CoreBot is now capable of taking over live banking sessions

Sep 11, 2015 21:29 GMT  ·  By

CoreBot, a tiny info stealer discovered by IBM security researchers at the end of August, has been seen in the wild gathering banking and financial information and carrying out attacks on users in Canada, the US and the UK.

After previously documenting its simplistic mode of operation, the IBM Security X-Force team is now in awe of the highly advanced browser hooking and Web injection capabilities the CoreBot malware added to its arsenal, seemingly overnight.

While CoreBot version 1 seemed capable only of stealing credentials from browsers, FTP clients, email applications and Webmail accounts, along with private certificates, cryptocurrency wallets and data from various desktop software, the new CoreBot can safely be categorized as a banking trojan.

CoreBot added a lot of high-end features to its core

This is because, besides its info-stealing capabilities, CoreBot can now hook into Web browsers at runtime, grab data from Web forms as it is entered, steal session cookies, and perform MitM (man-in-the-middle) attacks on the user's Web traffic. Because the hooks sit inside the browser process, this is the man-in-the-browser variant of MitM: the malware reads form fields and cookies before TLS encrypts them, so HTTPS on the bank's side offers no protection.

This data is then sent to remote servers, and a VNC (Virtual Network Computing) component lets attackers take control of the victim's browser session from a remote location.

According to IBM researchers, CoreBot is now specifically designed to target online banking websites, coming pre-configured with a list of 55 URL triggers that spring the malware into action whenever the user accesses one of the matching Web banking portals.

IBM says these URLs target the banking pages of 33 financial institutions, but they are written as regular expressions (regex), so a single trigger can also match other banking portals whose URLs follow a similar pattern.
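To make the regex point concrete, here is an added example (not code from the article or from IBM's report, and not CoreBot's real trigger list) of how a trigger list keyed on URL patterns rather than exact strings behaves. The two patterns, the `.example` hostnames and the sample URLs are constructed for illustration; the point is that a portal never named in the list still fires a trigger when its URL follows the same scheme.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hypothetical trigger patterns in the style the article describes: regular
# expressions over the URL rather than exact strings. Constructed for
# illustration; they are not the malware's real triggers.
TRIGGERS = [
    # One pattern covers every institution whose portal lives under an
    # "online." or "secure." host and exposes a /login or /signin path.
    re.compile(r"^https://(online|secure)\.[a-z0-9-]+\.example/(login|signin)(/|$|\?)"),
    # A pattern keyed on a path component shared by a family of portals.
    re.compile(r"^https://[a-z0-9.-]+\.example/ibanking/.*"),
]


def normalize(url: str) -> str:
    """Canonicalize a URL the way a browser-side trigger would need to:
    lowercase scheme and host, drop an explicit default port, drop the fragment.
    Without this, 'HTTPS://Bank.example:443/login' would slip past a
    lowercase pattern."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname is already lowercased
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def matching_trigger(url: str):
    """Return the index of the first trigger that fires for url, or None."""
    canon = normalize(url)
    for i, pattern in enumerate(TRIGGERS):
        if pattern.search(canon):
            return i
    return None


def coverage(urls):
    """Map each URL to the trigger that would fire. Shows that a pattern
    written over a URL scheme also catches portals never explicitly listed."""
    return {u: matching_trigger(u) for u in urls}


# Constructed sample URLs: two different "banks" share the first pattern,
# a third is caught by its path, and two non-matching cases are included.
SAMPLE_URLS = [
    "https://online.firstbank.example/login?lang=en",
    "HTTPS://Secure.NorthCredit.example:443/signin",   # not on any list
    "https://www.coastal.example/ibanking/accounts",
    "https://www.coastal.example/about",
    "http://online.firstbank.example/login",           # plain HTTP, no match
]

if __name__ == "__main__":
    for url, trig in coverage(SAMPLE_URLS).items():
        print(f"{url:55s} -> trigger {trig}")
```

The defensive use of such a matcher is to run your own portal's URLs (including redirects and mobile paths) through pattern-style triggers to see how generic a match would be; because the triggers key on the URL shape, renaming a hostname is not a mitigation.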

How a CoreBot v2 attack works

The basic steps of a CoreBot attack are as follows. First, after infecting a computer, CoreBot lies in wait, collecting every password it can, from the computer itself or from the user's browsers (including as they are typed).

It watches the user's browsing, and when one of its URL triggers matches a banking portal being accessed, it collects the victim's credentials.

Once the user has authenticated on the banking website, it sends an instant message (IM) to its operator, while stalling the victim with a classic "please wait" message.

If the fraudster is online, they then use the data sent by the CoreBot trojan (session cookie and user credentials) to merge into the active Web session, intercepting transaction details, initiating new ones and rerouting funds to accounts under their control.
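The step that matters for defenders is the last one: a stolen session cookie presented from somewhere other than the victim's browser. The following added example (not code from the article or from IBM, and not any bank's real implementation) is a constructed server-side session store that binds each cookie to the client context seen at login and refuses the cookie when it is replayed from another context. It also walks the second path the article describes, the attacker driving the victim's own browser over the VNC component, to show the limit of that check. The fingerprint inputs (IP and User-Agent), the user name and all addresses are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client properties observed at login. Assumed inputs; a
    real deployment would add TLS and device signals, not just IP and UA."""
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str                        # client context bound at login
    alerts: list = field(default_factory=list)


class SessionStore:
    """Constructed server-side session store: each session cookie is bound to
    the client context seen at authentication, and any request presenting the
    cookie from a different context is refused and recorded."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, ip: str, user_agent: str) -> str:
        cookie = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[cookie] = Session(user, client_fingerprint(ip, user_agent))
        return cookie

    def request(self, cookie: str, ip: str, user_agent: str, action: str) -> str:
        """Return 'ok', 'unknown' (no such session) or 'hijack' (cookie
        replayed from a client context other than the one that authenticated)."""
        session = self._sessions.get(cookie)
        if session is None:
            return "unknown"
        presented = client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(session.fingerprint, presented):
            session.alerts.append((ip, user_agent, action))
            return "hijack"
        return "ok"

    def alerts_for(self, cookie: str) -> list:
        return list(self._sessions[cookie].alerts)


def simulate_corebot_paths() -> dict:
    """Walk the two ways the article says the fraudster can ride a session.
    All addresses, names and User-Agent strings are constructed."""
    store = SessionStore()
    victim_ip = "203.0.113.10"
    victim_ua = "Mozilla/5.0 (Windows NT 6.1) victim-browser"
    cookie = store.login("alice", victim_ip, victim_ua)   # victim authenticates
    results = {}
    # Path 1: the stolen cookie is replayed from the fraudster's own machine.
    results["replay"] = store.request(cookie, "198.51.100.7", "curl/7.43.0", "transfer")
    # Path 2: the fraudster drives the victim's own browser over the VNC
    # component; the bank sees the victim's IP and UA, so binding cannot tell.
    results["vnc"] = store.request(cookie, victim_ip, victim_ua, "transfer")
    results["alerts"] = store.alerts_for(cookie)
    return results


if __name__ == "__main__":
    for path, verdict in simulate_corebot_paths().items():
        print(f"{path}: {verdict}")
```

Cookie-to-context binding catches the replay path but is blind to the VNC path, where every request genuinely originates from the victim's machine; that is why a new-payee transfer also needs an out-of-band confirmation step that the malware cannot complete from inside the hooked browser.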