Kaspersky Lab malware analysts wrote in the Securelist blog that they gained access to Gootkit’s command and control (C&C) server.
Kaspersky Lab malware analysts wrote in the Securelist blog that they gained access to Gootkit’s command and control (C&C) server.

Security researchers discovered an upgraded version of the Gootkit bot targeting clients of European banks. Kaspersky Lab malware analysts wrote in the Securelist blog that they gained access to Gootkit's command and control (C&C) server.

Kaspersky Lab anti-bоtnets malwarе analyst Sergey Yunakovsky wrote in an email to SCMagazine.com that the bot affects mostly European countries. The bot also targeted clients of institutions in Germany, France, Italy, Netherlands, Poland, and other countries, the blog stated.

Yunakovsky said while the researchers could not specify from where attackers operate, it appears that their native language is Russian. The threat actors appear to be a cybercriminal group that involves “a highly limited amount of members,” he noted.

Gootkit uses NodeJS as a platform for malware development, Yunakovsky said.

The bot was previously been referred to by researchers as a component in bots and Trojans, and as a “multi-functional backdoor”. The upgraded version of the banking Trojan involves an additional check of the environment variable ‘crackme,' then checks if the program was launched in a virtual environment.

The researchers noted that the upgraded version may remain undetected by researchers for long periods. The bot is “extremely tenacious,” but not widespread, the blog post stated.

In July, IBM researchers reported a prior upgrade to Gootkit that made it more difficult to detect and featured a lighter video-capture module.