Gootkit malware operators left unprotected database in open access

The well-known information security expert Bob Dyachenko found that Gootkit operators left the databases open on servers with MongoDB. The detected databases contained a lot of personal information stolen from users.

MalvarGootkit was first noticed by specialists back in 2014. It used to be a dangerous banking trojan, but over time, the threat has undergone many changes and evolved into something completely different. So, at present, Gootkit focuses more on collecting a huge array of information about infected devices and transfers this data to its control servers.

“It is a very capable and intrusive malware used in online banking fraud attacks that target consumer and business bank accounts primarily located in Europe”, — reports Bob Diachenko.

The malware is aimed at stealing data from various browsers, from Chrome to Internet Explorer. Gootkit can steal your browsing history, passwords and cookies, and can also take screenshots and record everything that users enter inside web forms (this applies not only to passwords, but also to bank card numbers). In addition, the malware collects all possible information about the infected host and the equipment connected to it.

Bob Dyachenko
Bob Dyachenko

Dyachenko discovered that in July 2019, Gootkit operators made a mistake and left their management servers available to everyone for a whole week. It is not reported whether attackers forgot to set passwords, or the firewall protecting the servers unexpectedly failed.Nevertheless, the servers became available, were indexed by various search engines and noticed by the researcher.

MongoDB was running on both servers, and they received data from three Gootkit botnets, which in total united 38,653 infected hosts.

A study of the servers showed that Luhnforms collections contained information about the payment cards of victims. About 15,000 records were found in two databases. Each such record contained information about the site on which the card data was collected, information about the browser and PC, as well as the bank card data itself, stored in unencrypted form.

Read also: Pirate application CotoMovies was closed, with all data of its users has gone to copyright holders

Although the name of the Windowscredentials collections alludes to Windows, it wasn’t what they kept in them. These collections contained credentials from various sites (from Polish ski stores to Envato trading floors, from Bulgarian government agencies to cryptocurrency exchanges) on which users registered an account or logged in. There were 2,385,472 entries in Windows credentials, although Dyachenko believes many of them were duplicates.

Malvar also stole cookies, took screenshots and collected detailed information about the characteristics of the infected computer, including internal and external IP addresses, host name, domain name, processor and memory data, provider name, OS information and installation date, MAC address, browser information and much more.

“In addition to personal and sensitive data collected from the infected machines the database also contained several folders with configuration details which might be of interest for malware researchers and law enforcement authorities”, — claims Bob Diachenko.

Currently, unprotected Gootkit servers have already gone offline, although it is not known whether the attackers noticed an expert invasion or simply completed the next campaign and disconnected the C & C servers after it was completed.

At the end of his report, Dyachenko notes that he has already transferred all the collected data to the hands of law enforcement agencies.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button