Discovered in the wild in the summer of 2014, GootKit is believed to be
a privately held cybercrime tool that is not sold to other criminals in
underground forums and is operated by a closed gang. Considering its
stealth, data theft and browser manipulation capabilities, GootKit is
one of the most advanced banking Trojans active nowadays. It is used in
online banking fraud attacks that target consumer and business bank
accounts primarily located in Europe.

In online banking fraud attacks witnessed throughout 2016, GootKit’s
masters leverage this malware’s capabilities to infiltrate the endpoints
of retail and business banking customers, steal their personal
authentication credentials and manipulate their online banking sessions
with social engineering. They eventually take over those accounts and
transfer cash to mule accounts they control.

Beyond its overall modus operandi, GootKit is a malware project that
implements stealth and persistence alongside real-time, web-based
activities like dynamic web injections, which modify the banking website
as rendered in the infected machine’s browser. Since it is operated by
one gang, GootKit is believed to have its own in-house developers
focused on evolving its stealth mechanisms, security evasion techniques
and fraud capabilities.