Posted: April 29, 2019

Gootkit Description

Gootkit is a spyware program and banking Trojan that can exfiltrate your information or hijack your bank account. Its campaigns depend on corrupted e-mail attachments and links for circulating and include ongoing updates that focus on sophisticated anti-detection mechanisms. Since there are minimal symptoms of infections, victims should have anti-malware programs available for blocking or removing Gootkit, and re-secure their accounts and credentials afterward.

A Trojan Delivery in Extra-Fancy Packaging

The four-year-old Gootkit is a mostly-normal example of a banking Trojan with additional spyware properties in its payload, with campaigns running throughout Europe – such as Italy – and other areas. It can terminate processes at will, collect sensitive information like passwords, intercept or maliciously modify your Internet communications for hijacking bank accounts, or collect encryption credentials from tokens and removable drives. However, malware analysts are finding that it offers somewhat more exceptional meat to bite into its defenses.

Besides these privacy-demolishing attacks, recent versions of Gootkit show advancements in both maintaining itself in a protected environment and keeping security solutions from doing anything about it. The highlights include:

  • Packing provides Gootkit with some protection versus static threat-detecting rulesets.
  • Gootkit uses a sub-category of memory injection, process hollowing, for running inside of another memory process. Since the 'host' process isn't threatening, this configuration can let Gootkit circumvent various detection metrics.
  • Gootkit uses a 'Heaven's Gate' exploit for anti-debugging.
  • The Trojan also uses several string checks and other flags for determining whether it's in a virtual environment, in which case, it hibernates in an infinite loop.
  • Gootkit's last trick is a combination of Registry triggers and a same-named 'INF' file that gives it an auto-launching capability upon reboot. Malware experts are emphasizing this feature for its absence in all similar threats, banking Trojans and otherwise, to date.

Simple Resolutions against Complex Threats

Gootkit is a modest cornucopia of useful and innovative techniques for the cyber-security industry's further analysis. These features, however, do little about changing how it behaves against its victims, which typically are business sector workers. Its infection methods are using, as one, particularly prominent example, e-mail spam that's pretending that it's a failed delivery notification from a shipping service. The template includes well-designed social engineering components, such as the company's logo and native-fluency language.

Victims of Gootkit infections should operate under the assumption that passwords and similar credentials, as well as their bank accounts, are available for a remote attacker's misuse. They can take privacy re-securing steps such as changing their security information and contacting their bank after removing the threat from their computer. Be sure of running the most up-to-date version of your anti-malware solution's database before using it for deleting Gootkit, which may require other steps for blocking its auto-starting routine – for example, rebooting into Safe Mode.

Gootkit is a for-profit enterprise, rather than a state-sponsored one, but its code shows similar signs of leaps in tactical cleverness. Users who don't click on unexpected e-mail attachments will be far safer than anyone hoping that they'll identify a threat like this Trojan after the fact.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Gootkit may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Related Posts

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.