Figure 1: Angler EK dropping Gootkit (2014-09-23)
Figure 2: Bedep dropping Gootkit (2014-12-10)
Gootkit has been observed targeting credentials for customers of a range of French financial institutions, including Crédit Mutuel, BNP Paribas, Le Crédit Lyonnais, Crédit Agricole, Société Générale, BTP Banque, and Crédit Coopératif. In March 2015, this distribution expanded to include customers of French and Italian banks through spam campaigns  that are still ongoing.
Here is an example of an email and accompanying Word doc used to deliver Gootkit to Italian targets in December of 2015.
Figure 3: Email used to deliver Gootkit (2015-12-14)
Figure 4: Word document used to deliver Gootkit (2015-12-14)
This expansion continued in late October, as Proofpoint researchers observed Gootkit being dropped by Angler EK through multiple infection paths in Canada. Since 2015-11-26, Gootkit has also been seen dropped in Great Britain via Angler EK at the end of a malvertising infection chain.
Figure 5: Gootkit dropped by Angler EK in Great Britain at the end of a Malvertising chain (2015-12-13)
Figure 6: Snippet of UK-focused injects tied to sample 58aeefd4700af5cb1db1f5603025a5ec
Configs from the UK-focused injects (Fig. 6) show that these latest payloads are attempting to capture information from customers of a range of financial institutions that are based or operate in the UK, including Paypal, Santander, Natwest, Ulster Bank, Royal Bank of Scotland, and Barclays.
This expanded targeting follows a trend we have observed in recent months, as threat actors seek to reach new victims by shifting their distribution to new regions and verticals. With Gootkit finally crossing the Channel it would not be surprising to see it in other regions in the near future, as well as to see other malware with limited geographic presence (such as Shifu) jump on this trend.
 Analyzing Gootkit's persistence mechanism (new ASEP inside!) - 2015-04-13 - CERTSG - http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html
 Win32/Xswkit (alias Gootkit) - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669
 Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority - 2015-03-30 - http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/
 “Hey Brian, Heya Homer, fancy meeting you here!” – Zeus Gootkit, 2014 AD - 2014-08-07 - CertLexsi https://www.lexsi.com/securityhub/hey-brian-heya-homer-fancy-meeting-you-here-zeus-gootkit-2014-ad/?lang=en
Indicators of Compromise (IOC’s)
6195950991475ec363f53b2c570469512b8e4a1995db73056cff39251c211dff - 2015-08-26 - CAN
a24c9996913ecbe2af183e5ac3d176f869ed62e15a31deb2dc2ea947900432c3 - 2015-11-26 - GBR
cb55bd4ee66ee8fcbda9f0f15192406bb1d089bc72a0f121395fafc8e04cb0e8 - 2015-12-02 - CAN
532bd85487ce3c16654d21c6425f6f728430d50e47e802b332ea82ae0511adca - 2015-12-13 - GBR
3922F2317BE8D0420F1DC938A633B3243D938FC0098A528D70B89C2D2F080C5C - 2015-12-21 - ITA
C2 server addresses:
swysocki77.com - 188.8.131.52
robertpouslen12494.pw - 184.108.40.206
domolor.com - 220.127.116.11
babosikimne.com - 18.104.22.168
babosikidai.com - 22.214.171.124
vaillantsawer.com - 126.96.36.199 188.8.131.52
abc.doitgraphic.org - 184.108.40.206
ET Open and Pro rules:
2022257 || ET TROJAN Possible Gootkit CnC SSL Cert M5
2022256 || ET TROJAN Possible Gootkit CnC SSL Cert M4
2022255 || ET TROJAN Possible Gootkit CnC SSL Cert M3
2022253 || ET TROJAN Possible Gootkit CnC SSL Cert M1
2019907 || ET CURRENT_EVENTS Gootkit SSL Cert Dec 10 2014
2022259 || ET TROJAN Possible Gootkit CnC SSL Cert M7
Subscribe to the Proofpoint Blog