IBM’s X-Force Research team reported that the GootKit banking trojan has recently received a facelift with the malware now being harder to spot and a lighter video-capture module.
GootKit was first spotted in the wile in 2014 and since then has received a steady stream of updates, something IMB’s Cybersecurity Evangelist Limor Kessem expected to continue, but even without any further updates the current incarnation is dangerous enough. Kessem described Gootkit as one of the most dangerous banking Trojans being used, striking primarily French and U.K. banks. IBM believes it is operated by a single gang and is not rented out like other malware
The most dramatic change noted by IBM was the use of a different video capture technology. GootKit modus operandi has it capturing videos of the victim’s desktop while it is being used and then sending this information to its command and control server. Previously, the malware converted the data in MPEG4 which resulted in a large file that had to be transmitted. Now the malware’s developer encode the data with .ivf files.
“This is a peculiar move on GootKit’s part because .ivf files are quite an old format. The codec was popular in the 1990s since it was the first to allow full-speed video playback without using hardware acceleration, Kessem wrote in a blog, adding that .ivf may have been chosen due because modern security software may not search for such an out of date piece of software.
IBM did not say by how much the video file size is reduced using .ivf.
GootKit’s programmers strengthened its ability to evade detection by changing the file type and the process into which it is injected. It is now injected to SVCHOST.EXE in the form of a DLL file. Traditionally banking malware is injected into the explorer.exe process.
“While both processes are commonly run by the system at all times, and both are able to be injected into, perhaps loading GootKit’s DLL through a process that runs multiple different instances at the same time can be confusing to detect. Explorer.exe, in contrast, is a process that only runs as one instance at a time,” Kessem said.
A final new twist is the malware’s level of persistence. The programmers now have the malware written as a scheduled task whereas it had been written to the shell registry so it launched when when the user logged on.