Corebot
Original Issue Date:- January 20, 2016
Virus Type:- Trojan
It has been reported that the variants of a new Trojan named as
- Steals data such as stored credentials, web money wallets, etc., from compromised machines.
- Capable of monitoring and hijacking web sessions.
- Launches man-in-the-middle attacks and hooks browsers such as Firefox, IE and Chrome.
- Injects itself into genuine Windows processes (svchost.exe) and deletes itself.
- Capable of initiating VNC sessions.
- Makes network connections to send exfiltrated data to the C2 server.
- Capable of downloading and installing other malicious binaries or plugins on the victim's machine.
- Uses Domain Generation Algorithms (DGA) to generate C2 domains dynamically, hiding C2 communications.
Aliases: Infostealer.Corebot [Symantec], Infostealer.Corebot!g1 [Symantec], Win32/Corebot [Microsoft]
Indicators of Infection
File System Changes:
On successful installation, the file system changes made by the malware are given below:
Path: %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe
Registry changes:
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[GUID]"
Value: "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"
Network Connections:
The malware communicates with its command and control server either to receive commands or to upload data exfiltrated from the victim's machine. Some of the C2 servers are mentioned below:
- vincenzo-sorelli[dot]com
- http://[generated by DGA].ddns.net
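A defender-side check for the indicators listed above, added here as an example and not part of the advisory: it flags Run-key values whose name is a GUID and whose data ends in Microsoft\[GUID]\[GUID].exe (the same GUID for folder and file, as in the persistence path above), and flags DNS queries for the listed C2 domain or for any host under ddns.net. The Run-key entries, the DNS log format and the hostname x7hq2kd9pl are constructed sample data, not real indicators.

```python
import re

# GUID with or without braces; the advisory writes the value as [GUID].
GUID = r"\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?"

# Run value data ending in ...\Microsoft\<GUID>\<GUID>.exe with the SAME GUID
# as folder and file name. The prefix is unrestricted so both the literal
# %UserProfile% form and an already-expanded profile path are matched.
RUN_PATH_RE = re.compile(
    r'^"?(?:.*\\)?Microsoft\\(' + GUID + r')\\\1\.exe"?$', re.IGNORECASE)
NAME_RE = re.compile("^" + GUID + "$")

KNOWN_C2 = ("vincenzo-sorelli.com",)  # domain listed in the advisory
DDNS_SUFFIX = ".ddns.net"             # parent zone of the DGA-generated hosts

# Constructed sample data for this example only (not real indicators).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("{6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}",
     r"%UserProfile%\Application Data\Microsoft\{6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}"
     r"\{6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}.exe"),
]
SAMPLE_DNS_LOG = [
    "2016-01-20T10:00:01 10.0.0.5 query A www.example.com",
    "2016-01-20T10:00:02 10.0.0.5 query A vincenzo-sorelli.com",
    "2016-01-20T10:00:03 10.0.0.5 query A x7hq2kd9pl.ddns.net",
]

def is_corebot_run_entry(name: str, data: str) -> bool:
    """True when a Run-key value is GUID-named and its data points to
    Microsoft\\<GUID>\\<GUID>.exe, the persistence shape from the advisory."""
    return bool(NAME_RE.match(name.strip()) and RUN_PATH_RE.match(data.strip()))

def flag_run_entries(entries):
    """Return the value names of Run entries that match Corebot persistence."""
    return [name for name, data in entries if is_corebot_run_entry(name, data)]

def flag_dns_queries(lines):
    """Return (queried_name, reason) for lines that resolve the known C2 domain
    or any host under ddns.net. The queried name is assumed to be the last
    whitespace-separated field of each line (constructed log format)."""
    hits = []
    for line in lines:
        qname = line.split()[-1].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in KNOWN_C2):
            hits.append((qname, "known C2 domain"))
        elif qname.endswith(DDNS_SUFFIX):
            hits.append((qname, "ddns.net host, possible DGA domain"))
    return hits
```

A ddns.net hit is a lead for analyst review, not proof of infection, since the zone also hosts legitimate dynamic-DNS names.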
Countermeasures:
- Delete the system changes made by the malware, such as the files created, registry entries, services, etc.
- Monitor and block traffic generated from client machines to the domains and IP addresses mentioned above.
- Set the Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Scan the infected system with an updated antivirus solution.
- Disable AutoRun and AutoPlay policies.
- Use a limited-privilege user account on the computer, or restrict administrative access to systems to dedicated administrative accounts.
- Limit or eliminate the use of shared or group accounts.
- Do not visit untrusted websites.
- Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on workstations.
- Install anti-malware engines, scan regularly, and keep them up to date.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Configure your email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Disable unnecessary services on agency workstations and servers.
- Maintain situational awareness of the latest threats; implement appropriate ACLs.