The invisible enemy

Internet connection problems, inexplicable drops in performance, or the email server is on a blacklist - since the fourth quarter of 2020, there have been an increasing number of cases of German users of Windows computers reporting unspecific anomalies. Gootkit, a well-known banking Trojan, is back and is targeting German users in particular.

In most cases, victims do not notice that their computers have been compromised until, in the best case, they receive a message via their Internet service provider that one of their devices is communicating with a botnet. The checks made by the user afterwards using antivirus programs mostly show no infection, so the perplexity is great.

Gootkit is a banking Trojan that has been known since 2014. It has numerous malicious features to steal information from its victims' computers. This includes a keylogger functionality as well as the ability to record video of the screen or even remote access for the attackers.

In some cases, additional unwanted forwarding schemes were set up in email inboxes to drain them for subsequent phishing campaigns, for example. After a one-year hiatus, this Trojan is back with a new disguise.

The further development of this Trojan allows for a fileless existence on its victim's computer after gaining persistence. Thus, it does not exist as an independent file on the hard drive, but acts only in the main memory. In order to survive a computer restart, its obfuscated code is located in varying keys of the Windows registry. Thus, the Trojan manages to successfully hide itself from some intrusion prevention solutions and antivirus programs.

In the current wave of threats, criminals abuse third-party web servers with security vulnerabilities to display fake forum posts specifically tailored to their concerns to potential visitors via SEO poisoning. As a result, during an Internet search, especially for templates and patterns, the victim encounters a dynamically created, helpful-sounding forum post containing a file with the appropriate template for download. Here, one may notice that this file has the victim's search terms in the file name in order to sound attractive and unsuspicious.

Think actively

If this file is downloaded and then executed, the infection takes its course. The JavaScript program contained in the file connects to its command & control server unnoticed and downloads another script that contains the actual malware. In most cases, it is the fileless variant of the Gootkit Trojan.

However, in some cases, distribution of a variant of the REvil ransomware, which is also fileless, has been observed. REvil, also known as Sodinokibi, is distributed as Ransomware as a Service (RaaS) and belongs to the group of encryption Trojans with additional extortion through data leakage and disclosure.

If a computer has been infected with such fileless malware, professional help should be sought immediately to assess the extent of the damage and the effects of the malware. This is the only way to implement the correct cleanup measures afterwards.

In order to prevent an infection from occurring in the first place, the user must think actively. Can the origin and plausibility of an e-mail attachment or download be determined beyond doubt? If you are not sure, the general rule is: Move the mouse pointer away from the file!