Corebot

Original Issue Date:- January 20, 2016
Virus Type:- Trojan

It has been reported that variants of a new Trojan named "Corebot", targeting financial institutions, are spreading. The malware infects machines running Microsoft Windows operating systems. It propagates by means of drive-by download attacks, email attachments, removable drives, etc. The malware is capable of performing the following functions:

  • Steals data such as stored credentials, web money wallets, etc. from compromised machines.
  • Monitors and hijacks web sessions.
  • Launches man-in-the-middle attacks and hooks browsers such as Firefox, IE and Chrome.
  • Injects itself into a legitimate Windows process (svchost.exe) and then deletes itself.
  • Initiates VNC sessions.
  • Makes network connections to send exfiltrated data to the C2 server.
  • Downloads and installs other malicious binaries or plugins on the victim's machine.
  • Uses Domain Generation Algorithms (DGA) to generate C2 domains dynamically in order to hide C2 communications.

Aliases: Infostealer.Corebot [Symantec], Infostealer.Corebot!g1 [Symantec], Win32/Corebot [Microsoft]

Indicators of Infection

File System Changes:
On successful installation, the malware makes the following file system change:
Path: %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe

Registry changes:

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[GUID]"
Value: "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"

Network Connections:

The malware communicates with its command and control server either to receive commands or to upload data exfiltrated from the victim's machine. Some of the C2 servers are mentioned below:

  • vincenzo-sorelli[dot]com
  • http://[generated by DGA].ddns.net
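The indicators above (a Run value named with a GUID that points to %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe, plus DNS traffic to vincenzo-sorelli.com or to DGA-generated ddns.net hosts) can be checked mechanically. The following is an added example, not part of this advisory and not a vendor tool: it matches the persistence path pattern against a constructed set of Run-key entries and scans constructed DNS log lines for the listed C2 domain and for dynamic-DNS hosts whose leftmost label looks machine-generated. The log format, the sample entries and the "looks generated" heuristic are assumptions made for the example.

```python
import re

# Constructed sample of HKCU\...\Run entries (value name -> value data),
# as they might be exported with "reg query". Not real telemetry.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}":
        r'"C:\Users\alice\Application Data\Microsoft\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}'
        r'\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}.exe"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

# Constructed DNS query log: "<timestamp> <client ip> <queried name>" per line.
SAMPLE_DNS_LOG = """\
2016-01-20T09:01:12Z 10.0.0.15 www.microsoft.com
2016-01-20T09:01:40Z 10.0.0.15 vincenzo-sorelli.com
2016-01-20T09:02:03Z 10.0.0.15 kq8zv1x7tm4ph2.ddns.net
2016-01-20T09:02:31Z 10.0.0.22 myhomecam.ddns.net
"""

# A GUID with or without surrounding braces.
GUID_RE = (r"\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
           r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?")

# Advisory path: %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe
COREBOT_PATH_RE = re.compile(
    r"\\Application Data\\Microsoft\\(" + GUID_RE + r")\\(" + GUID_RE + r")\.exe$",
    re.IGNORECASE,
)

# Known C2 domain from the advisory (written without the [dot] defanging).
KNOWN_C2_DOMAIN = "vincenzo-sorelli.com"


def _norm_guid(g):
    return g.strip("{}").lower()


def check_run_entries(entries):
    """Return the Run value names that match the Corebot persistence pattern:
    a GUID-named value whose data is ...\\Microsoft\\<GUID>\\<GUID>.exe with
    the same GUID for the value name, the directory and the executable."""
    hits = []
    for name, data in entries.items():
        if not re.fullmatch(GUID_RE, name):
            continue
        path = data.strip().strip('"')
        m = COREBOT_PATH_RE.search(path)
        if m and _norm_guid(name) == _norm_guid(m.group(1)) == _norm_guid(m.group(2)):
            hits.append(name)
    return hits


def looks_generated(label):
    """Assumed heuristic for a DGA-style label: long and digit-heavy.
    Tune against your own baseline; this is illustrative, not a vendor rule."""
    digits = sum(c.isdigit() for c in label)
    return len(label) >= 10 and digits >= 3


def check_dns_log(log_text):
    """Return (client, name, reason) tuples for queries matching the advisory's
    network indicators."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname == KNOWN_C2_DOMAIN or qname.endswith("." + KNOWN_C2_DOMAIN):
            alerts.append((client, qname, "known Corebot C2 domain"))
        elif qname.endswith(".ddns.net") and looks_generated(qname.split(".")[0]):
            alerts.append((client, qname, "DGA-like dynamic-DNS host"))
    return alerts


if __name__ == "__main__":
    for name in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run value:", name)
    for client, qname, reason in check_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {reason}")
```

On a live host the Run entries would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the DNS lines from the resolver or proxy logs; the matching logic stays the same. The legitimate `myhomecam.ddns.net` query is deliberately included to show that the ddns.net suffix alone is not an indicator and the heuristic on the leftmost label is what separates the two.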

Countermeasures:

  • Delete the system changes made by the malware, such as created files, registry entries and services.
  • Monitor and block traffic generated from client machines to the domains and IP addresses mentioned above.
  • Set the Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Scan infected systems with an updated antivirus solution.
  • Disable AutoRun and AutoPlay policies.
  • Use a limited-privilege user account on the computer; grant administrative access to systems only through dedicated administrative accounts for administrators.
  • Limit or eliminate the use of shared or group accounts.
  • Do not visit untrusted websites.
  • Do not download or open attachments in emails received from untrusted sources or received unexpectedly from trusted users.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstations.
  • Install anti-malware engines, keep them up to date and scan regularly.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Configure your email server to block or remove emails containing file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Disable unnecessary services on agency workstations and servers.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

References: