Gootkit Banking Malware

TIPpers are incidents the ThreatConnect Research team flags for your awareness so that your organization can take decisive action.

TIPper: Gootkit Banking Malware

This incident involves malware used to steal credentials from an infected machine, in this case targeting financial institutions. When the user browses to a domain on the malware's target list, the malware injects a JavaScript file hosted at ajax-load[.]ru into the page. The injected script captures the credentials when the user logs in and sends them to the command and control server. The malware also records video of the web session, compresses it, and uploads it to the command and control server. See the incident for further details, including associated file hashes and command and control nodes.

  • Malware features:
    • VNC
    • Video capture for every Windows session
    • Web page injection
    • Credential theft via web page injection
    • Process injection
    • Core of the malware written in JavaScript
    • SOCKS tunnel
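
One way to hunt for the web-inject behavior described above in your own telemetry is to scan outbound web proxy logs for requests to the inject host and keep the Referer, which reveals the targeted site that pulled the script. The following is an added example, not ThreatConnect's code and not part of the incident: the log format, client addresses, bank domain and URL paths are all constructed for illustration; the only indicator taken from this page is the defanged host ajax-load[.]ru. The matcher accepts the host and its subdomains but rejects lookalikes such as a registrable domain merely prefixed or suffixed with the indicator.

```python
"""Flag proxy-log requests to the Gootkit inject host published in the TIPper.

Added example (not ThreatConnect's code). The log format and every URL path
below are constructed for illustration; the only indicator taken from the
page is the defanged host ajax-load[.]ru.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicator exactly as published (defanged so it is not clickable).
DEFANGED_INDICATORS = ["ajax-load[.]ru"]

# Constructed sample log: date time client method url status referer content-type
SAMPLE_PROXY_LOG = """\
2016-02-05 10:14:02 10.1.2.33 GET https://www.example-bank.test/login 200 - text/html
2016-02-05 10:14:03 10.1.2.33 GET https://www.example-bank.test/static/app.js 200 https://www.example-bank.test/login application/javascript
2016-02-05 10:14:03 10.1.2.33 GET https://ajax-load.ru/inject.js 200 https://www.example-bank.test/login application/javascript
2016-02-05 10:14:09 10.1.2.33 POST https://cdn.ajax-load.ru/collect 200 https://www.example-bank.test/login text/plain
2016-02-05 10:15:40 10.1.2.34 GET https://ajax-load.ru.example.test/ 200 - text/html
2016-02-05 10:16:00 10.1.2.35 GET https://notajax-load.ru/ 200 - text/html
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<referer>\S+) (?P<ctype>\S+)$"
)


@dataclass
class Hit:
    client: str
    method: str
    host: str
    url: str
    referer: Optional[str]  # page that loaded the script, i.e. the targeted site
    indicator: str


def refang(indicator: str) -> str:
    """Turn the defanged form 'ajax-load[.]ru' into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, indicator: str) -> bool:
    """Exact host or a subdomain of it. Rejects lookalikes such as
    'notajax-load.ru' and 'ajax-load.ru.example.test'."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def scan_proxy_log(log_text: str, defanged=DEFANGED_INDICATORS) -> List[Hit]:
    """Return one Hit per log line whose request host matches an indicator."""
    indicators = [refang(i) for i in defanged]
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        host = urlsplit(m["url"]).hostname or ""
        for ind in indicators:
            if host_matches(host, ind):
                ref = None if m["referer"] == "-" else m["referer"]
                hits.append(Hit(m["client"], m["method"], host, m["url"], ref, ind))
                break
    return hits


def victims_by_client(hits: List[Hit]) -> Dict[str, List[str]]:
    """Map each client IP to the deduplicated pages that pulled the inject."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        pages = out.setdefault(h.client, [])
        if h.referer and h.referer not in pages:
            pages.append(h.referer)
    return out


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.client} {h.method} {h.url} (loaded from {h.referer}) matches {h.indicator}")
    print(victims_by_client(found))
```

The Referer of the matching GET is the page the victim was logged into when the script was pulled, so it doubles as a list of which target sites were hit; the later POST to the same host is the kind of request the credential exfiltration would produce and is worth pulling the body for if the proxy retains it.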

For additional details, current ThreatConnect users can access this incident by searching for incident “20160205A” in the ThreatConnect Platform.

If you do not have a ThreatConnect account, click HERE to access our Free Edition as well as 30-day access to our Subscriber Community.  ThreatConnect’s Free Edition allows you to establish a basic threat intelligence practice, collaborate with your internal team, protect your organization with open source threat data, bulk import cyberthreat indicators, contribute to the ThreatConnect Community, and receive support and validation from outside researchers and analysts also using the platform.  The Subscriber Community includes timely notification of threat incidents identified by the ThreatConnect Research team, an exclusive service offered at no additional charge to paying customers.

About the Author

With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs, all through a single, robust platform.