{
	"id": "ff8e5546-3508-433b-b052-bb89815652d1",
	"created_at": "2026-04-06T00:09:21.909775Z",
	"updated_at": "2026-04-10T03:20:54.993886Z",
	"deleted_at": null,
	"sha1_hash": "de446da991bee9b91b741d6d7e63119bdfbc266e",
	"title": "Inside the Gootkit C\u0026C server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1017998,
	"plain_text": "Inside the Gootkit C\u0026C server\r\nBy Alexey Shulmin\r\nPublished: 2016-10-27 · Archived: 2026-04-05 16:21:53 UTC\r\nThe Gootkit bot is one of those types of malicious program that rarely attracts much attention from researchers.\r\nThe reason is its limited propagation and a lack of distinguishing features.\r\nThere are some early instances, including on Securelist (here and here), where Gootkit is mentioned in online\r\nmalware research as a component in bots and Trojans. However, the first detailed analysis was published by\r\nresearchers around two years ago. That was the first attempt to describe the bot as a standalone malicious\r\nprogram, where it was described as a “new multi-functional backdoor”. The authors of that piece of research put\r\nforward the assertion that the bot’s features were borrowed from other Trojans, and also provided a description of\r\nsome of Gootkit’s key features.\r\nIn September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable\r\nfeature: an extra check of the environment variable ‘crackme’ in the downloader’s body. This feature was not\r\npresent in the early versions. Just as interesting was the fact that we were able to gain access to the bot’s C\u0026C\r\nserver, including its complete hierarchal tree of folders and files and their contents.\r\nInfection\r\nAs was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain\r\nof downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit\r\nversion, detected in September, primarily targets clients of European banks, including those in Germany, France,\r\nItaly, the Netherlands, Poland, etc.\r\nThe Trojan’s main propagation methods are spam messages with malicious attachments and websites containing\r\nexploits on infected pages (Rig Exploit Kit). The attachment in the spam messages contained Trojan-Banker.Win32.Tuhkit, the small initial downloader that launched and downloaded the main downloader from the\r\nC\u0026C server, which in turn downloaded Gootkit.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 1 of 14\n\nExamples of infected pages used to spread the Trojan\r\nWhile carrying out our research we detected a huge number of the initial downloader versions that were used to\r\ndistribute the Trojan – most of them are detected as Trojan.Win32.Yakes. Some of the loaders were extremely odd,\r\nlike the one shown below. It clearly stated in its code that is was a loader for Gootkit.\r\nSection of code from one of the initial downloaders\r\nSome versions of Gootkit are also able to launch the main body with administrator privileges bypassing UAC. To\r\ndo so, the main loader created an SDB file and registered it in the system with the help of the sdbinst.exe utility,\r\nafter which it launched the bot with elevated privileges without notifying the user.\r\n‘Crackme’ check\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 2 of 14\n\nThe new version of Gootkit is distinct in that it checks the environment variable ‘crackme’ located in the\r\ndownloader body. It works as follows: the value of the variable is compared to a fixed value. If the two values\r\ndiffer, the bot starts to check if it has been launched in a virtual environment.\r\nChecking the global variable in the downloader’s body\r\nTo do so, the bot checks the variable ‘trustedcomp’, just like it did in earlier versions.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 3 of 14\n\nChecking the bot’s body for launch in a virtual environment\r\nThe Trojan’s main body\r\nThe Trojan’s main file includes a NodeJS interpreter and scripts. After unpacking, the scripts look like this:\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 4 of 14\n\nNodeJS scripts that make up the Trojan’s main body\r\nThe scripts shown in the screenshot constitute the main body of the Trojan. Gootkit has about a hundred various\r\nscripts, but they are mostly for practical purposes (intermediate data handlers, network communication DLLs,\r\nwrapper classes implementations, encoders etc.) and not of much interest.\r\nThe Trojan itself is distributed in an encrypted and packed form. Gootkit is encrypted with a simple XOR with a\r\nround key; unpacking is performed using standard Windows API tools. The screen below shows the first 255 bytes\r\nof the transferred data.\r\nThe Trojan’s packed body\r\nThe first three DWORDs denote the sizes of the received, unpacked and packed data respectively. One can easily\r\ncheck this by subtracting the third DWORD from the first DWORD, which leaves 12 bytes – i.e., the size of these\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 5 of 14\n\nvariables.\r\nStealing money\r\nInterception of user data is done the standard way, via web injections into HTTPS traffic (examples of these web\r\ninjects are shown below). After the data is sent to the C\u0026C server, it is processed by parsers, each of which is\r\nassociated with the website of a specific bank.