
Reverse engineering Gootkit

Gootkit - in some places also referred to as Xswkit - is a banking malware written almost entirely in JavaScript. In this blog post we will reverse engineer the malware far enough to decrypt its webinject configuration file, that is, the file containing its list of targets and the instructions for how to attack them.

Gootkit arrives on a machine through a relatively small loader - a Windows executable - which, after performing virtual machine detection, downloads the Node.js engine bundled with the malware code. This second stage is quite heavy, reaching almost 5 MB in size. The JavaScript code inside is well hidden and encrypted with the RC4 algorithm. Let's kick off the analysis with one of these loader samples (MD5 b29089669c444cbdb62d89bf0e3c9ef8).

After unpacking the sample we land at the original entry point, at address 4040C7:


The next thing we spot is an aPLib decompression routine. Note the magic header check: the first DWORD of the buffer is compared against 'AP32' in little-endian byte order:
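To turn that magic check into something a defender can reuse, here is an added example (not code from the original post or from the malware) that carves aPLib-wrapped blobs out of a memory dump. It assumes the loader uses aPLib's standard 24-byte "safe" header, which is consistent with the 'AP32' check above; the sample dump and its "packed" bytes are constructed placeholders, so only the header framing and CRC validation are real.

```python
import struct
import zlib

# aPLib "safe" header layout (24 bytes, six little-endian DWORDs):
#   'AP32' | header size (24) | packed size | CRC32(packed) | original size | CRC32(original)
# The loader's check compares the first DWORD against 'AP32' read little-endian, i.e. 0x32335041.
APLIB_MAGIC = b"AP32"
APLIB_MAGIC_DWORD = 0x32335041
APLIB_HEADER_LEN = 24


def parse_aplib_header(buf, off):
    """Return the header fields at buf[off:] if they form a sane aPLib safe header, else None."""
    if off + APLIB_HEADER_LEN > len(buf):
        return None
    magic, hdr_len, packed_len, packed_crc, orig_len, orig_crc = struct.unpack_from(
        "<IIIIII", buf, off)
    if magic != APLIB_MAGIC_DWORD or hdr_len != APLIB_HEADER_LEN:
        return None
    start = off + hdr_len
    if packed_len == 0 or start + packed_len > len(buf):
        return None  # header claims more data than the dump contains
    packed = buf[start:start + packed_len]
    if zlib.crc32(packed) & 0xFFFFFFFF != packed_crc:
        return None  # 'AP32' matched by chance; the packed CRC does not
    return {"offset": off, "packed": packed, "orig_len": orig_len, "orig_crc": orig_crc}


def carve_aplib_blobs(buf):
    """Scan a dump for every 'AP32' occurrence and keep only CRC-validated blobs."""
    found, pos = [], buf.find(APLIB_MAGIC)
    while pos != -1:
        hdr = parse_aplib_header(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(APLIB_MAGIC, pos + 1)
    return found


def build_sample_dump():
    """Constructed dump: padding, a decoy 'AP32' string, then one properly wrapped blob.
    The packed bytes are placeholders (an MZ-looking prefix), not real aPLib output."""
    packed = b"\x4d\x5a\x90\x00" + bytes(range(60))
    orig = b"fake-decompressed-payload"
    header = struct.pack("<4sIIIII", APLIB_MAGIC, APLIB_HEADER_LEN, len(packed),
                         zlib.crc32(packed) & 0xFFFFFFFF, len(orig),
                         zlib.crc32(orig) & 0xFFFFFFFF)
    return b"\x00" * 16 + b"AP32 is the magic" + b"\xcc" * 8 + header + packed + b"\x00" * 8
```

Once a blob is carved, the original size and CRC in the header let you confirm that whatever you dump from the decompression buffer is complete.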


Placing a breakpoint at this address and dumping the decompressed buffer, we find another tiny embedded executable, which is later injected into explorer.exe. This binary does contain suspicious strings related to VM detection:


Interestingly, the VM detection can be controlled by an environment variable. The malware authors must have reserved this feature for their own testing, but we can benefit from it too:


What we see here is a check for the presence of the environment variable "crackme". A checksum of its value is calculated and, if it matches a certain constant, VM detection is skipped. The checksum is a variant of the well-known CRC32 algorithm. It did not take long to crack it: 'aHzkxc' is a value that Gootkit gladly accepts.

The malware uses a hardcoded User-Agent, which is checked by the C&C server. The URLs from which further payloads are downloaded are:

  • hxxps://lovemeating.space:80/rbody320 (its purpose is not yet known)
  • hxxps://lovemeating.space:80/rpersist2/56080258 (may be persistence module)
  • hxxps://lovemeating.space:80/rbody32 (core)

It communicates over HTTPS on port 80. These payloads are decompressed with the RtlDecompressBuffer API.

Next we turn our attention to the decompressed DLL 'rbody32' (MD5 d17f99eab2d8c6f3eb7b7f25b7631976), which is around 5 MB in size because it is linked with the Node.js engine. We can observe various references to what look like embedded JavaScript files:


These records contain the offset and size of each individual script file. The complete list of embedded script files is given below. Their names give us a pretty good guess about what each one does:

addressparser.js
assert.js
buffer.js
certgen.js
chardet.js
child_process.js
clienthttp.js
client_proto_cmdterm.js
client_proto_fs.js
client_proto_ping.js
client_proto_registration.js
client_proto_socks.js
client_proto_spyware.js
cluster.js
config_processor.js
console.js
constants.js
crypto.js
dgram.js
dns.js
domain.js
encoding.js
events.js
FastBufferList.js
freelist.js
fs.js
generate_function.js
generate_object_property.js
gootkit_crypt.js
http.js
https.js
http_injection_stream.js
imap_client.js
inconvlite.js
internalapi.js
keep_alive_agent.js
line_reader.js
mailparser.js
mail_spyware.js
malware.js
meta_fs.js
mime.js
mimelib.js
module.js
net.js
node.js
os.js
packet.js
path.js
pop3_client.js
protobuf_compile.js
protobuf_encodings.js
protobuf_schema.js
protobuf_schema_parse.js
protobuf_schema_stringify.js
protobuf_schema_tokenize.js
protocol_buffers.js
punycode.js
querystring.js
readline.js
repl.js
saved_creds.js
sax.js
signed_varint.js
smalloc.js
spyware.js
sqlite3.js
starttls.js
stream.js
streams.js
string_decoder.js
suspend.js
sys.js
tar_stream.js
timers.js
tls.js
tracing.js
tty.js
tunnel.js
url.js
utf7.js
util.js
utils.js
uue.js
varint.js
vm.js
vmx_detection.js
windows.js
xz.js
zeusmask.js
zlib.js
_http_agent.js
_http_client.js
_http_common.js
_http_incoming.js
_http_outgoing.js
_http_server.js
_linklist.js
_stream_duplex.js
_stream_passthrough.js
_stream_readable.js
_stream_transform.js
_stream_writable.js
_tls_common.js
_tls_legacy.js
_tls_wrap.js

As a courtesy, you can download these files from GitHub.

One thing to note is that these scripts often call OS-dependent functions that are not part of the native Node.js engine, such as Windows registry manipulation, process injection, or hooking, which is vital for today's banking malware in order to deceive the web browser. Those functions have been implemented in C++ and exported through an interface that makes them available to the JavaScript code.

Okay, straight to the point. Where are the webinjects stored?

In 'client_proto_spyware.js' we can find a reference to a registry key:


Checking that registry key we can see encrypted binary content:


Tracking this value through the scripts, we find references to a magical function called 'encryptDecrypt()'. However, we cannot find where it is actually implemented. Of course, remember: some parts of the malware are implemented in C++. Looking at rbody32 we can spot the decryption routine, which turns out to be a rather simple XOR combined with some division and multiplication:


Here at S21sec we have collected numerous samples of Gootkit, and what we have observed is that the countries most affected by this threat are France and Italy. Its targets include, among others, Societe Generale, Banque Populaire, Le Credit Lyonnais, BNP Paribas, BTP Banque, Credit Cooperatif, Inbank, Banca Popolare di Milano, Credito Valtellinese, BPER Gruppo, Credem, Istituto Centrale delle Banche Popolari Italiane, Raiffeisen, Banca Popolare di Ancona, Banca Mediolanum, Intesa Sanpaolo, Banca Comerciala Romana, Chase, SwedBank, ...


Sonae IM and S21sec strengthen their position in the European cybersecurity market through the acquisition of SysValue.




The acquisition means that Sonae Investment Management (IM) now holds the leading position in Portugal as the largest pure-play cybersecurity entity, and is able to leverage significant synergies between Grupo S21sec Gestión and SysValue.

Sonae Investment Management (IM) has today confirmed its acquisition of SysValue, a cybersecurity services company with key strengths in Auditing, Consulting, Integration, Training and R&D, and a distinctive presence in the Telecom, Financial Services, Energy and Government sectors.

This acquisition, following the Grupo S21sec transaction in September 2014, is yet another important milestone in the execution of Sonae IM's strategy for European cybersecurity market leadership and international expansion. More specifically, the company now establishes itself as the clear pure-play leader in the Portuguese market.

According to Carlos Alberto Silva, Board Member at Sonae IM, “We are proud of this latest development to strengthen our cybersecurity portfolio, as we believe there is a clear market opportunity for a focused player that has the added benefit of scale. SysValue represents a significant asset to us in Portugal and also at a wider regional level. We will continue seeking organic and inorganic growth opportunities.”

João Barreto, Founder and Chairman of the Board of SysValue, echoes these sentiments: “Becoming part of Sonae IM’s cybersecurity strategy is the result of 14 years of dedication to information security, and teaming up with S21sec is an opportunity to elevate the delivery of cybersecurity services to unparalleled levels of expertise and sophistication. A broader service offering, the go-to-market of SysValue’s R&D initiatives and the delivery of services internationally will be immediate benefits stemming from this deal.”

The integration of SysValue into Sonae IM's portfolio will also allow the extraction of significant synergies: the pooling of knowledge and expertise in Technical Delivery and R&D resources, the establishment of common back-office structures, the alignment of go-to-market strategies, the consolidation of positions in key accounts, and plenty of cross-selling opportunities.

On the subject of synergies, Pedro Leite, Chief Delivery Officer and VP Portugal at S21sec, says, “With the acquisition of SysValue, we strengthen our position in the Portuguese market with a team of highly specialized and experienced cybersecurity professionals. As the country's market leader, we want to contribute to the development of the cybersecurity sector in Portugal and we believe that we have the right team to make it happen.”

Sonae IM will be able to further leverage its portfolio companies' Government sector relationships and activities to reinforce its proactive EU strategy of strengthening the region's robustness and preparedness when facing cybersecurity incidents. Through S21sec, Sonae IM holds the Presidency of the European Cybersecurity Group (ESCG), an alliance of 5 leading European pure-play companies.

S21sec
www.s21sec.com

Mules






Yesterday Europol published a press release announcing the arrest of approximately 700 money mules across Europe last February.

These are key operations, as they directly affect the monetization of fraud and require the participation of international banks, police, security forces and private companies to take place.

We have been investigating the use of mules in bank fraud since the 21st century, and more specifically the operation of banking malware that calls itself ATS. This abbreviation stands for Automated Transfer System, and its aim is to act as an automated interface connecting banking Trojans to the mules recruited by the "mule herder".

[Figure: inside an ATS panel, showing the connections coming from the botnet]



Although this has been a very popular attack in recent years, it is in no way new: we have internal records of its use since at least 2011. The fraud process generally consists of the following steps:

1. The user is infected by malware. This normally happens through a social engineering attack received by e-mail, or by unwittingly browsing a web page infected with an exploit kit.

2. The infected user logs in to the legitimate website of their own bank and is deceived through social engineering.

3. The deceived user makes the transfer. The malware then connects to the ATS panel which, based on the user's data, selects one of the mules it has recruited to receive the transaction.

4. After the transfer, the malware can act in different ways, as determined by the cybercriminal: delete itself, destroy the operating system, or carry on as if nothing had happened, falsifying the data visible to the user.

The graph below shows a general outline of the process.




One of the tasks the department performs on a daily basis when investigating and analyzing botnets is to check whether the associated malware is able to perform attacks using an ATS.

As a result of these analyses, in 2015 we detected over 150 different mules prepared to receive transfers made by infected users. The main malware families using these mules were kins, tinba, xswit, pykbot, urlzone and dridex.

An example can be seen below in the locations of the mules used by tinba botnets.





For us, it is a real challenge to share our work and cooperate with the police and state security forces to try to neutralize and capture all those involved in these fraud schemes, so we are proud to see press releases like the one published by Europol.

Today we can be pleased with the work we have done; tomorrow we will have to detect the next 700 mule accounts, which are no doubt already being prepared.