CoreBot has a big appetite for your passwords

Aug 30, 2015 11:26 GMT  ·  By

IBM Security X-Force is reporting on a new type of information stealing malware, codenamed CoreBot, which its security researchers came across while studying malware activity on business endpoints.

These enterprise endpoints were protected by IBM's Trusteer Apex Advanced Malware Protection system, which allowed security engineers to discover, intercept, and dissect this new threat.

In-depth analysis of a CoreBot attack

According to their findings, infiltration occurs via a dropper agent that, once on the victim's computer, is executed, starting "a svchost process in order to write the malware file to disk and then launch it."

This process also generates a globally unique identifier (GUID), used "to define its persistence via a run key in the Windows Registry."

At this stage, only CoreBot's main module is present on the victim's PC.

This core module communicates with command-and-control (C&C) servers via randomly generated domains right after setting the registry key, asking for instructions.

The C&C server then supplies new orders, along with the plugins needed to carry them out.

CoreBot can download other malware and even update itself

"Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC," say the IBM researchers.

The very same process is also used by CoreBot to update itself.

In most of the instances observed by the IBM team, CoreBot targeted sensitive information on the victim's PC, using a plugin called Stealer.

This plugin was specifically interested in acquiring passwords from browsers, FTP clients, email applications, Webmail accounts, private certificates, cryptocurrency wallets, and credentials from various other desktop software.

IBM security researchers report that CoreBot is "currently incapable of intercepting real-time data from Web browsers," and most antivirus engines detect it under generic names like Dynamer!ac and Eldorado.