
Minerva Labs Blog


Minerva Labs Stops An Attack By Gootkit Banking Trojan

A report by Malwarebytes' research team has unveiled a wave of attacks targeting Germany using a banking trojan named Gootkit. Gootkit's initial loader is an obfuscated JavaScript file that downloads additional code from remote addresses over HTTP.
The whole attack chain except the initial JS file is executed in memory: every later stage lives only in process memory or in the registry, with nothing further written to disk. Malwarebytes reports that in some cases Gootkit's final payload is REvil ransomware.

Minerva Labs has stopped Gootkit at one of our clients. The sample we encountered stored its malicious code inside an environment variable, from which PowerShell reads and executes it:


The malicious process tree as seen in Minerva’s Platform:
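A defender-side check for the staging pattern described above (PowerShell reading its payload out of an environment variable after being spawned by a script host), written as an added example and not Minerva's own detection logic; the event shape, field names, command lines and environment values below are constructed and assumed, not telemetry from this incident.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1-like shape.
# "env" stands in for the child's environment block, which many EDR sensors can expose.
SAMPLE_EVENTS = [
    {"pid": 100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"', "env": {}},
    {"pid": 101, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iex $env:stage"',
     "env": {"stage": "JAB" + "A" * 3000}},  # constructed: a large opaque blob standing in for a script
    {"pid": 102, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Write-Host $env:COMPUTERNAME"', "env": {}},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Invoke-Expression (or its iex alias) applied to an environment variable on the command line.
ENV_EVAL = re.compile(r"\b(?:iex|invoke-expression)\b.*\$env:", re.IGNORECASE)
# Crude "looks like encoded code" test: one long token drawn only from the base64 alphabet.
BLOB = re.compile(r"^[A-Za-z0-9+/=]{1024,}$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks like env-var-staged PowerShell; empty list if benign."""
    reasons = []
    if basename(ev["image"]) not in POWERSHELL:
        return reasons
    if basename(ev["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("powershell spawned by a script host")
    if ENV_EVAL.search(ev["cmdline"]):
        reasons.append("command line evaluates an environment variable")
    blobs = [name for name, value in ev["env"].items() if BLOB.match(value)]
    if blobs:
        reasons.append("oversized opaque environment variable(s): " + ", ".join(blobs))
    return reasons


def find_suspicious(events):
    """Map pid -> reasons for every event that trips at least two independent indicators."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits[ev["pid"]] = reasons
    return hits
```

Requiring two indicators keeps a lone administrator running `$env:` lookups from PowerShell out of the alert queue while still catching the script-host-to-PowerShell hand-off seen here.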

IOCs:

Hash (SHA-256):

6ee76de5123826003af8509e85efd6560f447b295d54a93d3f5f3deac8ccb7d4 (initial JavaScript loader)

C2 addresses:

www.badminton-dillenburg[.]de
www.aperosaintmartin[.]com
www.alona.org[.]cy
