CoreBot: There's a New Information Stealing Malware in Town

Exterminator (Thread author)
CoreBot has a big appetite for your passwords
IBM Security X-Force is reporting on a new type of information-stealing malware, codenamed CoreBot, which its security researchers came across while studying malware activity on business endpoints.

These enterprise endpoints were protected by IBM's Trusteer Apex Advanced Malware Protection system, which allowed security engineers to discover, intercept, and dissect this new type of threat.

In-depth analysis of a CoreBot attack
According to their findings, infiltration begins with a dropper agent which, once it reaches the victim's computer, is executed, starting "a svchost process in order to write the malware file to disk and then launch it."

This process also generates a globally unique identifier (GUID), used "to define its persistence via a run key in the Windows Registry."

At this stage, only CoreBot's main module is present on the victim's PC.

This core module communicates with command-and-control (C&C) servers via randomly generated domains right after setting the registry key, asking for instructions.

The C&C server then supplies it with new orders, along with the plugins needed to accomplish those tasks.
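The persistence described above, a Run-key value named with a generated GUID, is one concrete thing a defender can hunt for on an endpoint. As an added example that is not part of this article or of IBM's research, the Python below parses a constructed `.reg` export of a user's Run key and ranks the entries for triage; the GUID value, file paths and software names in the sample are made up.

```python
import re

# Constructed sample .reg export of a user's Run key (not from the article).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{3F2B9C1E-7D4A-4E2B-9A10-5C6D7E8F9A0B}"="\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\core.exe\""
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""

GUID_RE = re.compile(r"^\{?[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}?$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
USER_PATHS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def _unescape(s):
    # .reg files escape backslashes and double quotes inside string values
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_entries(reg_text):
    """Return (key, value_name, command) for string values under Run/RunOnce keys."""
    entries, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            entries.append((key, _unescape(m["name"]), _unescape(m["data"])))
    return entries

def triage_run_entries(reg_text):
    """Rank Run entries: GUID-named values are high, user-writable launch paths need review."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        if GUID_RE.match(name):
            severity = "high"    # GUID value name: the persistence pattern described for CoreBot
        elif any(p in command.lower() for p in USER_PATHS):
            severity = "review"  # launches from a user-writable location; allow-list known software
        else:
            continue
        findings.append({"severity": severity, "key": key, "name": name, "command": command})
    return findings

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG):
        print(f"[{f['severity']}] {f['name']}: {f['command']}")
```

On a live system the same checks apply to the HKLM Run keys and to RunOnce; legitimate updaters such as the OneDrive entry above will land in the "review" bucket, so keep an allow-list of known commands.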

CoreBot can download other malware and even update itself
"Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC," say the IBM researchers.

The very same process is also used by CoreBot to update itself.

In most of the instances observed by the IBM team, CoreBot targeted sensitive information on the victim's PC, using a plugin called Stealer.

This plugin was specifically interested in acquiring passwords from browsers, FTP clients, email applications, Webmail accounts, private certificates, cryptocurrency wallets, and credentials from various other desktop software.

IBM security researchers report that CoreBot is "currently incapable of intercepting real-time data from Web browsers," and most antivirus engines detect it under generic names like Dynamer!ac and Eldorado.