August 28, 2015 By Limor Kessem
Martin Korman
5 min read

When it comes to discovering new malware, it is much more common for researchers to run across information stealers, ransomware and remote-access tools (RATs) than it is to encounter brand new complex codes like banking Trojans or targeted attack tools such as Duqu.

Nonetheless, it is the lesser breeds, like information stealers and RATs, that are a lot more prolific in the wild. And while banking Trojans or targeted attacks are quite specific in what they do, information stealers are by far less discriminatory and thus end up affecting a greater number of people and organizations.

That brings us to CoreBot, a new information stealer discovered and analyzed by IBM Security X-Force researchers, who indicate this is one malware piece to watch out for. CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.

CoreBot was discovered while the researchers were studying the activity of malware on Trusteer-protected enterprise endpoints. The malware’s compiled file was named “core” by its developer. Antivirus engines do not specify this malware’s name yet and detect it under generic names such as Dynamer!ac or Eldorado. But while CoreBot may appear artless at first glance, without real-time theft capabilities, it is more interesting on the inside.

Stay ahead of threats with global threat intelligence and automated protection

Info Stealers: Prevalence and Risk Factors

When it comes to generic malware, many believe it is less targeted and therefore less damaging than more elaborate malcode. In reality, the opposite is true. Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user’s personal accounts, including bank account credentials, email and e-wallets. When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will.

Many times, infostealer Trojan botnets siphon this sort of data from a myriad of endpoints and trade it in the underground, selling it to cybercriminals who will find ways to use or monetize it.

In a recent report released by IBM Security about enterprise threats, data collected from Trusteer Apex Advanced Malware Protection showed that the most rampant type of malware targeting employee endpoints in July 2015 was info stealers.

CoreBot Infiltrates PCs via Dropper

To begin, CoreBot infiltrates new endpoints by means of a dropper. Once the dropper is executed, it launches a svchost process in order to write the malware file to disk and then launch it. The dropper then exits.

Sets Persistence

Next, CoreBot generates a globally unique identifier (GUID) using the CoCreateGuid API Call. The GUID is used by CoreBot to define its persistence via a run key in the Windows Registry. For example:

RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h

Scroll to view full table

Modular Plugin System

CoreBot’s most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities. CoreBot downloads plugins from its command-and-control (C&C) server right after setting its persistence mechanism on the endpoint. It then loads the plugins using the plugininit export function in the plugin’s DLL.

At present, the main plugin is called Stealer. The MD5 of that plugin is:

ce890607d0f0581a1afc9b3a8f6e012d

Scroll to view full table

CoreBot steals passwords, but it is currently incapable of intercepting real-time data from Web browsers. Instead, it steals saved passwords stored in the endpoint’s browsers, scanning for passwords on all the most popular browsers.

CoreBot further searches an extensive list of FTP clients, mail clients, webmail accounts, cryptocurrency wallets, private certificates and personal data from a list of various desktop applications.

The example below shows how CoreBot scans for private certificates in store and then steals them:

Domain Generation Algorithm (DGA)

Unlike most information stealers, CoreBot has a domain generation algorithm (DGA) in place, although it is not presently activated. The DGA is a feature designed to enable malware botnets to communicate with their central C&C through dynamically generated domain names. With the DGA, the domain name is supposed to only be known in advance to the malware’s operator, thus preventing security researchers from being able to take down the site or for other criminals to hijack the botnet.

In CoreBot’s case, the DGA parameters appear to generate different domains for geographical zones of the botnet and for groups of bots defined by the botmaster — a rather interesting concept for malware that is merely a generic stealer.

Upon infection of a new endpoint, CoreBot calls home with a live signal and downloads the Stealer plugin. The malware communicates with two domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Both of CoreBot’s communication domains were registered by the same person, email address and Russia-based physical address. A WHOIS lookup brings up personal details.

The Risks of CoreBot Malware for Organizations

Password and Data Collection

On infected employee endpoints, malware such as CoreBot can harvest access credentials to a plethora of resources used by the employee for work and for personal browsing. Since corporate passwords are all too often reused on other websites, fraudsters can attempt to use the stolen credentials to infiltrate the organization, send malware to other users and expand the overall compromise.

It is important to keep in mind that Trojan operators will typically exfiltrate confidential business data like customer information, budget plans or even confidential insider information. Therefore, even a few infected endpoints inside the organization can end in very significant data security consequences.

Download and Launch Other Malware

Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC.

CoreBot downloads and launches new versions of the executable in order to update itself according to predefined parameters of the latest version on the infected machine.

Stop the Inevitable

Any malware on enterprise endpoints is bad news for the organization, but avoiding malware is, in reality, nearly impossible. In almost all cases of malware infiltrating employee endpoints, the malicious file was probably opened by the employee from unsolicited email or inadvertently contracted while browsing infected or watering-hole attack sites.

One of the best ways to protect enterprise endpoints is to supplement employee awareness with specialized protection that can stop malware at the exploitation or launch stages, but also stifle its data exfiltration attempts if it is already on the endpoint.

Proper detection and classification of malware like CoreBot, beyond merely generic designation, is necessary in order to properly assess the risk level it poses. Security Intelligence is writing about this because, although CoreBot isn’t very sophisticated right now, it is still new malware designed to be easily updated, and it could evolve into a more complex threat in the near future.

Learn more about Staying ahead of threats with global threat intelligence

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today