CoreBot Adds New Capabilities, Transitions to Banking Trojan

Share this…

As researchers expected it would, CoreBot, the credential-stealing malware that surfaced last month, has added a bevy of new capabilities and reinvented itself as a robust banking Trojan.

Researchers said the malware shares more similarities with Dyre, another high profile banking Trojan, than a run of the mill data-stealing Trojan.

Perhaps the malware’s most telling characteristic is a new list of 55 URL triggers – triggers that researchers at IBM’s Security Intelligence claim are tied to a handful of online banking sites in the U.S., Canada, and the U.K. and can launch webinjects.

When the firm first published research on CoreBot late last month, researchers noted the malware’s flexibility, acknowledging its modular design as something that could potentially allow for the easy addition of new mechanisms later down the line.

CoreBot Adds New Capabilities, Transitions to Banking Trojan

Turns out, it didn’t take long for developers behind the malware to up the Trojan’s ante.

Similar to how Trojans such as Zeus, Dyre and Dridex work, CoreBot snakes the login information of victims, then tries to trick them into giving away more information.

“In its previous version, CoreBot was only defined as an information stealer because it did not possess the capabilities that would enable it to steal username and password combinations in real time from the victim’s browser. This has changed, and CoreBot now hooks the three most popular browsers — Google Chrome, Mozilla Firefox and Internet Explorer — to be able to monitor browsing, steal data and apply webinjections,” Limor Kessem, a Cybersecurity Evangelist with IBM, wrote of the malware last week.

According to Kessem, the malware uses a more-advanced, custom-made webinjection mechanism designed for banking credential theft. The malware has also incorporated a slew of other traits specific to banking Trojans such as man-in-the-middle capabilities, a VNC (virtual networking computing) module, and real-time form grabbing.

Now that the malware has matured into a full-fledged banking Trojan, speculation is beginning to mount whether or not some of the information it’s stealing is being sold online. In particular, researchers are wondering if a recently registered suspicious looking marketplace is peddling stolen CoreBot information.

Researchers with Damballa observed a sample of CoreBot last week communicating with a domain registered to a specific email address, drake.lampado777[at]gmail[.]com, that was also used to set up another domain, btcshop. Btcshop is being used to sell Socket Secure proxies and other personally identifiable information (PII) – something that’s led some researchers with the firm to believe there’s a relationship between the two.

Researchers with Damballa also noticed that two other domains communicating with the same IP address, including one being used as a Carberp command and control server, and another that’s hosting the TVSPY remote access tool (RAT), but it’s the btcshop, set up on July 30, that caught their attention the most.

While it’s a tenuous connection — Damballa isn’t completely certain the same person running CoreBot is the same person running TVSPY — the researchers insist it’s plausible.

“It would be convenient for the same person or a small group of people to be running malicious domains registered under the email and also running btcshop to sell their collected wares,” a blog entry on the company’s Day Before Zero Blog theorized on Friday.