Corebot

It has been reported that the variants of a new Trojan named as "Corebot", targeting financial institutions is spreading. The malware infects machines installed with Microsoft Windows operating systems. It propagates by means of drive- by-download attacks, email attachments and removable drives etc. Malware is capable of performing the following functions:

• Steals data such as stored credentials, web money wallets etc., from compromised machines.
• Capable of monitoring and hijacking web sessions.
• Launch man-in-the-middle attacks and hooks browsers like Firefox, IE, and Chrome etc.
• Injects itself in genuine windows processes (svchost.exe) and deletes itself.
• Capable of initiating VNC sessions.
• Make network connections to send exfiltrated data to C2 server.
• Capable of downloading and installing other malicious binaries or plugins on the victim's machine.
• Use Domain Generation Algorithms (DGA) to generated C2 domains dynamically for hiding C2 communications.

Aliases: Infostealer.Corebot [Symantec], Infostealer.Corebot!g1[Symantec], Win32/Corebot [Microsoft],

Indicators of Infection

File System Changes:
On successful installation, the file system changes made by the malware are given below:
Path:%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe

Registry changes:

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[GUID]"
Value: "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"

Network Connections:

Malware communicates with its command and control server either to receive commands or upload exfiltrated data of the victim's machine. Some of the C2 servers are mentioned below:

• vincenzo-sorelli[dot]com
• http://[generated byDGA].ddns.net

Countermeasures:

• Delete the system changes made by the malware such as files created/ registry entries /services etc.
• Monitor and block traffic generated from client machines to the domains and IP address mentioned above.
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
• Scan infected system with updated versions of Antivirus solution
• Disable Auto run and Auto play policies.
• Use limited privilege user on the computer or allow administrative access to systems with special administrative accounts for administrators.
• Limit or eliminate the use of shared or group accounts.
• Do not visit untrusted websites.
• Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
• Enforce a strong password policy and implement regular password changes.
• Enable a personal firewall on workstation.
• Install and scan anti malware engines and keep them up-to-date.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Disable unnecessary services on agency workstations and servers.
• Maintain situational awareness of the latest threats; implement appropriate ACLs.

References:

• https://www.symantec.com/security_response/writeup.jsp?docid=2015-090807-3306-99
• http://ae.norton.com/security_response/writeup.jsp?docid=2015-090807-3306-99&tabid=2
• https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Corebot
• https://www.alienvault.com/blogs/security-essentials/corebot-not-your-average-banking-trojan
• http://www.securityweek.com/corebot-becomes-full-fledged-banking-trojan
• https://threatpost.com/corebot-adds-new-capabilities-transitions-to-banking-trojan/114667/