CoreBot Can Steal Your Credentials, Download and Execute Malware

CoreBot is a new malware that steals user credentials and have the ability to cause a great amount of trouble.

This stealer malware is specifically designed with ample strength that it is quite easy to steal data from targeted victim and have the capability to control the computer, reveals a security report published by IBM.

Image Credit: Security Intelligence (IBM)
Image Credit: Security Intelligence (IBM)

It is relatively common for the security researchers to find information stealing malware, remote access tools (RATs), ransomware, and Trojans. But most of these researchers tend to ignore the information stealers because they seem to be less harmful which is why it affects a large number of organizations.

Limor Kessem, the Cybersecurity Evangelist of IBM, describes this new info stealer as:

“CoreBot, a new information stealer discovered and analyzed by IBM Security X-Force researchers, who indicate this is one malware piece to watch out for. CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.”

The security expert wrote that the discovery of CoreBot materialized when the researchers were reviewing the malware activity on the Trusteer-protected enterprise. Further studies discovered that the developer named the compiled file as “core” while at the moment antivirus detection systems are distinguishing this malware as Eldorado or Dynamer!ac.

CoreBot may appear artless at first glance, without real-time theft capabilities, it is more interesting on the inside,” Kessem said.

These info stealing botnets usually collect software keys, email credentials and anything else that is saved on the drive and seems interesting to the attackers. Moreover, it also has the capability to download and execute other harmful malware. Once stolen, all of these data are sold to the cyber criminals.

Kessem reveals that CoreBot gain access to the computers via droppers. “Once the dropper is executed, it launches a svc host process in order to write the malware file to disk and then launch it. The dropper then exits,” she said.

Modular Plugin System

Now, here comes the most interesting part of the CoreBot:

“CoreBot’s most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities. CoreBot downloads plugins from its command-and-control (C&C) server right after setting its persistence mechanism on the endpoint. It then loads the plugins using the plugininit export function in the plugin’s DLL.”

CoreBot’s most essential feature is scanning and stealing saved passwords and linked credentials that are stored within the browsers. Furthermore, the info stealer can also search the whole computer for credentials stored within the mail clients, FTP clients, cryptocurrency wallets, web mail accounts and other desktop-based applications.

But what this malware cannot do is the real-time interception of data from the browsers.

Domain Generation Algorithm (DGA)

DGA is a feature that is specifically designed by attackers to provide malware botnets a capability to communicate with their command and control server.

CoreBot makes use of Domain Generation Algorithm (DGA), which is not used by most of the info stealers so this feature is something unique. But security researchers found out that DGA is not yet activated in the malware.

“With the DGA, the domain name is supposed to only be known in advance to the malware’s operator, thus preventing security researchers from being able to take down the site or for other criminals to hijack the botnet. In CoreBot’s case, the DGA parameters appear to generate different domains for geographical zones of the botnet and for groups of bots defined by the botmaster — a rather interesting concept for malware that is merely a generic stealer.”

Research found out that once the malware finds any computer that is infected, it automatically begins to communicate with two domains, vincenzo-sorelli[.]com and arijoputane[.]com. And according to the WHOIS details of these domains, both are registered by a Russian-based hacker and have same identifications.

Capability To Download And Launch Other Malware

Once CoreBot has infected the computer system, it can download, install and execute other malware from the Internet using tools like Microsoft task automation functionality, configuration management framework, and Windows PowerShell. By using these tools, CoreBot can also update itself to the latest version.

Report typos and corrections to admin@hackread.com

SourceIBM

Farzan Hussain

I am Mohammad Farzan! A technology and gadget enthusiast as well as a creative content writer with over six years of experience in writing engaging content. You will mostly find me writing occasional blog posts, designing websites, capturing photos, social networking and listening to music.