variety of malware
hosting domain names. For more detail of the campaign information, see Table 1 and Table 2:

**SHA256 (Gootkit)** **Gootkit Delivery URL** **Date**


879b1f79cbd105ff52ac9a0b01cee4be
f921df59e72fb7f5e41db48430ca9a85

1d62fec40f14dd0458556f0211529df88
d19fe0249d195d6153388610c5525df

b9440e407b971def1d8a3d19c2da0e81
145aad4b29e51602fc11f566e9854537

d01defb4fe8db26ea0151afa1c4e817db
1aba1c8464127110f7ef860164ed79a

6b19c0ec581ca24ef2a35d37af523ab2a
f19740585ad653d98593a057268e01c

2a1dd210ed71e33e58aadd9157eebb35
ad38eb70cb182d244a8f9879f195b930

1b052c6d721f4dc36b3e58192ac6c664
d43aec8f15fcd2a8f91616f705192ebb

6a9b222b7be97ed608bcbef6dc05cff9f
b16ae9a31a08e719857cad6146dc8d7


hxxp://hairpd[.]com/stat/sputik[.]exe Feb
9
2019

hxxp://camdunki[.]com/gx/Aleto[.]exe Feb
11
2019

hxxp://camdunki[.]com/gx/wipip[.]exe Feb
15
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe Feb
16
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe Feb
17
2019
                                  Feb
18
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe Feb
18
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe Feb
19
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe Feb
20
2019


-----

e67ec7af646f6b9bdfe59e3549f84bd30
71c72386de57e9a9a5fe58982dbdd49

5eb54a536d9b560b79c7113efa5eebcb
e21e9aede3f751d14a98b38c829a53b5

6c2d6abc2e130092f414d4f64adeb22d
ac56e8f802d4250c84db62a563bf99ec

9f6881386d0ff9a0cd2bc49da21b999d1
3e4ebdc858bdad755ee26898c567a3d

ab54b89a75ee9d858b734e927ff16aef3
d5c8137552c9973864d7eed8aa5e472

3974b0985d524dd38a9d040c9eaf880c
421411210e0bdd577ac2306f6471a413

81a2c4c708c13338ed7aac439aa876c5
e1d2116afb23e7cf8a345a05ebd55eed

fb05723ac5960a5776d7432429998d4a
48a3f7e74761046352c16712208bd983

983b39b339bc62a09c20ea2f1b1360e1
7bf9431587e2a257ec4f3a62b4489ff4


hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe Feb
21
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/zip[.]exe Feb
22
2019
AM

hxxp://chermin[.]tweakdsl[.]nl/loges/zip[.]exe Feb
22
2019
PM

hxxp://chermin[.]tweakdsl[.]nl/loges/zip[.]exe Feb
23
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/zip[.]exe Feb
23
2019
-Feb
24
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/remove[.]exe Feb
24
2019
                                  Feb
25
2019

hxxp://chermin[.]tweakdsl[.]nl/loges/Atrip[.]exe Feb
26
2019


hxxp://chermin[.]tweakdsl[.]nl/loges/
DlKitlMNdktild[.]exe

hxxp://chermin[.]tweakdsl[.]nl/loges/
aHdBhBjUhBHm[.]exe


Feb
28
2019
AM

Feb
28
2019
PM


-----

212aeaf6cec0884743c2c3079dab17eb
581dc28329be3e023f62c751cd01169f

fcbe6c55b2b092b1d97aa2d8a9ac6f356
5b10c47ae7d59b08552d0e2ee11d102

729502b7b074e55f1e7d364ae3917043
76480a28081ca0d7eba4495fca3b1367

e70a9cfd7c9f1a23d00cdc5eba866ea6
c80a4a555498f8d0feba58a765b9aa39

d5ba0f1c01cf12f57cca93996d2f87191
c9420afbbd116d3757060d780338d29

5766bffa91f87cd08582fac05209c5d8d
9356ad88e15499038dc624c0ccbc468

c1ae38afb6c82b9107868d66318095f1
c00f1e92dddc0ee953c23a8de4ace353


hxxp://chermin[.]tweakdsl[.]nl/loges/Astart[.]exe Mar
1
2019
AM

hxxp://chermin[.]tweakdsl[.]nl/loges/Astart[.]exe Mar
1
2019
PM

hxxp://kbhookah[.]com/loggers/repost[.]exe Mar
2
2019
                                  Mar
4
2019

