A campaign of redirection attacks – targeted at major European banks – has been observed recently, involving the GootKit malware. After an initial test phase targeting some British banks, customers of some Spanish, Italian and French banks are currently being hit by the campaign.
GootKit malware, known since 2010, has changed its “modus operandi” over the years, introducing new and increasingly sophisticated attack techniques. The malware is delivered to victims via spam/phishing messages carrying a first-stage object called a dropper: once activated, it downloads the actual malware, effectively infecting the target system.
The peculiarity of the latest attack technique, called redirection, lies in gaining full control over the victim’s browser to divert browsing toward attacker-controlled web pages: when the victim tries to visit a bank web portal, they are redirected to a forged, identical ad-hoc page, allowing the attacker to capture the credentials entered there. Redirection attacks can be considered the “evolution” of web injection attacks, resulting in the complete hijacking of the victim’s web browsing.
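As an added example (not part of the original post), the following detector looks for the redirection pattern described above in constructed proxy log lines: a client reaches a legitimate bank portal and, within a few seconds, lands on a lookalike host. The bank host, log format, time window and similarity threshold are assumptions.

```python
import re
from datetime import datetime
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp, client, method, URL, status); illustrative only.
LOG_LINES = [
    "2024-01-01T10:00:00 10.0.0.5 GET https://www.examplebank.example/login 200",
    "2024-01-01T10:00:02 10.0.0.5 GET https://www.examp1ebank.example/login 200",
    "2024-01-01T10:00:10 10.0.0.7 GET https://www.examplebank.example/login 200",
    "2024-01-01T10:00:15 10.0.0.7 GET https://www.examplebank.example/accounts 200",
    "2024-01-01T10:05:00 10.0.0.9 GET https://news.example/ 200",
]

# Hypothetical set of legitimate bank portal hosts to protect.
BANK_HOSTS = {"www.examplebank.example"}
WINDOW_SECONDS = 30        # a redirect must land this soon after the bank visit
LOOKALIKE_THRESHOLD = 0.8  # string similarity above which a host counts as a lookalike
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, client, host) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    return datetime.fromisoformat(ts), client, urlparse(url).hostname

def is_lookalike(host, bank_hosts=BANK_HOSTS, threshold=LOOKALIKE_THRESHOLD):
    """True when host is not a bank host but closely resembles one."""
    if host in bank_hosts:
        return False
    return any(SequenceMatcher(None, host, b).ratio() >= threshold for b in bank_hosts)

def find_redirections(lines, bank_hosts=BANK_HOSTS, window=WINDOW_SECONDS):
    """Return (client, bank_host, lookalike_host) for bank visits followed by a lookalike host."""
    last_bank_visit = {}  # client -> (timestamp, bank_host)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        if host in bank_hosts:
            last_bank_visit[client] = (ts, host)
            continue
        prev = last_bank_visit.get(client)
        if prev and (ts - prev[0]).total_seconds() <= window and is_lookalike(host, bank_hosts):
            alerts.append((client, prev[1], host))
    return alerts
```

Running `find_redirections(LOG_LINES)` flags only client 10.0.0.5, whose bank login is followed two seconds later by a request to a near-identical hostname.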
At the moment, the names of the Italian banks involved are not publicly known, as no sample of the second stage (the actual malware) is currently available.
The Lutech Cyber Threat Intelligence team has performed a detailed analysis of a dropper sample, identifying some call-back domain markers (IoC); we assess these as C&C systems used by the attackers to deliver malicious code and track infection activity.
The identified domains/URLs are:
Our team is following the evolution of this security scenario, with the intent of retrieving a proper malware sample for further analysis, in order to obtain more information on the impacted Italian banks and the related technical details.
Lutech Cyber Threat Intelligence Team