{
	"id": "04feea20-03d1-4b75-a3e1-2e2433580950",
	"created_at": "2026-04-06T00:06:11.351164Z",
	"updated_at": "2026-04-10T13:11:47.564381Z",
	"deleted_at": null,
	"sha1_hash": "f72342c2036d2d7039f2a658d363a2555b0691ec",
	"title": "Gootkit: the cautious Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 300862,
	"plain_text": "Gootkit: the cautious Trojan\r\nBy Anton Kuzmenko\r\nPublished: 2021-06-07 · Archived: 2026-04-05 20:33:37 UTC\r\nGootkit is a complex multi-stage banking malware that was first discovered by Doctor Web in 2014. Initially it was distributed via spam and exploit kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites whose visitors are tricked into downloading the malware.\r\nGootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms. In 2019, Gootkit stopped operating after it experienced a data leak, but it has been active again since November 2020.\r\nGootkit’s victims are mainly located in EU countries such as Germany and Italy. In this article we analyze a recent sample of Gootkit.\r\nTechnical Details\r\nGootkit consists of a (down)loader component written in C++ and the main body written in JS and interpreted by Node.js. The main body is a modular framework containing registration, spyware, VMX detection and other modules.\r\nLoader\r\nThe sample (MD5 97713132e4ea03422d3915bab1c42074) is packed by a custom-made multi-stage packer which decrypts the final payload step by step. The last stage is a shellcode that decrypts the original loader executable and maps it into memory. After mapping, the original entry point is called. Hence, we can easily unpack the original executable and analyze it. We detect the Gootkit loader with the verdicts listed in the table below.\r\nMost of the strings are encrypted using XOR encryption and are decrypted at runtime.
No other techniques are used to complicate static analysis.\r\nhttps://securelist.com/gootkit-the-cautious-trojan/102731/\r\nPage 1 of 9\n\nString decryption\r\nHowever, to make dynamic analysis more difficult, the Gootkit loader employs lots of different methods to detect virtual environments or debuggers. If any of the virtual machine checks succeed, the loader enters an infinite loop.\r\nSample name check\r\nFull list of VM detection techniques used by the malware:\r\nCheck | Prohibited value\r\nCRC32 of sample name | 0xBC136B46, 0xD84A20AC, 0xEED889C4, 0x58636143, 0xC0F26006, 0x8606BEDD, 0xE8CBAB78, 0x2AB6E04A, 0x31E6D1EA\r\nGetModuleHandle | dbghelp.dll, sbiedll.dll\r\nGetUserName | CurrentUser, Sandbox\r\nGetComputerName | SANDBOX, 7SILVIA\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\SystemBiosVersion | FTNT1, INTEL-604000, SMCI, QEMU, VBOX, BOCHS, AMI, SONI\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\VideoBiosVersion | VirtualBox\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SystemBiosVersion | 55274-640-2673064-23950 (Joe Sandbox), 76487-644-3177037-23510 (CWSandbox), 76487-337-8429955-22614 (Anubis Sandbox)\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcess\\0\\ProcessorNameString | Xeon\r\n_MEMORYSTATUSEX.ullTotalPhys | Less than 2100000000\r\nUuidCreateSequential (this function is based on the computer MAC address, so the return value is used to determine whether the trojan is running in a sandbox or not) | 0xF01FAF00 (Dell Inc.), 0x505600 (VMWare, Inc.), 0x8002700 (PCS System Technology GmbH), 0xC2900 (VMWare, Inc.), 0x56900 (VMWare, Inc.), 0x3FF00 (Microsoft), 0x1C4200 (Parallels), 0x163E00 (XenSource)\r\nCRC32 of running process names | 0xAEA3ED09, 0x2993125A, 0x3D75A3FF, 0x662D9D39, 0x922DF04, 0xC84F40F0, 0xDCFC6E80\r\nExecution flow\r\nWhen the sample starts, it checks the command line arguments. The available arguments are listed below:\r\nArgument | Description\r\n–client | no handler\r\n–server | no handler\r\n–reinstall | iterate over running processes (where process is a loop variable) and kill all processes where process.pid is not equal to the current process PID and process.name equals the current filename. After that, copy self and run via CreateProcessW\r\n–service | set environment variable USERNAME_REQUIRED=TRUE\r\n–test | stop execution\r\n–vwxyz | download main body from C\u0026C\r\nAfter the command line arguments are handled, the sample checks if it’s running inside a virtual machine or being debugged.
