A report by Malwarebytes' research team has unveiled a wave of attacks targeting Germany using a banking trojan named Gootkit. Gootkit's initial loader is an obfuscated JavaScript file with the functionality to download additional code from remote addresses over HTTP.
The whole attack chain, except for the initial JS file, is executed in memory (meaning it resides in memory or in the registry rather than on disk). Malwarebytes reports that in some cases Gootkit's final payload is REvil ransomware.

Minerva Labs has stopped Gootkit at one of our clients. The sample we encountered stored its malicious code inside an environment variable, which is then loaded by PowerShell.
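As an added example (not code from the Malwarebytes or Minerva reports), the following Python runs a simple hunting check over constructed process-creation events for the pattern described above: PowerShell executing content it reads from an environment variable, spawned by the Windows Script Host process that runs a JavaScript loader. Field names follow the shape of Sysmon Event ID 1; the command lines, variable names and paths are constructed samples, not IoCs from this post.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample process-creation events (Sysmon Event ID 1 shape); not real telemetry.
SAMPLE_EVENTS = [
    {  # JS loader under Windows Script Host spawning PowerShell that executes an env var
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -c "iex $env:xyz"',
    },
    {  # same staging idea, variable read via the Env: drive and a script-block constructor
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -nop -c [ScriptBlock]::Create((Get-Item Env:qq).Value)",
    },
    {  # benign: admin one-liner that only reads an env var, no execution primitive
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Write-Output $env:USERPROFILE"',
    },
    {  # benign: not PowerShell at all
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\u\notes.txt",
    },
]

# Ways PowerShell reads an environment variable, and primitives that turn a string into code.
ENV_REF = re.compile(r"\$env:|\bEnv:|GetEnvironmentVariable", re.IGNORECASE)
EXEC_PRIMITIVE = re.compile(r"\biex\b|Invoke-Expression|ScriptBlock\]::Create", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # hosts that run .js loaders


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like env-var-staged PowerShell execution (empty = clean)."""
    reasons: List[str] = []
    if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    cmd = ev["CommandLine"]
    if ENV_REF.search(cmd) and EXEC_PRIMITIVE.search(cmd):
        reasons.append("PowerShell executes content read from an environment variable")
    if ev["ParentImage"].lower().endswith(SCRIPT_HOSTS):
        reasons.append("spawned by Windows Script Host (script-file loader)")
    return reasons


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events with at least one reason, attaching the reasons for triage."""
    return [dict(ev, Reasons=r) for ev in events if (r := score_event(ev))]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["CommandLine"], "->", "; ".join(hit["Reasons"]))
```

In a real deployment the same two checks map onto Sysmon or Security 4688 command-line telemetry; the benign events show why the execution primitive, not the mere environment-variable reference, is the discriminating signal.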

IOCs:

Hashes:

6ee76de5123826003af8509e85efd6560f447b295d54a93d3f5f3deac8ccb7d4 (initial JavaScript loader)

C2 Addresses:

www.badminton-dillenburg[.]de

www.aperosaintmartin[.]com

www.alona.org[.]cy