When it comes to discovering new malware, it is much more common for researchers to run across information stealers, ransomware and remote-access tools (RATs) than it is to encounter brand new complex codes like banking Trojans or targeted attack tools such as Duqu.

Nonetheless, it is the lesser breeds, like information stealers and RATs, that are a lot more prolific in the wild. And while banking Trojans or targeted attacks are quite specific in what they do, information stealers are by far less discriminatory and thus end up affecting a greater number of people and organizations.

That brings us to CoreBot, a new information stealer discovered and analyzed by IBM Security X-Force researchers, who indicate this is one malware piece to watch out for. CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.

CoreBot was discovered while the researchers were studying the activity of malware on Trusteer-protected enterprise endpoints. The malware’s compiled file was named “core” by its developer. Antivirus engines do not specify this malware’s name yet and detect it under generic names such as Dynamer!ac or Eldorado. But while CoreBot may appear artless at first glance, without real-time theft capabilities, it is more interesting on the inside.

Stay ahead of threats with global threat intelligence and automated protection

Info Stealers: Prevalence and Risk Factors

When it comes to generic malware, many believe it is less targeted and therefore less damaging than more elaborate malcode. In reality, the opposite is true. Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user’s personal accounts, including bank account credentials, email and e-wallets. When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will.

Many times, infostealer Trojan botnets siphon this sort of data from a myriad of endpoints and trade it in the underground, selling it to cybercriminals who will find ways to use or monetize it.

In a recent report released by IBM Security about enterprise threats, data collected from Trusteer Apex Advanced Malware Protection showed that the most rampant type of malware targeting employee endpoints in July 2015 was info stealers.

CoreBot Infiltrates PCs via Dropper

To begin, CoreBot infiltrates new endpoints by means of a dropper. Once the dropper is executed, it launches a svchost process in order to write the malware file to disk and then launch it. The dropper then exits.

Sets Persistence

Next, CoreBot generates a globally unique identifier (GUID) using the CoCreateGuid API Call. The GUID is used by CoreBot to define its persistence via a run key in the Windows Registry. For example:

RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h

Scroll to view full table

Modular Plugin System

CoreBot’s most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities. CoreBot downloads plugins from its command-and-control (C&C) server right after setting its persistence mechanism on the endpoint. It then loads the plugins using the plugininit export function in the plugin’s DLL.

At present, the main plugin is called Stealer. The MD5 of that plugin is:

ce890607d0f0581a1afc9b3a8f6e012d

Scroll to view full table

CoreBot steals passwords, but it is currently incapable of intercepting real-time data from Web browsers. Instead, it steals saved passwords stored in the endpoint’s browsers, scanning for passwords on all the most popular browsers.

CoreBot further searches an extensive list of FTP clients, mail clients, webmail accounts, cryptocurrency wallets, private certificates and personal data from a list of various desktop applications.

The example below shows how CoreBot scans for private certificates in store and then steals them:

Domain Generation Algorithm (DGA)

Unlike most information stealers, CoreBot has a domain generation algorithm (DGA) in place, although it is not presently activated. The DGA is a feature designed to enable malware botnets to communicate with their central C&C through dynamically generated domain names. With the DGA, the domain name is supposed to only be known in advance to the malware’s operator, thus preventing security researchers from being able to take down the site or for other criminals to hijack the botnet.

In CoreBot’s case, the DGA parameters appear to generate different domains for geographical zones of the botnet and for groups of bots defined by the botmaster — a rather interesting concept for malware that is merely a generic stealer.

Upon infection of a new endpoint, CoreBot calls home with a live signal and downloads the Stealer plugin. The malware communicates with two domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Both of CoreBot’s communication domains were registered by the same person, email address and Russia-based physical address. A WHOIS lookup brings up personal details.

The Risks of CoreBot Malware for Organizations

Password and Data Collection

On infected employee endpoints, malware such as CoreBot can harvest access credentials to a plethora of resources used by the employee for work and for personal browsing. Since corporate passwords are all too often reused on other websites, fraudsters can attempt to use the stolen credentials to infiltrate the organization, send malware to other users and expand the overall compromise.

It is important to keep in mind that Trojan operators will typically exfiltrate confidential business data like customer information, budget plans or even confidential insider information. Therefore, even a few infected endpoints inside the organization can end in very significant data security consequences.

Download and Launch Other Malware

Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC.

CoreBot downloads and launches new versions of the executable in order to update itself according to predefined parameters of the latest version on the infected machine.

Stop the Inevitable

Any malware on enterprise endpoints is bad news for the organization, but avoiding malware is, in reality, nearly impossible. In almost all cases of malware infiltrating employee endpoints, the malicious file was probably opened by the employee from unsolicited email or inadvertently contracted while browsing infected or watering-hole attack sites.

One of the best ways to protect enterprise endpoints is to supplement employee awareness with specialized protection that can stop malware at the exploitation or launch stages, but also stifle its data exfiltration attempts if it is already on the endpoint.

Proper detection and classification of malware like CoreBot, beyond merely generic designation, is necessary in order to properly assess the risk level it poses. Security Intelligence is writing about this because, although CoreBot isn’t very sophisticated right now, it is still new malware designed to be easily updated, and it could evolve into a more complex threat in the near future.

Learn more about Staying ahead of threats with global threat intelligence

More from Malware

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read