hxxp://kbhookah[.]com/loggers/repost[.]exe Mar
5
2019


hxxp://new[.]eltrans53[.]ru/uploads/utf8[.]exe Mar
12
2019
                                  Mar
13
2019


hxxp://startintern[.]terweij[.]nl/wpadmin/repox[.]exe

hxxp://startintern[.]terweij[.]nl/wpadmin/repox[.]exe


Mar
6
2019

Mar
7
2019


_Table 1: Gootkit campaign from ssl[.]admin[.]itybuy[.]it (an AZORult C2 server)_

**SHA256 (Gootkit)** **Gootkit Delivery URL** **Date**


-----

a3c243afceb1fb38f25ae81816891d7d
7c11ae76e80a43f31d2ceb9833f2f3df


hxxp://ccleanerhome[.]com/fonts/igfpers[.]exe Mar 31
2019 Apr 1
2019


_Table 2: Gootkit campaign from triangularty[.]com (an AZORult C2 server)_

## Loader and Core DLL Module

Gootkit has two modules: the loader and the core DLL module, as shown in Figure 1 below. The
loader is used for evasion, persistence, and downloading the core DLL module. Once the loader
downloads the core DLL module, Gootkit can perform malicious actions such as:

Web injection
Key logging
Launching VNC server
Recording video

_Figure 1: Two modules of Gootkit: Loader and Core DLL Module_

## Evasion

Gootkit uses many evasion techniques, including anti-VM (virtual machine), anti-debug, and antisandbox. It performs the following evasive activities:

1.  Check loaded DLL files related to Sandbox technology and debugging by detecting the
following strings:
a.  dbghelp.dll (Windows standard debugger’s module)
b.  sbiedll.dll (software Sandboxie’s module)


-----

2.  Check usernames by detecting the following strings:
a.  CurrentUser
b.  Sandbox

3.  Check computer names by detecting the following strings.
a.  SANDBOX
b.  7SILVIA

4.  Check registry keys related to the Hardware BIOS information by detecting the strings shown
in Table 3:

**Registry Key** **Registry Entry** **Data**

HKLM\HARDWARE\DESCRIPTION\System SystemBiosVersion AMI
BOCHS
QEMU
SMCI
INTEL –
6040000
FTNT-1
VBOX
SONI

HKLM\HARDWARE\DESCRIPTION\System VideoBiosVersion VirtualBox

HKLM\Software\Microsoft\Windows\CurrentVersion SystemBiosVersion 55274-640267306423950
(this value is
associated
with
JoeSandbox )
76487-644317703723510
( this value is
associated
with
CWSandbox )
76487-337842995522614
( this value is
associated
with Anubis )

_Table 3: Registry check for evasion_

Hardware SystemBiosVersion checking code is shown in Figure 2:


-----

_Figure 2: Hardware SystemBiosVersion check for evasion_

In addition, the evasive techniques are anti-forensic. Meaningful strings shown in Table 3 are
stored in temporary heap memory. At the end of this evasion function, the allocated heap memory
is released by using RtlFreeHeap and HeapFree (see Figure 3). The purpose of the evasion is to
make memory forensics more difficult to perform:

_Figure 3: Erasing meaningful strings with RtlFreeHeap and HeapFree API_

## Persistence

Gootkit uses Pending GPO (see Figure 4) to relaunch the malware after reboot. First, it drops an
.inf file under the same directory as the Trojan file. The base filename of the INF file is the same
as the malware file. For example, if the filename of Gootkit is “igfpers.exe”, the .inf file name is
“igfpers.inf”:

_Figure 4: An .inf file created by Gootkit_


-----

Gootkit then creates three registry values: Count, Path1, and Section1 under
“HKCU\Software\Microsott\IEAK\GroupPolicy\PendingGPOs” as shown in Figure 5. “Path1”
contains the full path of the .inf file and “Section1” refers to a section name (“DefaultInstall”)
written in the .inf file:

