Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.
GootKit
GootKit is a mature banking Trojan that has been active for more than half a decade and is centered on banking credential theft.
Profile source: Mallory opens in a new tabGootKit
Family profile
GootKit is a mature banking Trojan that has been active for more than half a decade and is centered on banking credential theft. The content also describes it as a highly evasive information stealer and remote access Trojan (RAT) used to establish a persistent foothold in victim environments. Once established, GootKit can be used for follow-on exploitation, including deployment of ransomware and tools such as Cobalt Strike.
GootKit is closely associated with the GootLoader delivery ecosystem. Multiple sources in the content distinguish GootLoader from GootKit while noting that GootLoader historically delivered GootKit and continues to use trojanized SEO/SEO-poisoning techniques and compromised websites to lure victims into executing obfuscated JavaScript downloaders. In observed chains, GootLoader infections involved ZIP archives containing JavaScript, persistence via scheduled tasks or registry/PowerShell mechanisms, and later-stage activity consistent with GootKit delivery. The content also notes GootKit/Jasper infection chains, including a September 26 variant in which the third-stage payload was swapped for FTCODE ransomware.
Distribution methods mentioned for GootKit include malicious SEO, trojanized search results, spam botnets such as Cutwail, exploit kits including RIG and Nebula, and delivery by other malware families or loaders such as Emotet, BrushaLoader, and Storm-0324 campaigns. Storm-0324 is specifically noted as having distributed GootKit among other first-stage payloads since at least 2016. Proofpoint content also lists GootKit among payloads delivered by TA547, and Emotet was observed delivering GootKit as a third-party payload.
The malware is associated with e-banking fraud activity and has been described as an e-banking Trojan. The content further notes that banking malware such as GootKit has used HVNC-style capabilities for banking fraud. One source places GootKit activity in Canada in BrushaLoader-related observations. Another notes that Red Canary historically saw GootKit as a frequent top-10 threat before it temporarily disappeared from their March view.
High-confidence behavioral details directly stated in the content include banking credential theft, information stealing, RAT functionality, persistence, and use as a platform for additional payload deployment including ransomware and Cobalt Strike. No single authoritative IOC set for GootKit itself is provided in the content, though related delivery chains reference artifacts such as obfuscated JavaScript stages, scheduled tasks, registry persistence, and malware detections including Trojan:Win32/Gootkit and JS/Gootkit-AW.
Reported operators
Threat actors
2 named in public reportingStorm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... Gootkit, a banking trojan
MITRE ATT&CK
GootKit in ATT&CK
21 distinct techniquesTechniques
21 techniquesReporting
Research mentioning GootKit
GootLoader Malware Exploits Windows ZIP Handling with 1,000-Part Nested Archives to Evade Detection
The loader is commonly used to deliver ransomware, Cobalt Strike, Gootkit, Osiris, and Sodinokibi payloads.
“Gootloader” expands its payload delivery options | SOPHOS
The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft.
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign | SOPHOS
If the malware remains undetected on the victim’s machine, it makes way for a second-stage payload known as GootKit, which is a highly evasive info stealer and remote access Trojan (RAT) used to establish a persistent foothold in the victim’s network environment. GootKit can be used to deploy ransomware or other tools, including Cobalt Strike, for follow-on exploitation.
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign | SOPHOS
GootKit, which is a highly evasive info stealer and remote access Trojan (RAT) used to establish a persistent foothold in the victim’s network environment. GootKit can be used to deploy ransomware or other tools, including Cobalt Strike, for follow-on exploitation.
Vanilla Tempest: The Threat Actor Behind Recent Hospital Ransomware Attacks
"GootKit is a banking Trojan, and GootLoader did initially load GootKit..."
Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog
Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... Gootkit, a banking trojan
Intelligence Insights: April 2022
Gootkit, another typical top 10 mainstay, disappeared entirely from our view in March. Gootkit relies on trojanized search engine optimization (SEO) social engineering techniques, similar to Yellow Cockatoo.
Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)
Another Version of the Gootkit/Jasper combo surfaced on September 26th when they swapped out the 3rd stage payload with FTCODE.