A malware researcher uncovered an updated strain of the infamous GootKit Trojan which was initially discovered in 2014 as an extremely powerful banking virus.
GootKit Trojan Now Updated
A security researcher has uncovered that the infamous GootKit Trojan is now updated. This is a very old threat having been discovered originally in the summer of 2014. It is used as a potent banking Trojan which conducts online banking fraud upon infection. The update features a new network interception technique which uses proxies to route the malicious traffic instead of modifying the running browser processes. GootKit is also now capable of bypassing certification authority validation by hooking relevant APIs. The new versions makes it very hard for security software to detect the active infections. A more thorough analysis reveals that the banking malware uses three main modules:
- The Loader – This is the first-stage part of the Trojan which sets up the persistent environment. Any updates to the main code are performed by it.
- The Main Module – It is based on a Node.JS engine which is flexible and can be customized easily by experienced programmers.
- Browser Injection Module – This is the newest addition as in previous versions this functionality was performed by the Loader.
Upon infection the virus first sets up a persistent environment for itself by manipulating a group policy object (GPO) entry located in the Windows Registry. This alternative method is preferred by the hackers to avoid detection by automated security solutions. The Main Module creates a proxy server which works in conjunction with the new browser injection module. The interesting thing about the included proxy service is that it uses the standard network ports for transmitting the data. However the listening port is hardcoded to port 6000, a value which can be changed in customized versions of the threat.
Network communication with the remote C&C servers and the criminal operator is done after several verification steps re done by the program. The newly updated iteration is also known for bypassing any security certification error prompts which makes active infections more difficult to spot.
The Trojan infected computers and launched campaigns mostly in Europe in last year. Some of the major targets include financial institutions in France, Italy and the United Kingdom. It is also ranked in the top 10 ranking of the most active financial malware families per attack volume.
As always such dangerous viruses can be easily removed with the use of a quality anti-malware tool.