ReaQta has found evidence of an active Gootkit trojan campaign focused on Italian government institutions. We have been tracking the campaign since the end of November 2018 and so far it has shown a very low detection rate.

The dissemination strategy relies on spear-phishing, targeting different government institutions under different subjects and sent from real email addresses apparently collected from the official websites of the institutions. The sender uses a PEC (certified email) address.
Subjects used:

  • Re: Approvazione ordine del giorno
  • Re: Notificazione ai sensi della legge n. 53 del 1994 e modifiche e integrazioni
  • POSTA CERTIFICATA: Re: AMM:Ministero Economia e Finanze AOO:DSII Protocollo numero:0004592 del 14/02/2018
  • Re: Modello DA2018 Tassone Cosimo

Government institutions targeted:

  • Comune di Sarcedo (comune.sarcedo.vi.it)
  • Comune di Quarto (www.comune.quarto.na.it)
  • Comune di Forino (comune.forino.av.it)
  • Comune di Vicenza (comune.vicenza.it)
  • Comune di Bevilacqua (comune.bevilacqua.vr.it)
  • Comune di Verona (comune.verona.it)
  • Comune di Belfiore (comune.belfiore.vr.it)
  • Comune di Caldiero (comune.caldiero.vr.it)
  • Comune di Bonavigo (comune.bonavigo.vr.it)
  • Comune di Pressana (comune.pressana.vr.it)
  • Comune di Thiene (comune.thiene.vi.it)
  • Comune di Zanè (comune.zane.vi.it)
  • Comune di Terrazzo (comune.terrazzo.vr.it)
  • Comune di Lavagno (comune.lavagno.vr.it)
  • Comune di Sarego (sarego.gov.it)
  • Comune di Zimella (zimella.com)
  • Comune di Minerbe (comune.minerbe.vr.it)
  • Comune di Veronella (comune.veronella.vr.it)
  • Comune di Mezzane di Sotto (comune.mezzane.vr.it)
  • Comune di Boschi Sant’Anna (comune.boschisantanna.vr.it)
  • Comune di Montecchio Precalcino (comune.montecchioprecalcino.vi.it)
  • Comune di Monteforte d´Alpone (comune.montefortedalpone.vr.it)
  • Comune di Albaredo d’Adige (comune.albaredodadige.vr.it)
  • Comune di San Germano dei Berici (comune.sangermanodeiberici.vi.it)
  • Agenzia Entrate Riscossione (agenziaentrateriscossione.gov.it)
  • Dipartimento dell’Amministrazione Generale del Personale e dei Servizi (dag.mef.gov.it)
  • Ordine dei Dottori Commercialisti e degli Esperti Contabili di Locri (dceclocri.it)
  • Regione del Veneto (regione.veneto.it)
Spear-Phishing attaching malicious ZIP file sent on December 5, 2018

The malicious email comes with a ZIP file attached. The archive contains two nested files: a malicious VBS file with a zero detection rate and a benign PDF used as a lure. We observed the following generic ZIP filenames in the wild:

  • Avviso_[random-number].zip
  • Document_[random-number].zip
  • fattura_elettronica___[random-number].zip
  • _Nuovi Fattura elettronica 2018__[random-number].zip

What attracted the attention of the ReaQta Threat Intelligence Team was the obfuscation method used in the malicious VBS file and the very low detection of the code involved in the first stage of this attack. We opened an investigation line focused on the analysis of twenty-four (24) malicious files.
At the time of analysis (December 3, 2018), only five (5) of the twenty-four samples were detected, each by a single antivirus engine. The remaining files were not detected by any other engine, whether static or ML based.

Malicious VBS file showing 0 detections on VirusTotal

At the end of the infection process, the malicious VBS file downloads the final payload, which is a variant of the well-known multi-functional banking Trojan Gootkit. The first and main focus of the analysis is the malicious VBS file and the dissemination strategy around it. The second part covers the final payload, though not in deep detail, as many other researchers and security companies have covered Gootkit at length in the past: this banking Trojan has been active for many years.

Infection strategy

The malicious VBS files, like the PDF file that comes with the attachment, have Italian names:

  • PREVENTIVO GIULIANO PORTE CANTINA E BOX 890
  • VETRERIA MARTELLI – 18mq 183
  • Eseguito Bonifico Europeo Unico
  • PREVENTIVO SCHELI STOP SECURITY
  • Conferma Ordine 2041 del 03_03_2018
  • Eseguito Pagamento MAV
  • Eseguito Pagamento RAV
  • Eseguito Pagamento Bollettino  Postale
  • F24 Ordinario
  • INVITO CORSO DI SECONDO LIVELLO
  • TASSE E IMPOSTE 2017
  • Notifica conferma e invio dichiarazione di Marco Monten
  • Richiesta preventivo attrezzatur
  • LETTERA ASSUNZIONE VIALE ANDREA ANGELO LUGLIO
  • Nuovi Fattura elettronica 2018

While Italy has been heavily targeted in the past month by these malicious VBS files, making them a not uncommon occurrence, what was interesting was the change in obfuscation used in this latest campaign, in addition to the incredibly low detection rate.
The following image compares a VBS used in the previous campaign (October/November) with the VBS used in the current campaign:

Different obfuscation methods used in malicious VBS files

The PDF file that accompanies the malicious script is the same in all cases: a publication of the “Consiglio Nazionale delle Ricerche – Istituto di Biometeorologia” dated November 30, 2011.

PDF document attached with the malicious VBS file

The malicious VBS files we studied contain between 3,537 and 4,253 lines of obfuscated code, used as part of the evasion process. This obfuscation is the main reason for the unusually low detection rate of the current Gootkit campaign.

Set of five malicious VBS files analyzed

The malicious VBS invokes PowerShell, which establishes a connection to the malicious server hosting the final payload. The payload is downloaded via a GET request to the path “/upll?[Random-number]”; the downloaded payload is saved in the %TEMP% folder and executed.
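The download step above leaves a recognisable trace in proxy or web-gateway logs. The following Python script is an added example (not ReaQta's code) that matches constructed, squid-style log lines (a hypothetical format: timestamp, client IP, method, URL, status, quoted User-Agent) against the indicators given in this report: the GET /upll?[number] path, the hosts and IPs listed under Network interactions and IOCs, and the two User-Agent strings at the end of the page. Because the campaign rotates hosts, the path pattern on its own is reported as a medium-severity hunting lead rather than discarded, and the User-Agent, a legitimate IE 7 string, only corroborates a hit.

```python
import re
from urllib.parse import urlsplit

# Hosts and IPs taken from the Network interactions and IOC sections of this report.
C2_HOSTS = {
    "amd.cibariefoodconsulting.it", "vps.cibariefoodconsulting.it",
    "dcc.fllimorettinilegnaegiardini.it", "icon.fllimorettinilegnaegiardini.it",
    "don.bikescout24.fr", "ricci.bikescout24.fr", "drk.fm604.com",
    "latest.hitweb.it", "team.hitweb.it", "job.hitjob.it",
}
C2_IPS = {"109.230.199.169", "185.120.144.147", "194.76.225.11",
          "209.85.226.10", "176.10.125.81"}

# The two User-Agent strings observed in the campaign (see the IOC section).
UA_TRIDENT4 = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
               ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
               "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
UA_TRIDENT7 = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
               ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
               "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)")
KNOWN_UAS = {UA_TRIDENT4, UA_TRIDENT7}

# Hypothetical log format: <epoch> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
                    r'(?P<status>\d+) "(?P<ua>[^"]*)"$')

# Constructed sample lines (not real traffic): two campaign downloads, one benign
# request, one /upll hit on an unknown host, and a non-download request to a known IP.
SAMPLE_LOG = "\n".join([
    f'1544000001.123 10.0.0.15 GET http://icon.fllimorettinilegnaegiardini.it/upll?184732 200 "{UA_TRIDENT4}"',
    '1544000002.456 10.0.0.22 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0"',
    f'1544000003.789 10.0.0.15 GET http://latest.hitweb.it/upll?9911 200 "{UA_TRIDENT7}"',
    '1544000004.000 10.0.0.31 GET http://cdn.example.net/upll?42 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/63.0"',
    f'1544000005.500 10.0.0.15 GET http://194.76.225.11/favicon.ico 404 "{UA_TRIDENT4}"',
])


def classify(line):
    """Return (severity, reasons) for one log line, or None when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS or host in C2_IPS:
        reasons.append("known_c2_host")
    # The payload fetch itself: GET /upll?<digits>, as described above.
    if m["method"] == "GET" and url.path == "/upll" and url.query.isdigit():
        reasons.append("upll_download_pattern")
    if m["ua"] in KNOWN_UAS:
        reasons.append("campaign_user_agent")
    if "known_c2_host" in reasons and "upll_download_pattern" in reasons:
        severity = "high"
    elif "known_c2_host" in reasons or "upll_download_pattern" in reasons:
        severity = "medium"  # hosts rotate, so the path alone is still worth a look
    else:
        return None  # the UA is a legitimate IE string; alone it proves nothing
    return severity, reasons


def scan(log_text):
    """Scan a whole log and return the matching lines with severity and reasons."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        result = classify(line)
        if result:
            hits.append({"line": number, "severity": result[0], "reasons": result[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, lines 1 and 3 come out as high, line 4 (unknown host, campaign path) and line 5 (known IP, no download) as medium; the benign Chrome request is ignored.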

Malicious instructions executed via PowerShell

ReaQta-Hive allows us to reconstruct the aforementioned sequence, clarifying the steps taken during the infection process:

ReaQta-Hive storyline (click to expand)

As seen in the previous image, the dropped file is named “SDWSCSvc.exe”. The name presumably mimics “SDWSCSvc.exe” (Windows Security Center Integration), a component of the security software Spybot – Search & Destroy produced by Safer-Networking, in what appears to be a trivial attempt to evade detection by visual scrutiny. As the IOCs section shows, however, the final Gootkit payload changes filename with each new propagation.
When the payload is executed, it generates an INF file with the same base name, used to control its execution. This activity is typical of one of the most sophisticated banking Trojans: Gootkit.

Gootkit INF file

The string “$CHICAGO$” in the INF file's Signature entry indicates that the file is valid for all Windows versions.
Also interesting is the persistence method: a value under the IEAK GroupPolicy PendingGPOs registry key that points to the dropped INF file, so that the INF is processed again after every reboot. This ensures the malware survives each restart.

HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs C:\Users\[USER]\AppData\Local\Temp\SDWSCSvc.inf
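To show what an endpoint detection for this chain could look like, here is an added Python example (not ReaQta-Hive logic or output) run over constructed telemetry. It assumes hypothetical event fields (type, pid, ppid, image, key, data) and that the VBS is launched by wscript.exe or cscript.exe, which the report does not state explicitly. It flags an executable run from %TEMP% whose parent is powershell.exe and grandparent a script host, flags an INF written under the IEAK PendingGPOs key, and correlates the two on the shared base name described above, so the noise of an ordinary Run key or an admin's PowerShell session does not fire.

```python
import ntpath
import re

# Constructed endpoint events modelled on the chain described above (hypothetical
# telemetry, not ReaQta-Hive output): wscript -> powershell -> %TEMP%\<name>.exe,
# then a PendingGPOs value pointing at %TEMP%\<name>.inf, plus two benign events.
EVENTS = [
    {"type": "process", "pid": 4012, "ppid": 3300,
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 4100, "ppid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 4188, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\SDWSCSvc.exe"},
    {"type": "registry", "pid": 4188,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs",
     "data": r"C:\Users\alice\AppData\Local\Temp\SDWSCSvc.inf"},
    # Benign noise: an installer's ordinary Run key.
    {"type": "registry", "pid": 900,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    # Benign noise: an admin's interactive PowerShell session.
    {"type": "process", "pid": 5000, "ppid": 3300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# A file directly inside the user's %TEMP% directory with an .exe or .inf extension.
TEMP_FILE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(exe|inf)$", re.IGNORECASE)
PENDING_GPOS = r"\software\microsoft\ieak\grouppolicy\pendinggpos"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _stem(path):
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def temp_exe_from_script_via_powershell(events):
    """Executables run from %TEMP% whose parent is powershell.exe and grandparent a script host."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for proc in procs.values():
        if not proc["image"].lower().endswith(".exe") or not TEMP_FILE.search(proc["image"]):
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or _name(parent["image"]) != "powershell.exe":
            continue
        grandparent = procs.get(parent["ppid"])
        if grandparent is None or _name(grandparent["image"]) not in SCRIPT_HOSTS:
            continue
        hits.append(proc["image"])
    return hits


def ieak_pending_gpo_infs(events):
    """INF paths in a user's %TEMP% written as values under the IEAK PendingGPOs key."""
    return [e["data"] for e in events
            if e["type"] == "registry"
            and e["key"].lower().endswith(PENDING_GPOS)
            and e["data"].lower().endswith(".inf")
            and TEMP_FILE.search(e["data"])]


def correlate(events):
    """Pair each dropped executable with a PendingGPOs INF that shares its base name."""
    infs = ieak_pending_gpo_infs(events)
    return [{"exe": exe, "inf": inf}
            for exe in temp_exe_from_script_via_powershell(events)
            for inf in infs if _stem(inf) == _stem(exe)]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("Script-dropped executable with IEAK PendingGPOs persistence:", alert)
```

Either signal on its own is a reasonable hunting query; the correlation on the base name is what turns them into a high-confidence alert, and it keeps working when the dropped filename changes between propagations, as the IOCs section shows it does.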

Network interactions

The malicious VBS files establish connections to several malicious hosts. According to our analysis the domains are Italian and French. The following list shows the IP/host relationships of this campaign:
The following hostnames resolve to 194.76.225.11:

  • icon.fllimorettinilegnaegiardini.it
  • dcc.fllimorettinilegnaegiardini.it
  • job.hitjob.it

The following hostnames resolve to 109.230.199.169:

  • vps.cibariefoodconsulting.it
  • ricci.bikescout24.fr
  • don.bikescout24.fr
  • drk.fm604.com

The following hostnames resolve to 176.10.125.81:

  • team.hitweb.it
  • latest.hitweb.it

Final words

Malicious scripts are increasingly common currency in new attacks; we see them as a fundamental part of many campaigns, from both cyber crime and sophisticated threat actors, as in the campaign targeting Qatar and Turkey, and often through LOLBins, as in the recent campaign delivering Ursnif.
In this case the very low detection rate shows that it is possible to build a low-detection attack with a vector well known to be used in malicious activity. One should therefore remain alert, as even these vectors can still deliver malware, such as Gootkit in our case, without being detected.
At ReaQta we are constantly working to improve the detection capabilities and incident management policies our solution provides, so that our customers benefit from both A.I.-led detection and proactive threat hunting. In cases like the one just analysed, combining processes based on Artificial Intelligence with dynamic behavioral analysis is essential to ensure early detection of new threats.

IOCs:

SHA256 of first-stage malicious VBS files: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
First-stage VBS filenames:
_2016_11_05 PREVENTIVO GIULIANO PORTE CANTINA E BOX 890.vbs
_2016_11_05 PREVENTIVO SCHELI STOP SECURITY 124.vbs
_20170717-Eseguito_Bonifico_Europeo_Unico_0000_1107576.vbs
_20170809-Eseguito_Bonifico_Europeo_Unico_0000_1107547.vbs
_20170912-Eseguito_Bonifico_Europeo_Unico_0000_1107514.vbs
_20180109-Eseguito_Bonifico_Europeo_Unico_0000_1107541.vbs
_20180411-Eseguito_pagamento_Bollettino_Postale_0000_110755 347.vbs
_20180530-Eseguito__pagamento_MAV_0000_1107560.vbs
_20180629-Eseguito_pagamento_Rav_0000_1107543.vbs
_20180730-Eseguito_Bonifico_Europeo_Unico_0000_110755 196.vbs
_20180808-Eseguito_Bonifico_Europeo_Unico_0000_1107549.vbs
_20180831-Eseguito_pagamento_Bollettino_Postale_0000_110755 130.vbs
_20180910-Eseguito_Bonifico_Europeo_Unico_0000_1107536.vbs
_20180915-Eseguito_pagamento_Bollettino_Postale_0000_1107547.vbs
_Conferma Ordine 1083 del 01_08_20166.vbs
_Conferma Ordine 2041 del 03_03_2018 259.vbs
_Conferma Ordine 395 del 17_01_20118.vbs
_Conferma Ordine 8535 del 03_08_2018 165.vbs
_Eseguito_Bonifico_Europeo_Unico_0000_110755 139.vbs
_F24 Ordinario_0000000043602515_20180207-1047552195.vbs
_INVITO CORSO DI SECONDO LIVELLO 283.vbs
_LETTERA ASSUNZIONE VIALE ANDREA ANGELO LUGLIO 2017 18.vbs
_Notifica conferma e invio dichiarazione di Marco Monten50.vbs
_Nuovi Fattura elettronica 2018__45.vbs
_TASSE_E_IMPOSTE_2017_08_230.vbs
_VETRERIA MARTELLI_18mq 182.vbs
_VETRERIA MARTELLI_18mq 183.vbs
Filenames and SHA256 of the dropped payloads:

taskhoste.exe
36285338fbe4f3f19e71de7a7af1f895c8537fd558bbe1974881a81e8ee452f9
5d57177bdf8bf813ce0699873cb9ea02c68fccd66bdce8ee0ce5561fa0c6147a
f45b5de2ccbb38595f630f1b356d5fa0e84f3c1ccc59fbcd1e8e605d08d6084c
SkypeApp64.exe
89e5eca139b66451b120d07d351323e809a427ae32f3e77e71bc5945276923c4
c849ad7db4eebd44692c77cfd7dc0caf4b6ad3611714ccb1549716f6d4b182be
tv_x64x32.exe
3a197cd3f7168168c74aed6b65652034c68e1addf7159aa3b663ce7ca0cf2977
4fae4fb8297a68b710b28b3738530cc57080180d52b76f01be866ea97f6ced08
6e5af2914ced1708448860c111d0cad4d6dcc3a221dee8e09436bddf42430980
8f4858eb6e517bb779aade0364bf1e434109e402241679ed4cb293351afa814c
be2ef8f6841ef4e086ac4cb34d65afaa52641d2ffbb902e1f6394065e262e157
cc64c9567925d29422f5f9086108ab9f8283e86c8be92be99c794049a972829f
e24ae4d40041b2219b6c0c50f9d46560dafbb3718897dbe33bebc6ffa1916d42
SMSvcHost32.exe
1695e30c0a789336aa8ac3c0dffd8be9eec4f620b4b4059a53bee46fb78ee0e3
68662866fbf031a7bea48b77ef8ab308c42c139badf61d33d251dce32d728a77
ed995db3fc430430b633a86a8090adbde28fdecf8b25169da94ca3e2016dd514
jucheckx64.exe
7f61c5c063171754b19a7ba05ab61ab681a0b6d03196179b369c08c074d489e9
b7a116087be47ec0ceaf24a42ae7b0c71c896570ee26614fa8a7249867c7daf1
SDWSCSvc.exe
1e62e03b7378edb981deb3caff73e178f5681e29cd84d576f56605766093cc3b
Malicious hosts/IPs:
amd[.]cibariefoodconsulting[.]it
vps[.]cibariefoodconsulting[.]it
dcc[.]fllimorettinilegnaegiardini[.]it
icon[.]fllimorettinilegnaegiardini[.]it
don[.]bikescout24[.]fr
ricci[.]bikescout24[.]fr
drk[.]fm604[.]com
latest[.]hitweb[.]it
team[.]hitweb[.]it
109.230[.]199.169
185.120[.]144.147
194.76[.]225.11
209.85[.]226.10
User-Agent strings observed:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)