According to a research report published by a security firm, the highly destructive GootKit Banking Trojan has received a massive update that changes how this nasty malware operates. GootKit Banking Trojan is an infamous piece of malware that first appeared in 2014. Unlike other threats in the same malware family, its source code has never been leaked online, nor has it been distributed through a Malware-as-a-Service model. The malware was designed by highly skilled cyber offenders who keep full control over when and whom GootKit Banking Trojan targets, and so far it has mainly been aimed at the customers of European banks.
Most other banking Trojans target a bank's regular customers, but GootKit Banking Trojan specifically infects high-end business customers, with the objective of compromising larger accounts and stealing larger sums of money from them. To gather banking credentials from the victim's system, the malware uses conventional web injects that alter the appearance of banking sites inside the browser of the affected computer. One important point to know is that the operators of GootKit Banking Trojan regularly update its source code, which helps the threat remain undetected by anti-virus vendors.
GootKit Banking Trojan: Now Uses Scheduled Tasks and Hides in the SVCHOST Process
Only a few professional banking Trojans receive this kind of ongoing development, and GootKit Banking Trojan is one of them. A cyber security firm detected a large number of changes to the malware's source code and mode of operation that make anti-virus detection considerably harder. First, the malware has changed its installation method: instead of modifying registry entries, it now persists through scheduled tasks that run in the background, a technique that works from both administrator accounts and LUA (Least-privilege User Accounts). In addition, the updated version of GootKit Banking Trojan is capable of injecting malicious DLL files into the "svchost.exe" process.
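As an added example that is not from the article or the report it cites, the following PowerShell audit looks for the two traits described above on a Windows host: enabled scheduled tasks, for any account, whose action runs from outside the OS and program directories, and modules loaded in svchost.exe that live outside those directories. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and an elevated session so every user's tasks and every svchost instance can be inspected.

```powershell
# Added example, not code from the article or the cited report. Assumes Windows 8 /
# Server 2012 or later (ScheduledTasks module) and an elevated PowerShell session.

$trustedDirs = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop the x86 entry on 32-bit Windows

function Test-OutsideTrustedDirs {
    # True when the executable or module path is not under the OS or program directories.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($dir in $trustedDirs) {
        if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

# 1. Enabled scheduled tasks, for admin and standard-user principals alike, whose
#    action executes something from outside the trusted directories.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-OutsideTrustedDirs $action.Execute)) {
            [PSCustomObject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunAs     = $task.Principal.UserId
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}

# 2. Modules loaded into any svchost.exe that do not come from the trusted directories;
#    a DLL injected from a user-writable location such as %APPDATA% shows up here.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $modules = $proc.Modules } catch { return }   # skip hosts we cannot open
    foreach ($m in $modules) {
        if (Test-OutsideTrustedDirs $m.FileName) {
            [PSCustomObject]@{ Pid = $proc.Id; Module = $m.FileName }
        }
    }
}
```

A hit is a lead for manual triage, not proof of infection: legitimate installers also create tasks under %APPDATA% or %ProgramData%, so check the task's author, creation time and the file's signature before acting.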
Checks Multiple Times for VM Environments
One of the biggest changes made to the operation of GootKit Banking Trojan is the addition of VM checks, a feature that many cyber offenders have been adding to their malware. In a VM check, the Trojan inspects the environment variables for common names associated with virtual systems, since virtual machines are the environment usually employed by anti-virus vendors and security experts for reverse engineering. The malware uses a two-stage VM checking procedure. According to the research report, the Trojan primarily targets banks in the UK and France, and a few banks in Spain and Italy are also affected by GootKit Banking Trojan.