If not, it decrypts the configuration and starts four threads.\r\nThread start routine\r\nUpdate_from_c2\r\nThe first thread that is started tries to download a loader update from \u003cCnC host\u003e/rpersist4/\u003ccrc\u003e, where \u003cCnC host\u003e is a command-and-control server address and \u003ccrc\u003e is the CRC32 of the first 0x200 bytes of the current file in decimal format.\r\nBrowser_inj\r\nThe thread decrypts two embedded MZPE executables (x64 and x86 DLLs), iterates over the running processes and tries to inject the decrypted DLLs into the process memory of the designated process using the NtCreateSection/NtMapViewOfSection API. Matching of the process name is done by calculating the CRC32 value of the process name. For a list of supported browsers, see the table below.\r\nCRC32 | Browser name\r\n0xC84F40F0 | Chrome\r\n0x662D9D39 | Firefox\r\n0x922DF04 | Internet Explorer\r\n0x2993125A | Microsoft Edge (MicrosoftEdgeCP.exe)\r\n0x3D75A3FF | Opera\r\n0xDCFC6E80 | Safari\r\n0xEB71057E | unknown\r\nThe injected code is called from the main body’s web injection and traffic sniffing routines to perform a man-in-the-browser attack. To do so, the code patches the standard browser functions responsible for certificate validation to allow self-signed certificates. As a result, attackers are able to inject custom JS code and modify or redirect traffic.\r\nPersistence_service\r\nIf the sample is running under the LOCAL_SYSTEM account, the Gootkit persistence mechanism abuses the pending GPO Windows feature.
When a user modifies the Pending GPO registry values, the following parameters have to be specified:\r\ncount – count of pending GPOs;\r\npath1, path2, … – path to the special .inf file that contains instructions on how to load the GPO;\r\nSection1, Section2, … – name of the section from the INF file.\r\nSo Gootkit creates an .inf file in the same directory as the sample and writes the following values to the Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs registry key:\r\ncount – 0x1\r\npath1 – .inf file location\r\nSection1 – DefaultInstall\r\nINF file content\r\nNow explorer.exe will load the Group Policy Objects (GPO) every time it is loaded. Gootkit creates a pending GPO for the Internet Explorer Administration Kit (IEAK), which points directly at the INF file. When explorer.exe is loaded at runtime, it will execute the [DefaultInstall] section inside the created file, which will run the Gootkit executable.\r\nIf the sample is running under another account, it creates a service with a random name chosen from %SystemRoot%, copies itself into the %SystemRoot% folder with the chosen name and deletes itself from the disk.\r\nStop_switch\r\nThe thread looks for a file named uqjckeguhl.tmp in the \\AppData\\Local\\Temp and \\Local Settings\\Temp folders. When the file is found, the malware will stop.\r\nMain body download\r\nBefore downloading the main body from the C\u0026C, the loader tries to find registry keys with the following format: HKCU\\Software\\AppDataLow\\\u003cpr_string\u003e_\u003ci\u003e, where i is a number starting from 0 and pr_string is a pseudo-random string generated when the bot starts. Generation is based on the victim’s PC parameters, so the same value is generated for the same PC each time.\r\nEach key contains a maximum chunk of 512,000 bytes (500KB) of encrypted data.
