The actors behind the information-stealing GootKit trojan apparently slipped up and left open two MongoDB databases last July, briefly exposing data that they had lifted from thousands upon thousands of infected victims.
Bob Diachenko, cyber threat intelligence director at Security Discovery, revealed in a company blog post yesterday that he spotted the open servers last July 5. By July 10, the actors seemed to become aware of the issue and made the data private.
Diachenko found 32 separate collections of data, including folders that contained, in plain text, victims’ passwords, system configuration details, bank accounts, mail account logins and credit card details, plus information on the online shops they visited. Altogether, Security Discovery counted 1,444,375 email accounts, 2,196,840 passwords and configuration pairs, and 752,645 usernames.
All of the the infected machines listed in the databases were based in Europe, the region that GootKit has historically targeted. Users in Poland, France, the U.K., Italy and Bulgaria were most often affected.
ZDNet, which first reported on the data leak and was granted access to the exposed dataset, reported yesterday that the two servers had been collecting data from three Gootkit sub-botnets and 38,653 infected hosts. The news outlet also reported that the two servers contained configuration files that were sent to infected hosts and contained links to additional Gootkit modules designed to enhance the malware’s features.
Originally debuted as a classic banking trojan in 2014, GootKit has evolved over time to become an adept information stealer, grabbing such data as