Figure 5: Registry values for its persistence

## Core DLL Module Installation

Gootkit loader launches itself using the “--vwxyz” options. It then downloads an encoded DLL
module from the C2 server and injects it into a Gootkit process. The C2 server will not send the
DLL module without the appropriate “UserAgent”. Once it receives a valid response from the C2
server, Gootkit splits the encoded DLL module into chunks. Each chunk size is 512,000 bytes (at
most) and is saved under “HKCU\Software\AppData\Low\finget_{index number}” (See Figure 6).
After reboot, Gootkit loads the data from registry keys and concatenates all chunks into an
encoded DLL. This results in the core DLL module becoming fileless:

_Figure 6: Registry values for its persistence_

The DLL module is decrypted and decompressed by “RTLDecompressBuffer”. Gootkit then
allocates a new memory section to the current process and copies it into the allocated memory.

The DLL module contains JavaScript files for performing malicious activity. During our
investigation, we found over a hundred embedded JS files. Most of them are innocent (Node.js
library). However, some JavaScript files are intended for malicious purposes such as


-----

malware.js, spyware.js, zeusmask.js, and so on. Malicious JavaScript codes are responsible
for backdoor functions which allow Gootkit to:

Update the DLL
Launch VNC server
Capture keystrokes
Inject malicious scripts for stealing online banking credentials
Record video
Steal email
Perform other malicious actions

In addition, a JavaScript file is designed to detect VM environments (Figure 7):

_Figure 7: VM check_

## Banking Trojan

The DLL module receives web injection code from its C2 server and tries to steal login accounts
from victims who used five French banks. Figure 9 shows a code snippet of web injection script.
The threat monitors the victim’s web browser and steals credentials when the French banks are
accessed. The link at the bottom of Figure 8 stored a French-bank-specific script:


-----

_Figure 8: A web injection script against a French bank_

A JavaScript code targeting one French bank was also able to steal PIN numbers.

Cautious users might choose to use a software keyboard to input sensitive information on online
banking websites. However, Gootkit displays a fake software keyboard designed to steal user
input (and the victim’s PIN number).

## Conclusion

This blog covered a Gootkit campaign that spread using AZORult infostealer. During this
campaign, attackers constantly changed the hash values of Gootkit and the hosting URLs. Based
upon our monitoring, the campaign was active between February and April 2019. The sample we
analyzed was aimed at stealing banking information from users of five French banks. Gootkit is
still being actively used against victims in EU regions.

[If you are using BlackBerry’s endpoint protection solution CylancePROTECT®, you are](https://www.cylance.com/en-us/platform/products/cylance-protect.html)
proactively protected from Gootkit. Blackberry uses artificial intelligence-based agents trained for
threat detection on millions of both safe and unsafe files. Our automated security agents block
Gootkit based on countless file attributes and malicious behaviors instead of relying on a specific
file signature. CylancePROTECT, which offers a [predictive advantage over zero-day threats, is](https://threatvector.cylance.com/en_us/home/cylance-vs-future-threats-the-predictive-advantage.html)
trained on and effective against both new and legacy cyberattacks.

[For more information visit https://www.cylance.com and](https://www.cylance.com/) [https://www.blackberry.com/us/en.](https://www.blackberry.com/us/en)

