CoreBot - A New Malware Detected By IBM's X-Force.


What is Corebot

coreBot - a new data stealer malware detected by the experts at IBM Security X-Force while they were evaluating some endpoints protected by their security solution, the Trusteer Apex - An Advanced Malware Protection system.


CoreBot was detected while the researchers were examining the movement of malware on Trusteer-protected enterprise endpoints.” disclosed by IBM.
In the early stages of the infection, only the CoreBot’s main module can be found in the infected endpoint.

About CoreBot

“CoreBot seems extensible ,i.e. its architecture and internal design were setup in a way that permits easy adding of  new data theft and endpoint control system.

How It Works

The security-researcher explored that the infection mechanism depends on a dropper agent that once executed & runs as “asvchost" process so as to write the malware file to disk and then initiate itself.

Then, CoreBot creates a GUID i.e. Globally Unique Identifier using the CoCreateGuid API Call.

 The generated GUID is then used by CoreBot to describes its continuity via a run key within Windows Registry. 
e.g.:-RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h


CoreBot varies from the number of malware that uses Domain Generation Algorithm (DGA), though it's not currently activated. The DGA allows CoreBot to establish connection with the C&C servers by using dynamically generated domain names defined by the botmaster to execute the command given by C&C servers


IBM researchers said, By using Windows "PowerShell"- Microsoft’s task automation and configuration management framework,CoreBot can gather other malware from the Web, download and initiate it on the infected PC.It also uses the same logic to update itself.


X-Force team states that Corebot infects the victim’s machine and uses a Stealer plugin that is created to syphon the passwords used in the browser, FTP & Mail clients, webmail accounts, private certificates, Crypto wallets, and plenty of  credentials that are used by the victim.

Current Status

Antivirus product are able to detect CoreBot as a generic Win32/Trojan Dynamer!ac and Eldorado.
Corebot is “currently incapable of intercepting real-time data from Web browsers,”.

Post a Comment