On January 19, 2018, Juniper Threat Labs detected a Gootkit banking trojan at one of our customers sites. The file was hosted on a compromised golfing site, namely “carolinalakesgc[.]com”.
The specific urls where this malware where hosted are:
The threat actor was also able to upload several variations of the malware (different packers) on this compromised host for several days. This then allowed them to modify characteristics of the malware in order to avoid detection.
We observed that the threat actors were also active during this time, as they compromised another site to host this banking trojan.
This malware uses some unique anti-analysis and anti-sandboxing tricks. It also employs a new persistence method taking advantage of the Pending GPO feature. The malware spawns a suspended mstsc.exe (Remote Desktop Process) and injects itself into it. Before installing itself into the system, it performs several checks related to sandboxes and tools associated with malware analysis.
Anti-Sandbox, Anti-Analysis and More
Decrypt Strings at Runtime
After the sample is unpacked, strings of the sample are not visible to the analyst. Strings are still encrypted during runtime, which means even after dumping the process from the memory, strings are still encrypted. The analyst would have to debug or have a comprehensive API log or manually decrypt the strings. This would prevent some tools such as “memory dumpers” from identifying interesting strings.
Aside from this, the decryption routine uses “dummy APIs,” which don’t do anything. This technique could affect the output of sandboxes with API logging tools either by performance or analysis of the API logs. Below is a sample of how it decrypts the runtime.
Below are the list of dummy APIs that this variant used, many of which are in the USER32.dll library.
Process Hash Checking
To make it even harder for the analyst to figure out which processes it needs to check before installing, it uses CRC32 to hash the process name and compare it with the following hardcoded CRC32 hashes. If there is a match on any of the hashes, the malware will not install.
It checks if the data is in the registry key “HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString” has word “Xeon”
It checks if the following sandbox or debugging dlls are loaded:
It checks if the username is as follows:
It checks if the computer name is:
It checks if the registry entry “HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System” contains any of the following strings:
- “INTEL – 6040000”
It checks if the registry key
“HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\VideoBiosVersion” has the word “VirtualBox” in the data.
It also checks if the data in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SystemBiosVersion has any of the following values:
- “55274-640-2673064-23950” – associated with JoeBox
- “76487-644-3177037-23510” – associated with CWSandbox
- “76487-337-8429955-22614” – associated with CWSandbox
One noticeable characteristic of Gootkit is its use of environment variables, which act as a mini-config for the malware. The malware sets the following environment variables with these corresponding values:
standalonemtm = true
vendor_id = exe_scheduler_1235
Mainprocessoverride = svchost.exe
RandomListenPortBase = 6000
Interestingly, if it is found that the environment variable “crackmeololo” is set, it will skip all of the anti-sandbox and anti-analysis checks.
New Persistence Method
This Gootkit loader uses a unique persistence method that we haven’t seen on any other malware in the past. It takes advantage of using Pending GPO (Group Policy Object) to start on the next reboot.
First, it drops a copy of itself as %APPDATA%\Microsoft\Internet Explorer\mounper.exe. It also creates a file %APPDATA%\Microsoft\Internet Explorer\mounper.inf, which contains the following:
The .INF controls the execution of mounper.exe, similar to the autorun.inf seen on USB worms.
After dropping the necessary files, it creates the following registry. This, in effect, will trigger mounper.inf, which will execute mounper.exe on the next reboot.
After it passes all of the anti-sandbox checks, it communicates to the hardcoded CnC servers below via TCP port 80.
Communication to its CnC server is encrypted. Below is a snippet of the communication between the malware and the server.
The final payload is downloaded from the same CnC server and directly injected into a spawned svchost.exe. It also did a little fileless trick as it saves the final payload as an encrypted binary blob in the registry. The Gootkit main module is a dll injected to svchost.exe. It is a pretty large malware with lots of features.
It sets up a proxy that listens on port 6000 and redirects HTTP (port 80) and HTTPS (port 433) on the infected system. This allows the malware to have a man-in-the-browser capability that can steal your usernames and/or passwords on websites that you visit.
Unlike the loader which is heavily obfuscated, the payload strings are visible. We can easily spot some of its modules, such as Spyware module, “src_iedriver\\SpywareJSWrappers.cc”. This module has the following functions, which are indication of its capabilities such as injecting to the browser, taking screenshots, keylogging, downloading and executing other files.
Below are some of the other modules/functions you can find inside this malware. Among these are spyware, VM detection, browser injection, stealing credentials from FTP and MAIL clients/programs.
Indicators of Compromise
Juniper products detected this malware as follows: