win.gootkit

GootKit

aka: talalpek, Xswkit

Gootkit is a banking trojan, large parts of which are written in JavaScript (Node.js). It calls into C/C++ library functions for various tasks.

References
https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669
https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/
https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps
https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/
https://www.us-cert.gov/ncas/alerts/TA16-336A
https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/
https://www.youtube.com/watch?v=242Tn0IL2jE
http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html
https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/
http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/
http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html
https://news.drweb.com/show/?i=4338&lng=en
https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/
https://www.youtube.com/watch?v=QgUlPvEE4aw
https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055