Skip to content
Malware family

GootKit

GootKit is a mature banking Trojan that has been active for more than half a decade and is centered on banking credential theft.

Profile source: Mallory opens in a new tab

GootKit

Family profile

GootKit is a mature banking Trojan that has been active for more than half a decade and is centered on banking credential theft. The content also describes it as a highly evasive information stealer and remote access Trojan (RAT) used to establish a persistent foothold in victim environments. Once established, GootKit can be used for follow-on exploitation, including deployment of ransomware and tools such as Cobalt Strike.

GootKit is closely associated with the GootLoader delivery ecosystem. Multiple sources in the content distinguish GootLoader from GootKit while noting that GootLoader historically delivered GootKit and continues to use trojanized SEO/SEO-poisoning techniques and compromised websites to lure victims into executing obfuscated JavaScript downloaders. In observed chains, GootLoader infections involved ZIP archives containing JavaScript, persistence via scheduled tasks or registry/PowerShell mechanisms, and later-stage activity consistent with GootKit delivery. The content also notes GootKit/Jasper infection chains, including a September 26 variant in which the third-stage payload was swapped for FTCODE ransomware.

Distribution methods mentioned for GootKit include malicious SEO, trojanized search results, spam botnets such as Cutwail, exploit kits including RIG and Nebula, and delivery by other malware families or loaders such as Emotet, BrushaLoader, and Storm-0324 campaigns. Storm-0324 is specifically noted as having distributed GootKit among other first-stage payloads since at least 2016. Proofpoint content also lists GootKit among payloads delivered by TA547, and Emotet was observed delivering GootKit as a third-party payload.

The malware is associated with e-banking fraud activity and has been described as an e-banking Trojan. The content further notes that banking malware such as GootKit has used HVNC-style capabilities for banking fraud. One source places GootKit activity in Canada in BrushaLoader-related observations. Another notes that Red Canary historically saw GootKit as a frequent top-10 threat before it temporarily disappeared from their March view.

High-confidence behavioral details directly stated in the content include banking credential theft, information stealing, RAT functionality, persistence, and use as a platform for additional payload deployment including ransomware and Cobalt Strike. No single authoritative IOC set for GootKit itself is provided in the content, though related delivery chains reference artifacts such as obfuscated JavaScript stages, scheduled tasks, registry persistence, and malware detections including Trojan:Win32/Gootkit and JS/Gootkit-AW.

Reported operators

Threat actors

2 named in public reporting
TA547

Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.

Storm-0324

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... Gootkit, a banking trojan

MITRE ATT&CK

GootKit in ATT&CK

21 distinct techniques

Reporting

Research mentioning GootKit

Jan 19
Rescana

GootLoader Malware Exploits Windows ZIP Handling with 1,000-Part Nested Archives to Evade Detection

The loader is commonly used to deliver ransomware, Cobalt Strike, Gootkit, Osiris, and Sodinokibi payloads.

Jan 1
Sophos Threat Research

“Gootloader” expands its payload delivery options | SOPHOS

The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft.

Jan 1
Sophos Threat Research

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign | SOPHOS

If the malware remains undetected on the victim’s machine, it makes way for a second-stage payload known as GootKit, which is a highly evasive info stealer and remote access Trojan (RAT) used to establish a persistent foothold in the victim’s network environment. GootKit can be used to deploy ransomware or other tools, including Cobalt Strike, for follow-on exploitation.

Jan 1
Sophos Threat Research

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign | SOPHOS

GootKit, which is a highly evasive info stealer and remote access Trojan (RAT) used to establish a persistent foothold in the victim’s network environment. GootKit can be used to deploy ransomware or other tools, including Cobalt Strike, for follow-on exploitation.

Oct 23
Thecyberwire

Vanilla Tempest: The Threat Actor Behind Recent Hospital Ransomware Attacks

"GootKit is a banking Trojan, and GootLoader did initially load GootKit..."

Sep 12
Microsoft General

Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... Gootkit, a banking trojan

Apr 21
Red Canary

Intelligence Insights: April 2022

Gootkit, another typical top 10 mainstay, disappeared entirely from our view in March. Gootkit relies on trojanized search engine optimization (SEO) social engineering techniques, similar to Yellow Cockatoo.

Oct 2
Dissecting Malware

Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)

Another Version of the Gootkit/Jasper combo surfaced on September 26th when they swapped out the 3rd stage payload with FTCODE.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.