Banking Trojan tests new attack techniques against high-profile targets

Major banks targeted as hackers employ redirection attacks against the financial sector.
Written by Danny Palmer, Senior Writer

One of the world's most widespread forms of banking malware has taken on a more advanced form of attack in order to dupe customers of some of the most high-profile banks in the world into handing over financial details and login credentials.

Gootkit has been operating since at least summer 2014, and the banking malware is regarded by cybersecurity researchers as one of the more advanced financial Trojans active in the wild.

And now researchers at IBM X-Force have detailed how it has followed in the footsteps of the likes of Dridex and Trickbot by using a redirection attack scheme which is targeting business banking web applications.

The malware is working towards the same goal it always has - theft. But rather than using web injection attacks to control and modify what the infected user's device shows while they are using online banking, the hackers dupe victims into visiting a website that looks exactly like that of their bank - with what appears to be the correct URL and security certificates - but which is a false version of the site designed to steal credentials.

Gootkit knows which false website to use by monitoring the victim to determine which bank they use, and then redirecting the victim to a fake version of that bank's online site.

Redirection in this way works for hackers in two ways. Firstly, they have hijacked the victim before they have even reached the actual banking site and the additional security measures it might carry. Secondly, information security staff at the bank won't see any suspicious behaviour or holes in their own website, because the activity isn't there - the criminals are using a different website entirely.
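The article does not say how the redirection is performed on the infected machine, so the following is an added, defender-side example rather than anything from the IBM X-Force research. It assumes two checks a bank's fraud team or an endpoint tool might run: flagging local hosts-file entries that override a monitored banking domain, and comparing the certificate presented for that domain against a pinned SHA-256 fingerprint, which catches a lookalike site even when the URL in the address bar appears correct. The domains, IP addresses and fingerprints below are constructed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed: banking domains a defender wants to monitor.
MONITORED_DOMAINS = {"onlinebanking.example", "secure.bank-two.example"}

# Constructed: pinned SHA-256 fingerprints of each domain's genuine leaf
# certificate (DER encoding). A real deployment would load these from the
# bank's own certificate inventory.
GENUINE_CERT_DER = {
    "onlinebanking.example": b"constructed-genuine-cert-for-onlinebanking",
    "secure.bank-two.example": b"constructed-genuine-cert-for-bank-two",
}


def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


PINS: Dict[str, str] = {d: cert_fingerprint(c) for d, c in GENUINE_CERT_DER.items()}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: ip}, ignoring comments/blank lines."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_overrides(hosts_text: str, monitored=MONITORED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (domain, ip) pairs where a monitored bank domain is pinned locally.

    Any such entry bypasses DNS and is a strong signal of local redirection.
    """
    mapping = parse_hosts(hosts_text)
    return sorted((d, ip) for d, ip in mapping.items() if d in monitored)


def check_pin(domain: str, presented_der: bytes, pins: Dict[str, str] = PINS) -> bool:
    """True only if the presented certificate matches the pinned fingerprint."""
    expected = pins.get(domain)
    return expected is not None and cert_fingerprint(presented_der) == expected


def fetch_live_cert(domain: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER leaf certificate actually presented for `domain` (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample hosts file: one benign entry and one override of a bank domain.
SAMPLE_HOSTS = """
127.0.0.1   localhost
# normal local entries above; the next line is what a redirection would look like
203.0.113.7 onlinebanking.example   # constructed attacker-controlled address
"""

if __name__ == "__main__":
    for domain, ip in hosts_overrides(SAMPLE_HOSTS):
        print(f"ALERT hosts-file override: {domain} -> {ip}")
    # A lookalike site presents a different certificate, so the pin check fails.
    print(check_pin("onlinebanking.example", b"constructed-lookalike-cert"))
    print(check_pin("onlinebanking.example", GENUINE_CERT_DER["onlinebanking.example"]))
```

`fetch_live_cert` is included so the pin check can be run against a real connection from an endpoint; the rest runs offline on the constructed data.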

Gootkit's first targets in this new redirection scheme are UK banks, specifically the web applications of four major banks, in a similar way to what Trickbot did recently and what campaigns such as Dyre and Dridex have done previously.

But why are cybercriminals choosing the UK as the testing bed for new Trojan malware distribution? It's because UK banking security is likely held in high regard by cybercriminals, which means that if they can successfully hack targets in the UK, they can easily use the same tactics across the globe - especially in areas with much less robust infrastructure.

"Because the UK is considered to be an advanced threat protection geography, it is where we encounter the elite gangs with the more advanced capabilities," said Limor Kessem, executive security advisor at IBM and author of the blog post.

Gootkit is thought to be the work of a small Russian-speaking gang, but one which is a well-resourced, highly organised, professional outfit.
