Corebot is the new data Stealer discovered by IBm’s X-Force

Corebot is a new data stealer discovered by the experts at IBM Security X-Force while they were analyzing some endpoints protected by their solutions.

Corebot is the name of a new data stealer malware discovered by the experts at IBM Security X-Force while they were analyzing some endpoints protected by their product, the Trusteer Apex Advanced Malware Protection system.

“CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.

CoreBot was discovered while the researchers were studying the activity of malware on Trusteer-protected enterprise endpoints.” States the blog post published by IBM.

The experts discovered that the infection process relies on a dropper agent that once executed runs as “asvchost process in order to write the malware file to disk and then launch it.”

The GUID generated by this process it’s used “to define its persistence via a run key in the Windows Registry.”

“Next, CoreBot generates a globally unique identifier (GUID) using the CoCreateGuid API Call. The GUID is used by CoreBot to define its persistence via a run key in the Windows Registry. For example:”

RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h

In the early stages of the infection, only the CoreBot’s main module can be found in the infected endpoint.

CoreBot differs from the majority of data stealer in the use of a domain generation algorithm (DGA), although it is not presently activated. The DGA allows CoreBot to communicate with the C&C servers through dynamically generated domain names.

CoreBot’s DGA generates different domains for geographical zones of the botnet and for groups of bots defined by the botmaster. When the communication is made, the C&C server will provide the orders and plugins to execute those orders.

IBM researchers said, “Using Windows PowerShell, Microsoft’s task automation and configuration management framework, CoreBot can fetch other malware from the Internet, download and execute it on the infected PC,”, the same logic is used by the Corebot to update itself.

X-Force team concluded that Corebot targets sensitive information on the victim’s machine using the Stealer plugin, a component designed to syphon the passwords used in the browser, FTP clients, email clients, webmail accounts, private certificates, Crypto wallets, and many more credentials used by the victim.

The good news is that the antivirus solutions are able to detect CoreBot as a generic threat named Dynamer!ac and Eldorado, it is also important to highlight that Corebot is “currently incapable of intercepting real-time data from Web browsers,”.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – CoreBot, data stealer)