Image: ZDNet

The criminal gang behind the Gootkit malware has made the same mistake that thousands of legitimate companies have made before them in the past years -- they left MongoDB databases connected to the internet without a password.

The leak allowed security researcher Bob Diachenko to download all group's data and gain an insight into their operations.

Diachenko shared some of this data exclusively with ZDNet, and this article is a result of weeks of looking into samples of data the Gootkit gang gathered from infected hosts.

What is Gootkit?

Gootkit is the name of a strain of malware. Hereinafter, we'll be using the name Gootkit to refer to both the malware and the criminal group behind it.

The malware was first spotted in the wild in 2014, and it's been evolving ever since. In the beginning, Gootkit functioned as a banking trojan -- all in rage at the time. It would infect victims and would only activate on banking sites, where it would record login details.

It was quite unique for its time, grabbing a few headlines in infosec press due to the presence of a novel "video grabbing module" that recorded a user's activity on banking sites.

However, over the past few years, Gootkit has transformed into a much simpler, but much more dangerous information-stealing trojan.

ZDNet reached out to security researchers from Fox-IT to get an idea of what Gootkit is currently capable. According to researchers, in its current form, Gootkit doesn't focus on e-banking sites anymore.

Instead, the malware focuses on gathering a vast array of information from infected victims, and sending this data to remote servers (like the ones that Diachenko recently discovered).

Nowadays, Gootkit's main functions are focused on stealing data from browsers. It can extract and exfiltrate data such as browsing history, passwords, and cookie files, and supports extracting this information from multiple browser types, from Chrome to Internet Explorer.

Furthermore, Gootkit can also log what users enter inside web forms. This doesn't only include passwords, but also payment card numbers.

Fox-IT said Gootkit also regularly takes screenshots of the infected user's desktop, gathers everything it can about the host's PC platform, and also collects data on secure hardware connected to a PC.

Not a big operation

In terms of size, the Gootkit operation is nowhere near the size of other malware botnets, such as Emotet or TrickBot.

However, its smaller size can be attributed to the way the Gootkit gang chooses to distribute its malware. Instead of using a shotgun approach that involves sending out massive amounts of email spam (malspam), Gootkit relies on campaigns aimed at small geographical areas.

That's why it rarely made any headlines in recent years. In a world dominated by reports on ransomware and cryptominers, we've rarely heard about Gootkit and its small-scale operations.

The most recent public reporting on any Gootkit activity was published in June, and detailed a very small-scale campaign that only targeted Italian users.

Fox-IT researchers said they've spotted the same campaign, but also others that targeted the users of French, Swiss, and Austrian banks, and even some cryptocurrency exchanges.

Two leaky MongoDB servers

But while the group has mostly been very careful about its operations, they seem to have recently made a mistake when two of their command and control servers suddenly became publicly accessible for a week in July.

It is unclear if the Gootkit gang forgot to set a password, or if a firewall blocking access to these servers went down. However, something happened, and these servers became exposed, were indexed by various IoT search engines, and eventually discovered by Diachenko over the summer.

The two servers were both running MongoDB, and based on their content, they appeared to be aggregating data from three Gootkit sub-botnets, and a total of 38,653 infected hosts.

Inside the databases, we found similarly-named MongoDB collections, which was only natural, since both servers were aggregating the same type of information.

We found MongoDB collections named "Luhnforms," which contained details about users' payment cards. We found about 15,000 entries in the two databases, supposedly representing details for 15,000 payment cards.

Each "Luhnforms" entry contained the site where the payment card data was collected, browser and PC details, and -- obviously -- the payment card details themselves, storedin plaintext.

In MongoDB collections named "Windowscredentials," the Gootkit malware also logged username and credentials for sites where users had registered an account or had logged in while the malware was active.

The collection's name suggests the malware was collecting Windows user credentials, but the data ZDNet analyzed suggested these credentials were for online accounts only.

Usernames and passwords were stored in cleartext, and according to Diachenko, there were 2,385,472 entries, although we suspect some entries are duplicates.

In the data we analyzed, we found credentials for all sorts of sites, from Polish ski shops to Envato marketplaces, and from Bulgarian government agencies to cryptocurrency exchanges.

The two Gootkit MongoDBs also contained configuration files that were being sent to infected hosts. These files contained links to other Gootkit modules. Infected hosts were supposed to download and run these modules to improve the malware's features.

The IP addresses of these servers were known to be malicious on sites like VirusTotal, along with the files offered for download. This helped us verify beyond a doubt that we were looking at an authentic malware operation.

Other Gootkit data

But this wasn't all that Gootkit was collecting. The malware also stole cookie files, took screenshots of the users' screen, and collected details about the infected computer's technical specs -- just like Fox-IT told us in our interview. [See image below for an idea what else was stored in the database.]

For each infected victim, the malware had collected details such as internal and public IP address, hostname, domain name, CPU details, memory details, if the system was a VM or not, ISP name, OS details, OS install date, MAC address, browser details, and more.

The amount of technical data collected from each victim was staggering and was more than enough to provide the Gootkit crew -- or anyone else -- with an in-depth view of the victim's life.

Gootkit operators would have had no difficulty in determining if a victim was using a home PC, a computer on a government network, or one on a closed enterprise intranet.

In the past year, malware botnets like Emotet and TrickBot have made a nice profit by providing "install space" on computers they infected. These two botnets rent access on infected computers to other criminal gangs, who use this access to drop additional malware, such as ransomware or cryptocurrency miners.

A premium is placed on computers found on enterprise or government networks, considered high-value systems.

While Gootkit has never been known to sell "install space" to other gangs, the large number of infected hosts found in these two leaky databases, along with the treasure trove of user data, could allow the gang to do so, if it ever wanted.

Databases secured after a week

But the Gootkit MongoDB databases did not remain exposed for long. Diachenko said he found the servers on July 4, and they were both taken down by July 10. Ever since then, the two servers have not leaked information again.

It is unclear if the Gootkit gang saw Diachenko sniffing through their servers, or if they took down the servers after running a limited campaign.

With the help of ZDNet, Diachenko provided a copy of the data to law enforcement authorities, but we have not heard anything back. Today, the researcher published his findings in a report on his company's blog.