
Reverse engineering Gootkit

Gootkit - in some places also referred to as Xswkit - is a banking malware written almost entirely in javascript. In this blog post we will walk through reverse engineering the malware far enough to decrypt its webinject configuration file, that is, the file which contains further instructions about its targets and about how to attack them.

Gootkit arrives on an infected machine via a relatively small loader - a Windows executable - which, after performing virtual machine detection, downloads the Node.js engine bundled with the malware code. This part of the malware is quite heavy, almost 5Mb in size. The javascript code inside is well hidden and encrypted with the RC4 algorithm. So let's kick off the analysis with one of these loader samples (MD5 b29089669c444cbdb62d89bf0e3c9ef8).

After successfully unpacking it, we are standing at the original entry point at address 4040C7:


Next we spot an aPLib decompression routine. Note the magic header check of the DWORD 'AP32' in little-endian order:
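As an added example (not code from the post or from the malware), here is a Python scanner that applies the same magic check to a memory dump: it finds every 'AP32' DWORD, parses the aPLib container header behind it and verifies the packed-data CRC before anything is handed to a decompressor. It assumes aPLib's standard 24-byte container layout (magic, header size, packed size, packed CRC, original size, original CRC) and uses a constructed sample dump.

```python
import struct
import zlib

# The loader compares the buffer's first DWORD with 'AP32' read
# little-endian, i.e. the immediate 0x32335041 seen in the disassembly.
AP32_MAGIC = b"AP32"
AP32_DWORD = struct.unpack("<I", AP32_MAGIC)[0]   # 0x32335041
AP32_HEADER_LEN = 24   # magic + 5 DWORDs (aPLib container header)

def parse_ap32_header(buf, offset=0):
    """Parse one AP32 container header at buf[offset]; None if implausible."""
    if buf[offset:offset + 4] != AP32_MAGIC:
        return None
    if offset + AP32_HEADER_LEN > len(buf):
        return None                      # truncated header
    hdr_size, packed_size, packed_crc, orig_size, orig_crc = \
        struct.unpack_from("<5I", buf, offset + 4)
    data_start = offset + hdr_size
    if hdr_size < AP32_HEADER_LEN or data_start + packed_size > len(buf):
        return None                      # claims more data than the dump holds
    packed = buf[data_start:data_start + packed_size]
    return {
        "offset": offset,
        "packed_size": packed_size,
        "orig_size": orig_size,
        # aPLib's packed CRC is a standard CRC-32, same as zlib.crc32
        "packed_crc_ok": (zlib.crc32(packed) & 0xFFFFFFFF) == packed_crc,
        "orig_crc": orig_crc,
    }

def find_ap32_blobs(buf):
    """Return every plausible AP32 container found in a memory dump."""
    found = []
    pos = buf.find(AP32_MAGIC)
    while pos != -1:
        hdr = parse_ap32_header(buf, pos)
        if hdr is not None:
            found.append(hdr)
        pos = buf.find(AP32_MAGIC, pos + 1)
    return found

# Constructed sample dump: padding, one valid container, then a decoy
# 'AP32' whose header is cut off. The packed bytes are filler, not real
# aPLib output; this validates the container, it does not decompress.
_PACKED = b"\x9c\x07\xd1\x88not-real-compressed-data\x00\x41"
_HEADER = AP32_MAGIC + struct.pack("<5I", AP32_HEADER_LEN, len(_PACKED),
                                   zlib.crc32(_PACKED) & 0xFFFFFFFF,
                                   4096, 0xDEADBEEF)
SAMPLE_DUMP = b"\x00" * 7 + _HEADER + _PACKED + b"AP32\x18\x00"
```

Running `find_ap32_blobs()` over a real process dump gives the candidate offsets to feed to an aPLib decompressor; headers whose sizes overrun the dump or whose CRC fails are dropped rather than passed on.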


Placing a breakpoint at this address and dumping the content of the decompressed buffer, we find another tiny embedded executable which will later be injected into explorer.exe. This binary indeed contains suspicious strings related to VM detection:


Interestingly, this check can be controlled by an environment variable. The malware authors must have reserved this feature for themselves for testing purposes, but we can benefit from it too:


What we see here is a check for the presence of the environment variable "crackme"; a checksum of its value is then calculated, and if it matches a certain value, VM detection is skipped. The checksum is a variant of the well-known CRC32 algorithm. It did not take long to crack it: 'aHzkxc' is a value that Gootkit gladly accepts.

The malware uses a hardcoded User-Agent which is checked by the C&C server. The URLs from which further payloads are downloaded:

  • hxxps://lovemeating.space:80/rbody320 (its purpose is not yet known)
  • hxxps://lovemeating.space:80/rpersist2/56080258 (may be persistence module)
  • hxxps://lovemeating.space:80/rbody32 (core)

It uses an HTTPS connection over port 80 to communicate. These payloads are decompressed with the API RtlDecompressBuffer.

Next we turn our attention to the decompressed DLL 'rbody32' (MD5 d17f99eab2d8c6f3eb7b7f25b7631976), which is around 5Mb in size due to being linked with the Node.js engine. We can observe various references to what look like embedded javascript files:


These records contain offset and size information about each individual script file. The complete list of the embedded script files is given in the table below. Their names give us a pretty good idea of what each one does:

addressparser.js
assert.js
buffer.js
certgen.js
chardet.js
child_process.js
clienthttp.js
client_proto_cmdterm.js
client_proto_fs.js
client_proto_ping.js
client_proto_registration.js
client_proto_socks.js
client_proto_spyware.js
cluster.js
config_processor.js
console.js
constants.js
crypto.js
dgram.js
dns.js
domain.js
encoding.js
events.js
FastBufferList.js
freelist.js
fs.js
generate_function.js
generate_object_property.js
gootkit_crypt.js
http.js
https.js
http_injection_stream.js
imap_client.js
inconvlite.js
internalapi.js
keep_alive_agent.js
line_reader.js
mailparser.js
mail_spyware.js
malware.js
meta_fs.js
mime.js
mimelib.js
module.js
net.js
node.js
os.js
packet.js
path.js
pop3_client.js
protobuf_compile.js
protobuf_encodings.js
protobuf_schema.js
protobuf_schema_parse.js
protobuf_schema_stringify.js
protobuf_schema_tokenize.js
protocol_buffers.js
punycode.js
querystring.js
readline.js
repl.js
saved_creds.js
sax.js
signed_varint.js
smalloc.js
spyware.js
sqlite3.js
starttls.js
stream.js
streams.js
string_decoder.js
suspend.js
sys.js
tar_stream.js
timers.js
tls.js
tracing.js
tty.js
tunnel.js
url.js
utf7.js
util.js
utils.js
uue.js
varint.js
vm.js
vmx_detection.js
windows.js
xz.js
zeusmask.js
zlib.js
_http_agent.js
_http_client.js
_http_common.js
_http_incoming.js
_http_outgoing.js
_http_server.js
_linklist.js
_stream_duplex.js
_stream_passthrough.js
_stream_readable.js
_stream_transform.js
_stream_writable.js
_tls_common.js
_tls_legacy.js
_tls_wrap.js

As a courtesy, you can download these files from GitHub.

One thing to note is that in these scripts we often find function calls that are OS dependent and are not part of the native Node.js engine, such as Windows registry manipulation, process injection, or hooking, which is vital for today's banking malware in order to deceive the web browser. Those functions have been implemented in C++ and exported through an interface, making them available for use from javascript.

Okay, straight to the point. Where are the webinjects stored?

In 'client_proto_spyware.js' we find a reference to a registry key:


Checking that registry key, we see encrypted binary content:


Tracking this value through the scripts, we find references to a magical function called 'encryptDecrypt()'. However, we cannot find where it is actually implemented. Of course, remember: some parts of the malware are implemented in C++. Looking at rbody32 we can spot the decryption routine, which turns out to be a rather simple XOR with some division and multiplication:


Here at S21sec we have collected numerous samples of Gootkit, and what we have observed is that the countries most affected by this threat are France and Italy, targeting among others Societe Generale, Banque Populaire, Le Credit Lyonnais, BNP Paribas, BTP Banque, Credit Cooperatif, Inbank, Banca Popolare di Milano, Credito Valtellinese, BPER Gruppo, Credem, Istituto Centrale delle Banche Popolari Italiane, Raiffeisen, Banca Popolare di Ancona, Banca Mediolanum, Intesa Sanpaolo, Banca Comerciala Romana, Chase, Swedbank, ...


2 comments:

Unknown said...

I'm a student in security and as my project, I should analyze GootKit. I'm only a little familiar with OllyDbg and IDA Pro.
So, as a first step, I don't know how to unpack this malware and find its entry point to begin my analysis.
Could you please introduce me to a good document, so I know how to begin my project.
I have spent two weeks reading different documents about reverse engineering tools such as DynamoRIO or sandboxes like Cuckoo, but unfortunately I couldn't get any result.
I'm confused and tired.
Could you help me please?
Thanks a lot in advance.

S21sec e-crime said...

Hello! Gootkit is advanced-level malware; it might be too hard for someone relatively new to debugging and reverse engineering malicious code. Nevertheless, if you decide to go on, we can recommend the LENA series and the unpacking tutorials from tuts4you (just google "tuts4you lena" and "tuts4you unpacking"). Hope you find these useful, good luck!





© Copyright S21sec 2013 - All rights reserved