When it comes to discovering new malware, it is much more common for researchers to run across information stealers, ransomware and remote-access tools (RATs) than it is to encounter brand new complex codes like banking Trojans or targeted attack tools such as Duqu.

Nonetheless, it is the lesser breeds, like information stealers and RATs, that are a lot more prolific in the wild. And while banking Trojans or targeted attacks are quite specific in what they do, information stealers are by far less discriminatory and thus end up affecting a greater number of people and organizations.

That brings us to CoreBot, a new information stealer discovered and analyzed by IBM Security X-Force researchers, who indicate this is one malware piece to watch out for. CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.

CoreBot was discovered while the researchers were studying the activity of malware on Trusteer-protected enterprise endpoints. The malware’s compiled file was named “core” by its developer. Antivirus engines do not specify this malware’s name yet and detect it under generic names such as Dynamer!ac or Eldorado. But while CoreBot may appear artless at first glance, without real-time theft capabilities, it is more interesting on the inside.

Stay ahead of threats with global threat intelligence and automated protection

Info Stealers: Prevalence and Risk Factors

When it comes to generic malware, many believe it is less targeted and therefore less damaging than more elaborate malcode. In reality, the opposite is true. Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user’s personal accounts, including bank account credentials, email and e-wallets. When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will.

Many times, infostealer Trojan botnets siphon this sort of data from a myriad of endpoints and trade it in the underground, selling it to cybercriminals who will find ways to use or monetize it.

In a recent report released by IBM Security about enterprise threats, data collected from Trusteer Apex Advanced Malware Protection showed that the most rampant type of malware targeting employee endpoints in July 2015 was info stealers.

CoreBot Infiltrates PCs via Dropper

To begin, CoreBot infiltrates new endpoints by means of a dropper. Once the dropper is executed, it launches a svchost process in order to write the malware file to disk and then launch it. The dropper then exits.

Sets Persistence

Next, CoreBot generates a globally unique identifier (GUID) using the CoCreateGuid API Call. The GUID is used by CoreBot to define its persistence via a run key in the Windows Registry. For example:

RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h

Modular Plugin System

CoreBot’s most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities. CoreBot downloads plugins from its command-and-control (C&C) server right after setting its persistence mechanism on the endpoint. It then loads the plugins using the plugininit export function in the plugin’s DLL.

At present, the main plugin is called Stealer. The MD5 of that plugin is:


CoreBot steals passwords, but it is currently incapable of intercepting real-time data from Web browsers. Instead, it steals saved passwords stored in the endpoint’s browsers, scanning for passwords on all the most popular browsers.

CoreBot further searches an extensive list of FTP clients, mail clients, webmail accounts, cryptocurrency wallets, private certificates and personal data from a list of various desktop applications.

The example below shows how CoreBot scans for private certificates in store and then steals them:

Domain Generation Algorithm (DGA)

Unlike most information stealers, CoreBot has a domain generation algorithm (DGA) in place, although it is not presently activated. The DGA is a feature designed to enable malware botnets to communicate with their central C&C through dynamically generated domain names. With the DGA, the domain name is supposed to only be known in advance to the malware’s operator, thus preventing security researchers from being able to take down the site or for other criminals to hijack the botnet.

In CoreBot’s case, the DGA parameters appear to generate different domains for geographical zones of the botnet and for groups of bots defined by the botmaster — a rather interesting concept for malware that is merely a generic stealer.

Upon infection of a new endpoint, CoreBot calls home with a live signal and downloads the Stealer plugin. The malware communicates with two domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Both of CoreBot’s communication domains were registered by the same person, email address and Russia-based physical address. A WHOIS lookup brings up personal details.

The Risks of CoreBot Malware for Organizations

Password and Data Collection

On infected employee endpoints, malware such as CoreBot can harvest access credentials to a plethora of resources used by the employee for work and for personal browsing. Since corporate passwords are all too often reused on other websites, fraudsters can attempt to use the stolen credentials to infiltrate the organization, send malware to other users and expand the overall compromise.

It is important to keep in mind that Trojan operators will typically exfiltrate confidential business data like customer information, budget plans or even confidential insider information. Therefore, even a few infected endpoints inside the organization can end in very significant data security consequences.

Download and Launch Other Malware

Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC.

CoreBot downloads and launches new versions of the executable in order to update itself according to predefined parameters of the latest version on the infected machine.

Stop the Inevitable

Any malware on enterprise endpoints is bad news for the organization, but avoiding malware is, in reality, nearly impossible. In almost all cases of malware infiltrating employee endpoints, the malicious file was probably opened by the employee from unsolicited email or inadvertently contracted while browsing infected or watering-hole attack sites.

One of the best ways to protect enterprise endpoints is to supplement employee awareness with specialized protection that can stop malware at the exploitation or launch stages, but also stifle its data exfiltration attempts if it is already on the endpoint.

Proper detection and classification of malware like CoreBot, beyond merely generic designation, is necessary in order to properly assess the risk level it poses. Security Intelligence is writing about this because, although CoreBot isn’t very sophisticated right now, it is still new malware designed to be easily updated, and it could evolve into a more complex threat in the near future.

Learn more about Staying ahead of threats with global threat intelligence

more from Malware

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…