CoreBot trojan, now full-fledged Financial Malware (IBM X-Force Researchers)

Ink

SECURITYINTELLIGENCE.COM - Overnight Evolution: CoreBot Returns as a Full-Fledged Financial Malware

Just last month, Security Intelligence warned about a new and modular Trojan called CoreBot, indicating its internal structure suggested a new threat about to evolve.

CoreBot’s developers did not wait long. Within a matter of days, new samples of CoreBot, discovered and analyzed by IBM X-Force researchers, revealed that the malware has become a full-fledged banking Trojan — almost overnight. This seemingly quick evolution is most likely due to a longer development and testing phase that just recently ended.

What has been added to CoreBot to become a banking Trojan? In short:
  • Browser hooking for Internet Explorer, Firefox and Google Chrome;
  • Generic real-time form-grabbing;
  • A virtual network computing (VNC) module for remote control;
  • Man-in-the-middle (MitM) capabilities for session takeover;
  • Preconfigured URL triggers to target banks;
  • A custom webinjection mechanism;
  • On-the-fly webinjections from a remote server.

PREVIOUSLY REPORTED IN AUGUST - Watch Out for CoreBot, New Stealer Malware in the Wild

ZDNET.COM - CoreBot malware evolves overnight into virulent banking Trojan

"According to IBM, CoreBot contains a list of 55 URLs which launch it into action. The URLs relate to online banking services in the US, Canada and the United Kingdom.

Instead of sticking to its original password theft mechanisms, the new-and-improved CoreBot now grabs victim credentials and uses social engineering techniques to entice a victim into handing out more sensitive data. The controller is then alerted once a session is authenticated. To give the hacker time to get online, interrupt and control the session, CoreBot uses a wait screen as a stalling technique.

At this point, the fraudster can use the session cookie to merge into the same Web session and take over to initiate a transaction or modify the parameters of an existing transfer. The money is subsequently sent to an account the fraudster controls."
 
