Reverse engineering Gootkit

Gootkit – in some places also referred to as Xswkit – is a banking malware written almost entirely in javascript. In this blog post we will go through reverse engineering the malware to the extent that we are able to decrypt its webinject configuration file, that is, the file which contains further instructions about its targets and about how to attack them.

Gootkit arrives on an infected machine by way of a relatively small loader – a Windows executable – which, after performing virtual machine detection, downloads the Node.js engine bundled with the malware code. This part of the malware is quite heavy, reaching almost 5Mb in size. The javascript code inside is well hidden and encrypted with the RC4 algorithm. So let’s kick off the analysis with one of these loader samples (MD5 b29089669c444cbdb62d89bf0e3c9ef8).

After successfully unpacking, we should be standing at the original entry point at address 4040C7:

Next, we spot an aPLib decompression routine. Note the magic header check of the DWORD ‘AP32’ in little-endian order:
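Knowing the magic that the loader checks, an analyst can locate aPLib-packed blobs in a dump without single-stepping the routine. The following is an added example, not code from the original post or from Gootkit itself; it assumes the standard aPLib "safe" header layout (the ‘AP32’ tag followed by header size, packed size, packed CRC32, original size and original CRC32, all little-endian DWORDs) and runs on a constructed sample buffer:

```python
import struct
import zlib

APLIB_MAGIC = b"AP32"
APLIB_HEADER_LEN = 24  # assumed aPLib safe header: tag + five little-endian DWORDs

def parse_aplib_header(buf: bytes, offset: int):
    """Parse an aPLib safe header at `offset`; return a dict or None if invalid."""
    if buf[offset:offset + 4] != APLIB_MAGIC:
        return None
    if offset + APLIB_HEADER_LEN > len(buf):
        return None
    (_tag, header_size, packed_size, packed_crc,
     orig_size, orig_crc) = struct.unpack_from("<4sIIIII", buf, offset)
    if header_size != APLIB_HEADER_LEN:
        return None  # tag matched by chance; not a real header
    start = offset + header_size
    packed = buf[start:start + packed_size]
    if len(packed) != packed_size:
        return None  # declared packed size runs past the buffer
    return {
        "offset": offset,
        "packed_size": packed_size,
        "orig_size": orig_size,
        # aPLib's CRC is the standard CRC-32, so zlib.crc32 can verify it
        "packed_crc_ok": zlib.crc32(packed) == packed_crc,
        "orig_crc": orig_crc,
    }

def find_aplib_blobs(buf: bytes):
    """Scan a binary image for every plausible aPLib safe-header blob."""
    found = []
    pos = buf.find(APLIB_MAGIC)
    while pos != -1:
        hdr = parse_aplib_header(buf, pos)
        if hdr is not None:
            found.append(hdr)
        pos = buf.find(APLIB_MAGIC, pos + 1)
    return found

def build_sample() -> bytes:
    """Constructed test image: a stray 'AP32' tag, then one well-formed header."""
    packed = b"\x4d\x5a\x90\x00" + bytes(range(32))  # constructed, not real packed data
    header = struct.pack("<4sIIIII", APLIB_MAGIC, APLIB_HEADER_LEN, len(packed),
                         zlib.crc32(packed), 4096, 0xDEADBEEF)
    return b"\x00" * 16 + b"AP32junk" + header + packed + b"\x00" * 8

if __name__ == "__main__":
    for blob in find_aplib_blobs(build_sample()):
        print(blob)
```

The stray tag in the sample is rejected because its header-size field is not 24, which is the same sanity check you would want before trusting a carved blob from a real dump.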

Placing a breakpoint at this address and dumping the content of the decompressed buffer, we find another tiny embedded executable which is later injected into explorer.exe. This binary indeed contains suspicious strings related to VM detection:

An interesting fact is that this check can be controlled by an environment variable. The malware authors must have reserved this feature for themselves for testing purposes, but we can benefit from it too:

What we see here is a check for the presence of the environment variable “crackme”. A checksum of its value is then calculated, and if it matches a certain value the VM detection is skipped. The checksum is a variant of the well-known CRC32 algorithm. It did not take long to crack it: ‘aHzkxc’ is a value that Gootkit gladly accepts.

The malware uses a hardcoded User-Agent string, which is checked by the C&C server. Further payloads are downloaded from the following URLs:

  • hxxps://lovemeating.space:80/rbody320 (its purpose is not yet known)
  • hxxps://lovemeating.space:80/rpersist2/56080258 (may be persistence module)
  • hxxps://lovemeating.space:80/rbody32 (core)

It uses an HTTPS connection over port 80 to communicate. These payloads are decompressed with the RtlDecompressBuffer API.

Next we turn our attention to the decompressed DLL ‘rbody32’ (MD5 d17f99eab2d8c6f3eb7b7f25b7631976), which is around 5Mb in size due to being linked with the Node.js engine. We can observe various references to what look like embedded javascript files:

These records contain offset and size information about each individual script file. The complete list of the embedded script files is given in the table below; their names give us a pretty good guess about what each one does:

addressparser.js
assert.js
buffer.js
certgen.js
chardet.js
child_process.js
clienthttp.js
client_proto_cmdterm.js
client_proto_fs.js
client_proto_ping.js
client_proto_registration.js
client_proto_socks.js
client_proto_spyware.js
cluster.js
config_processor.js
console.js
constants.js
crypto.js
dgram.js
dns.js
domain.js
encoding.js
events.js
FastBufferList.js
freelist.js
fs.js
generate_function.js
generate_object_property.js
gootkit_crypt.js
http.js
https.js
http_injection_stream.js
imap_client.js
inconvlite.js
internalapi.js
keep_alive_agent.js
line_reader.js
mailparser.js
mail_spyware.js
malware.js
meta_fs.js
mime.js
mimelib.js
module.js
net.js
node.js
os.js
packet.js
path.js
pop3_client.js
protobuf_compile.js
protobuf_encodings.js
protobuf_schema.js
protobuf_schema_parse.js
protobuf_schema_stringify.js
protobuf_schema_tokenize.js
protocol_buffers.js
punycode.js
querystring.js
readline.js
repl.js
saved_creds.js
sax.js
signed_varint.js
smalloc.js
spyware.js
sqlite3.js
starttls.js
stream.js
streams.js
string_decoder.js
suspend.js
sys.js
tar_stream.js
timers.js
tls.js
tracing.js
tty.js
tunnel.js
url.js
utf7.js
util.js
utils.js
uue.js
varint.js
vm.js
vmx_detection.js
windows.js
xz.js
zeusmask.js
zlib.js
_http_agent.js
_http_client.js
_http_common.js
_http_incoming.js
_http_outgoing.js
_http_server.js
_linklist.js
_stream_duplex.js
_stream_passthrough.js
_stream_readable.js
_stream_transform.js
_stream_writable.js
_tls_common.js
_tls_legacy.js
_tls_wrap.js


As a courtesy, you can download these files from GitHub.

One thing to note is that in these scripts we often find function calls that are OS dependent and are not part of the native Node.js engine, such as Windows registry manipulation, process injection, or hooking, which is vital for today’s banking malware in order to deceive the web browser. Those functions have been implemented in C++ and exported through an interface, making them available for use from javascript.

Okay, straight to the point. Where are the webinjects stored?

In ‘client_proto_spyware.js’ we can find a reference to a registry key:

Checking that registry key, we can see encrypted binary content:

Tracking this value in the scripts, we find references to a magical function called ‘encryptDecrypt()’. However, we cannot seem to find where it is actually implemented. Of course, remember: some parts of the malware are still implemented in C++. Looking at rbody32, we can spot the decryption routine, which turns out to be a rather simple XOR with some division and multiplication:

Here at S21sec we have collected numerous samples of Gootkit, and what we have observed is that the countries most affected by this threat are France and Italy. Its targets include, among others, Societe Generale, Banque Populaire, Le Credit Lyonnais, BNP Paribas, BTP Banque, Credit Cooperatif, Inbank, Banca Popolare di Milano, Credito Valtellinese, BPER Gruppo, Credem, Istituto Centrale delle Banche Popolari Italiane, Raiffeisen, Banca Popolare di Ancona, Banca Mediolanum, Intesa Sanpaolo, Banca Comerciala Romana, Chase, SwedBank, …
