GootKit (Malware Family)

GootKit

aka: talalpek, Xswkit

URLhaus

Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.

References

https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669

https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/

https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps

https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/

https://www.us-cert.gov/ncas/alerts/TA16-336A

https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/

https://www.youtube.com/watch?v=242Tn0IL2jE

http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html

https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/

http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/

http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html

https://news.drweb.com/show/?i=4338&lng=en

https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/

https://www.youtube.com/watch?v=QgUlPvEE4aw

https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055

rule win_gootkit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b7df4 32c0 8b4de4 f3aa }
            // n = 4, score = 6000
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   32c0                 | xor                 al, al
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_1 = { 8955cc 8945e0 83c108 8b4638 }
            // n = 4, score = 5000
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   83c108               | add                 ecx, 8
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]

        $sequence_2 = { 56 ff750c ff7508 ff7704 }
            // n = 4, score = 5000
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff7704               | push                dword ptr [edi + 4]

        $sequence_3 = { bb00d00700 03cf 8bc3 395df4 }
            // n = 4, score = 5000
            //   bb00d00700           | mov                 ebx, 0x7d000
            //   03cf                 | add                 ecx, edi
            //   8bc3                 | mov                 eax, ebx
            //   395df4               | cmp                 dword ptr [ebp - 0xc], ebx

        $sequence_4 = { 803c195c 746a 49 79f7 }
            // n = 4, score = 5000
            //   803c195c             | cmp                 byte ptr [ecx + ebx], 0x5c
            //   746a                 | je                  0x24229f0
            //   49                   | dec                 ecx
            //   79f7                 | jns                 0x2422980

        $sequence_5 = { c1e108 03c8 0fb6470a 51 }
            // n = 4, score = 5000
            //   c1e108               | shl                 ecx, 8
            //   03c8                 | add                 ecx, eax
            //   0fb6470a             | movzx               eax, byte ptr [edi + 0xa]
            //   51                   | push                ecx

        $sequence_6 = { 8945e0 83c108 8b4638 6a04 }
            // n = 4, score = 5000
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   83c108               | add                 ecx, 8
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   6a04                 | push                4

        $sequence_7 = { 32c0 8bda 56 f3aa }
            // n = 4, score = 5000
            //   32c0                 | xor                 al, al
            //   8bda                 | mov                 ebx, edx
            //   56                   | push                esi
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_8 = { 3bf1 7606 3bf0 777b }
            // n = 4, score = 5000
            //   3bf1                 | cmp                 esi, ecx
            //   7606                 | jbe                 0x2421f0c
            //   3bf0                 | cmp                 esi, eax
            //   777b                 | ja                  0x2421f85

        $sequence_9 = { 5d c3 8d3419 85f6 }
            // n = 4, score = 5000
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d3419               | lea                 esi, dword ptr [ecx + ebx]
            //   85f6                 | test                esi, esi

    condition:
        7 of them
}

GootKit Propose Change

References

GootKit