Gootkit

Description

Gootkit, also known as Waldek, is a malware bot used primarily to steal user credentials for financial fraud. It harvests information such as online banking logins and credit card numbers from the infected machine and sends it back to its controllers.

Symptoms

Some possible symptoms include, but are not limited to:

  • Creation of an autorun entry in the Windows registry so that the malware runs at startup
  • Connections to known C&C IP addresses, or a spike in peer-to-peer traffic, which may indicate Gootkit retrieving additional commands or instructions
  • Regular creation of a new copy of the malware under a different file name, followed by deletion of the previous copy

Analysis

Gootkit is a JavaScript-based malware bot designed to steal financial credentials. It can inject code into web pages, log keystrokes, and take screenshots or video clips, and it sends the captured information back to its controllers via email.

To evade antivirus detection, Gootkit periodically rewrites itself to a new file with a unique name and deletes the previous copy.
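The symptoms listed above (autorun entry, C&C or peer-to-peer traffic, and the periodic rewrite-and-delete cycle described in the previous paragraph) can be turned into host-based detection logic. The following is an added example, not code from the original page or from Fortinet: a small behavioural detector run over constructed, Sysmon-shaped event records. The event dictionaries, the `KNOWN_C2_IPS` set (TEST-NET addresses, not real indicators), the `P2P_PEER_THRESHOLD` value and the file paths are all assumptions made for the example.

```python
"""Behavioural detector for Gootkit-style symptoms (added example, constructed data)."""
from collections import defaultdict

# Placeholder indicator list (TEST-NET addresses, not real C2); a real deployment
# would load these from a threat-intelligence feed instead.
KNOWN_C2_IPS = {"203.0.113.10", "198.51.100.7"}

# Substrings that identify Run/RunOnce keys and user-writable drop locations.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
P2P_PEER_THRESHOLD = 20  # distinct destination IPs per process before it counts as a spike (assumed)


def detect(events):
    """Return a list of (rule, detail) findings for an iterable of event dicts."""
    findings = []
    created = defaultdict(list)   # creator image -> executables it wrote to user-writable dirs
    deleted_paths = set()         # every file path seen in a FileDelete event
    peers = defaultdict(set)      # process image -> distinct destination IPs

    for ev in events:
        kind = ev["type"]
        image = ev.get("image", "").lower()

        if kind == "RegistrySet":
            # Symptom 1: a Run key that points at a binary in a user-writable location.
            target, data = ev["target"].lower(), ev.get("data", "").lower()
            if any(m in target for m in RUN_KEY_MARKERS) and any(d in data for d in USER_WRITABLE):
                findings.append(("autorun_user_writable", f"{ev['target']} -> {ev['data']}"))

        elif kind == "FileCreate":
            path = ev["path"].lower()
            if path.endswith(".exe") and any(d in path for d in USER_WRITABLE):
                created[image].append(ev["path"])

        elif kind == "FileDelete":
            deleted_paths.add(ev["path"].lower())

        elif kind == "NetworkConnect":
            # Symptom 2a: contact with a known C&C address.
            dst = ev["dst_ip"]
            peers[image].add(dst)
            if dst in KNOWN_C2_IPS:
                findings.append(("known_c2_ip", f"{ev['image']} -> {dst}"))

    # Symptom 3: a process dropped a new executable and its own image was then deleted
    # (the rewrite-under-a-new-name cycle described in the analysis).
    for image, drops in created.items():
        if image in deleted_paths and drops:
            findings.append(("self_rewrite", f"{image} wrote {drops[-1]} then was deleted"))

    # Symptom 2b: one process talking to many distinct peers (P2P spike).
    for image, dsts in peers.items():
        if len(dsts) >= P2P_PEER_THRESHOLD:
            findings.append(("p2p_spike", f"{image} contacted {len(dsts)} distinct hosts"))

    return findings


# Constructed sample telemetry: an infected user profile plus two benign system events.
BOT_V1 = "C:\\Users\\bob\\AppData\\Roaming\\x1f9.exe"
BOT_V2 = "C:\\Users\\bob\\AppData\\Roaming\\k72q.exe"
SAMPLE_EVENTS = [
    {"type": "RegistrySet", "image": BOT_V1,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x1f9", "data": BOT_V1},
    {"type": "FileCreate", "image": BOT_V1, "path": BOT_V2},          # new copy written
    {"type": "FileDelete", "image": BOT_V2, "path": BOT_V1},          # old copy removed
    {"type": "NetworkConnect", "image": BOT_V2, "dst_ip": "203.0.113.10"},
] + [
    {"type": "NetworkConnect", "image": BOT_V2, "dst_ip": f"10.0.0.{i}"} for i in range(1, 26)
] + [
    {"type": "RegistrySet", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "data": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"type": "FileCreate", "image": "C:\\Windows\\System32\\svchost.exe",
     "path": "C:\\Windows\\Temp\\update.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the sample data the detector raises all four rules for the user-profile binaries and nothing for the two system events; on a real host the `self_rewrite` rule is the most specific of the four, since legitimate updaters rarely delete the executable that dropped the replacement.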

Instructions

Manual removal of this malware is not recommended. Fortinet recommends removing this threat by running a complete scan of your system using FortiClient Endpoint Protection.