## Appendix

### Indicators of Compromise (IOCs)


-----

**Hashes**
o  Gootkit loader:

a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df
c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353
5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468
d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29
e70a9cfd7c9f1a23d00cdc5eba866ea6c80a4a555498f8d0feba58a765b9aa39
729502b7b074e55f1e7d364ae391704376480a28081ca0d7eba4495fca3b1367
fcbe6c55b2b092b1d97aa2d8a9ac6f3565b10c47ae7d59b08552d0e2ee11d102
212aeaf6cec0884743c2c3079dab17eb581dc28329be3e023f62c751cd01169f
983b39b339bc62a09c20ea2f1b1360e17bf9431587e2a257ec4f3a62b4489ff4
fb05723ac5960a5776d7432429998d4a48a3f7e74761046352c16712208bd983
81a2c4c708c13338ed7aac439aa876c5e1d2116afb23e7cf8a345a05ebd55eed
3974b0985d524dd38a9d040c9eaf880c421411210e0bdd577ac2306f6471a413
ab54b89a75ee9d858b734e927ff16aef3d5c8137552c9973864d7eed8aa5e472
9f6881386d0ff9a0cd2bc49da21b999d13e4ebdc858bdad755ee26898c567a3d
6c2d6abc2e130092f414d4f64adeb22dac56e8f802d4250c84db62a563bf99ec
5eb54a536d9b560b79c7113efa5eebcbe21e9aede3f751d14a98b38c829a53b5
e67ec7af646f6b9bdfe59e3549f84bd3071c72386de57e9a9a5fe58982dbdd49
6a9b222b7be97ed608bcbef6dc05cff9fb16ae9a31a08e719857cad6146dc8d7
1b052c6d721f4dc36b3e58192ac6c664d43aec8f15fcd2a8f91616f705192ebb
2a1dd210ed71e33e58aadd9157eebb35ad38eb70cb182d244a8f9879f195b930
6b19c0ec581ca24ef2a35d37af523ab2af19740585ad653d98593a057268e01c
d01defb4fe8db26ea0151afa1c4e817db1aba1c8464127110f7ef860164ed79a
b9440e407b971def1d8a3d19c2da0e81145aad4b29e51602fc11f566e9854537
1d62fec40f14dd0458556f0211529df88d19fe0249d195d6153388610c5525df
879b1f79cbd105ff52ac9a0b01cee4bef921df59e72fb7f5e41db48430ca9a85

**Domain names**
o  Gootkit’s C2 server:

sillikogermin[.]com
feferturietan[.]com
manjuorlidnqo[.]com
chechelderpos[.]com
kalamindridro[.]com
avant-garde[.]host
kinzhal[.]online
servicemanager[.]icu
partnerservice[.]xyz
Location of web injection script
mabanquesecure[.]com


-----

**URLs**
o  Location of Gootkit DLL

sillikogermin[.]com/rbody32

**C2s/IPs**
o  Gootkit delivery URL

hxxp://ccleanerhome[.]com/fonts/igfpers[.]exe
hxxp://new[.]eltrans53[.]ru/uploads/utf8[.]exe
hxxp://startintern[.]terweij[.]nl/wp-admin/repox[.]exe
hxxp://kbhookah[.]com/loggers/repost[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/Astart[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/aHdBhBjUhBHm[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/DlKitlMNdktild[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/Atrip[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/remove[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/zip[.]exe
hxxp://chermin[.]tweakdsl[.]nl/loges/tlss[.]exe
hxxp://camdunki[.]com/gx/wipip[.]exe
hxxp://camdunki[.]com/gx/Aleto[.]exe
hxxp://hairpd[.]com/stat/sputik[.]exe

**Persistence**
o  .INI file
   -  e.g., C:\Users\USERNAME\Desktop\igfpers.inf
o  Registry Key
   -  HKCU\Software\Microsott\IEAK\GroupPolicy\PendingGPOs
o  Registry Value / Data
    -  Path1 / Path to Gootkit loader
_▪  Section1 / DefaultInstall (It points to a section in .inf file)_

**Interesting Strings**
o  --vwxyz (An option for new process creation to download Gootkit DLL from its C2
server)

## About Masaki Kasuya

Senior Threat Researcher at BlackBerry Cylance Japan


-----

[Masaki Kasaki started his professional career as Security Engineer at a large e-commerce](https://www.linkedin.com/in/masaki-kasuya-ph-d-016084a6/)
company and earned practical experience in malware analysis, penetration testing, incident
response, and corporate IT security. His Ph.D. dissertation sought how to stimulate stealthy
malware’s behavior. While he was Ph.D. student, he received student paper award and student
presentation award. He holds SANS GREM, GCFA, GCIH, GCIA and GMOB.

## About Tatsuya Hasegawa

Senior Threat Researcher at BlackBerry Cylance

[Tatsuya Hasegawa is a Senior Threat Researcher in APAC at BlackBerry, and is responsible for](https://www.linkedin.com/in/tatsuya-hasegawa-aa3279142/)
malware analysis and sandbox technology. He has practical experience in the both managed
security service provider as a security analyst and CSIRT as an incident handler. His certifications
include: GREM, GCIH, GCFA, GXPN, GPEN and CISSP.

Back


-----