If the aforementioned keys are found, their contents are saved in a newly allocated buffer (used for decryption and decompression). The buffer is then decrypted using the same function used for decrypting the configuration, after which the buffer is decompressed.\r\nAfter the unpacking routine, the loader downloads the main body from the C\u0026C, calculates its CRC32 and compares it with the registry payload CRC (if one exists). If the CRCs are different, the loader executes the newer version downloaded from the C\u0026C. The C\u0026C server will not send the DLL module without the appropriate User-Agent header that is hardcoded into the sample. The current hardcoded value is: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21006101 Firefox/25.0.\r\nDecrypt function\r\nMain body\r\nThe main body (MD5 20279d99ee402186d1e3a16d6ab9398a, verdict HEUR:Trojan.Win32.Generic) is a Node.js interpreter with bundled encrypted JS files. On startup, the main body decrypts the JavaScript files using an RC4-like algorithm with a hardcoded keystream.\r\nInformation about the embedded modules is stored in an array of special file structures that have the following format: BYTE* name_pointer, BYTE* encrypted_data, DWORD data_size, DWORD encr_flag. These structures are used within the decryption routine that reads data_size bytes starting from encrypted_data. This routine decrypts encrypted_data if encr_flag is set and writes the result into a file named *name_pointer. The decryption routine iterates over all entries in the file information array.
After decryption, execution is transferred to the Node.js interpreter.\r\nFile information array\r\nThe array contains 124 encrypted files: Node.js system libraries, open-source packages, and malware modules. Strangely enough, the JS entry point is a file named malware.js.\r\nMalware.js initializes global bot variables, collects saved cookies (IE, Firefox, Chromium) and iterates over a list of servers to find an available C\u0026C.\r\nWhen the malware finds a C\u0026C server, it launches an infinite loop that listens for different internal malware events (some routines, like cookie collection, start on bot startup without a C\u0026C request) and sends the collected data to the C\u0026C via specially formatted packets. The malware also listens for C\u0026C commands and invokes the appropriate handler on each command. To communicate with the modules, the malware uses the following packet types:\r\nInternal name | Description\r\nSLAVE_PACKET_API_TAKESCREEN | Send screenshot to C\u0026C\r\nSLAVE_PACKET_MAIL | Send received email info\r\nSLAVE_PACKET_LOGLINE | Send log\r\nSLAVE_PACKET_LSAAUTH | Send authentication credentials\r\nSLAVE_PACKET_PAGE_FRAGMENT | Send web injects data\r\nSLAVE_PACKET_FORM | Send grabbed form data\r\nSLAVE_PACKET_LOCAL_VARS | Send local bot variables\r\nSLAVE_PACKET_SECDEVICELOG | Send secure device event log\r\nSLAVE_PACKET_KEYLOG | Send keylogger data\r\nSLAVE_PACKET_WINSPYLOG | Send current active window\r\nThere are six types of internal event handlers and corresponding packet formats.\r\nEvent handlers\r\nThe general packet structure is as follows:\r\nLength + 8 (4 bytes)\r\nPacket magic (0xEDB88320 XOR (length + 8))\r\nPacket data (different for each packet type, serialized using protobuf)\r\nPacket magic\r\nPacket generation routine\r\nKaspersky products detect this family as
Trojan-Downloader.Win32.Injecter, HEUR:Trojan.Win32.Generic, Trojan-Downloader.Win32.Gootkit, Trojan-Banker.Win32.Gootkit. All the details, IoCs, MITRE ATT\u0026CK Framework data, Yara rules and hashes related to this threat are available to the users of our Financial Threat Intelligence services. To learn more about threat hunting and malware analysis, check out expert training by Kaspersky’s GReAT.\r\nIndicators of compromise\r\nMain body (same since 2019)\r\n20279d99ee402186d1e3a16d6ab9398\r\nLoader\r\n5249c568fb2746786504b049bbd5d9c8\r\n97713132e4ea03422d3915bab1c42074\r\n174A0FED20987D1E2ED5DB9B1019E49B\r\n27626f2c3667fab9e103f32e2af11e84\r\nDomains and IPs\r\nkvaladrigrosdrom[.]top\r\nscellapreambulus[.]top\r\nlbegardingstorque[.]com\r\nkerymarynicegross[.]top\r\npillygreamstronh[.]com\r\nSource: https://securelist.com/gootkit-the-cautious-trojan/102731/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/gootkit-the-cautious-trojan/102731/"
	],
	"report_names": [
		"102731"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f72342c2036d2d7039f2a658d363a2555b0691ec.pdf",
		"text": "https://archive.orkl.eu/f72342c2036d2d7039f2a658d363a2555b0691ec.txt",
		"img": "https://archive.orkl.eu/f72342c2036d2d7039f2a658d363a2555b0691ec.jpg"
	}
}