\r\nFragment of parser code\r\nCommunication with the C\u0026C\r\nIn the version of Gootkit under review, the C\u0026C address is the same as the address from which the Trojan’s main\r\nbody is downloaded; in earlier versions, these two addresses sometimes differed. While generating a request, the\r\nTrojan uses its unique User Agent – any request that does not specify a User Agent will be denied.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 6 of 14\n\nThe unique GootKit User Agent\r\nCommunication with the C\u0026C comes down to the exchange of a pre-defined set of commands, the main ones\r\nbeing:\r\nRequest a list of files available to the Trojan (P_FS:FS_READDIR);\r\nReceive those files (P_FS:FS_GETFILE/FS_GET_MULTIPLEFILES);\r\nReceive update for the bot (P_FS: FS_GETFILE);\r\nObtain screenshot (P_SPYWARE:SP_SCREENSHOT);\r\nUpload list of processes (P_SPYWARE:SP_PROCESSLIST);\r\nTerminate process (P_SPYWARE:SP_PROCESSKILL);\r\nDownload modules (P_FS: FS_GETFILE);\r\nReceive web injects (P_ SPYWARE:SP_SPYWARE_CONFIG).\r\nThe bot’s main commands and sub-commands\r\nThe C\u0026C addresses (two or three in number) are hardwired in the loader’s body and can also be saved in the\r\nregistry. The body of the data packet may vary depending on the request type, but always includes the following\r\nvariables:\r\nSize of data packet, plus eight;\r\nCheck value XORed with a constant;\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 7 of 14\n\nCommand type;\r\nCommand sub-type.\r\nIn the screen below, the C\u0026C requests registration information from the bot during its first launch.\r\nRequest from C\u0026C, example of variables\r\nThe response in this case will contain detailed information about the infected computer, including:\r\nNetwork adapter parameters;\r\nCPU details, amount of RAM;\r\nUser name, computer name.\r\nRegardless of the request type, data is communicated between the C\u0026C and the bot in the format protobuf.\r\nWhen the main body is downloaded, the address that the loader contacts typically ends in one of the following\r\nstrings:\r\n/rbody32;\r\n/rbody64;\r\n/rbody320.\r\nMystery solved…rather easily\r\nWe found a configuration error that often appears on botnet C\u0026C servers and took advantage of it to capture a\r\ncomplete tree of folders and files, as well as their contents, from one of the GootKit C\u0026C servers.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 8 of 14\n\nContents of GootKit C\u0026C server\r\nThe C\u0026C server contains a number of parsers for different banking sites. These parsers are used (provided the\r\nuser data is available) to steal money from user accounts and to send notifications via Jabber. The stolen data is\r\nused in the form of text files, with the infected computer’s IP address used as the file name.\r\nStolen data and logs on the bot’s C\u0026C server\r\nExample of stolen data in one of the text files\r\nOther data (bank transfers and logs) is also stored in text file format.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 9 of 14\n\nParser logs\r\nAn analysis of the bot’s web injects and parser logs has shown that the attackers primarily target the clients of\r\nGerman and French banks.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 10 of 14\n\nDistribution of web injects across domain zones\r\nExcerpts from parser logs\r\nAnalysis of the server content and the parsers made it clear that the botnet’s creator was a Russian speaker. Note\r\nthe comments in the screen below.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 11 of 14\n\nA fragment of script including the author’s comments in Russian\r\nMoreover, Gootkit most probably has just one owner – it’s not for sale anywhere and, regardless of the\r\ndownloaders’ modifications or type of admin panel, the code in NodeJS (the Trojan’s main body) is always the\r\nsame.\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 12 of 14\n\nExamples of Gootkit web injects\r\nConclusions\r\nGootkit belongs to a class of Trojans that are extremely tenacious, albeit not very widespread. Because it’s not\r\nvery common, new versions of the Trojan may remain under the researchers’ radar for long periods.\r\nIt should also be noted that the users of NodeJS as a development platform set themselves certain limitations, but\r\nsimultaneously get a substantial degree of flexibility and simplicity when creating new versions of the Trojan.\r\nKaspersky Lab’s security products detect the Trojan GootKit and all its associated components under the\r\nfollowing verdicts:\r\nTrojan-Banker.Win32.Tuhkit (the initial downloader distributed via emails);\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 13 of 14\n\nTrojan.Win32.Yakes (some modifications of the main downloader);\r\nHEUR:Trojan.Win32.Generic (the bot’s main body, some modifications of the downloader).\r\nMD5\r\n1c89a85c1a268f6abb34fb857f5b1b6f\r\n7521e82162ed175ad68582dd233ab1ae\r\n9339dcb3571dda122b71fb80de55d0d6\r\nb13378ad831a1e4e60536b6a3d155c42\r\n9ba9f48cda9db950feb4fbe10f61353c\r\nSource: https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nhttps://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/"
	],
	"report_names": [
		"inside-the-gootkit-cc-server"
	],
	"threat_actors": [],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de446da991bee9b91b741d6d7e63119bdfbc266e.pdf",
		"text": "https://archive.orkl.eu/de446da991bee9b91b741d6d7e63119bdfbc266e.txt",
		"img": "https://archive.orkl.eu/de446da991bee9b91b741d6d7e63119bdfbc266e.jpg"
	}
}