Categories: Breaking NewsCyber CrimeMalware

Corebot is the new data Stealer discovered by IBm’s X-Force

Corebot is a new data stealer discovered by the experts at IBM Security X-Force while they were analyzing some endpoints protected by their solutions.

Corebot is the name of a new data stealer malware discovered by the experts at IBM Security X-Force while they were analyzing some endpoints protected by their product, the Trusteer Apex Advanced Malware Protection system.

“CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.

CoreBot was discovered while the researchers were studying the activity of malware on Trusteer-protected enterprise endpoints.” States the blog post published by IBM.

The experts discovered that the infection process relies on a dropper agent that once executed runs as “asvchost process in order to write the malware file to disk and then launch it.”

The GUID generated by this process it’s used “to define its persistence via a run key in the Windows Registry.”

“Next, CoreBot generates a globally unique identifier (GUID) using the CoCreateGuid API Call. The GUID is used by CoreBot to define its persistence via a run key in the Windows Registry. For example:”

RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h

In the early stages of the infection, only the CoreBot’s main module can be found in the infected endpoint.

CoreBot differs from the majority of data stealer in the use of a domain generation algorithm (DGA), although it is not presently activated. The DGA allows CoreBot to communicate with the C&C servers through dynamically generated domain names.

CoreBot’s DGA generates different domains for geographical zones of the botnet and for groups of bots defined by the botmaster. When the communication is made, the C&C server will provide the orders and plugins to execute those orders.

IBM researchers said, “Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC,”, the same logic is used by the Corebot to update itself.

X-Force team concluded that Corebot targets sensitive information on the victim’s machine using the Stealer plugin, a component designed to syphon the passwords used in the browser, FTP clients, email clients, webmail accounts, private certificates, Crypto wallets, and many more credentials used by the victim.

The good news is that the antivirus solutions are able to detect CoreBot as a generic threat named Dynamer!ac and Eldorado, it is also important to highlight that Corebot is “currently incapable of intercepting real-time data from Web browsers,”.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – CoreBot, data stealer)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.