Dangerous CoreBot info-stealing malware discovered

IBM's X-Force research team has uncovered a new piece of data-swiping malware whose modular design allows it to be quickly altered and made even more dangerous.

CoreBot's main threat is its ability to steal passwords stored in the victim's browser in areas such as webmail accounts, e-wallets, private certificates and other personal data sources.

It also searchers for file transfer protocol (ftp) clients, email programs and sundry desktop applications. However, X-Force noted that CoreBot cannot currently intercept real-time data from web browsers.

CoreBot is installed via a dropper, and when executed, launches a Windows svchost process to write and launch the malware, at which point the dropper exits the computer.

Beyond stealing data from victims, CoreBot can also download and launch other malware. It also features a domain generation algorithm (DGA) that is currently not active.

The DGA is designed to enable malware botnets to talk to a central command and communications server via dynamically generated domain names that are only known to attackers, to prevent security researchers from taking down the malicious sites.

X-Force noted that two hardcoded domain names used by CoreBot for communication when it infects a target machine are registered with Russian physical addresses.

Even though CoreBot is described as a generic information swiper, the IBM team said it considered it quite dangerous and capable of inflicting a great deal of harm.

“Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user's personal accounts, including bank account credentials, email and e-wallets," the IBM report stated.

"When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will."

In CoreBot's case the danger is magnified by the malware's modular design. The X-Force report noted this enables it to be easily upgraded with new theft capabilities.

Defending against CoreBot and other malware is a long shot, and IBM recommended limiting its exposure through employee awareness and defensive software that can stop malware at the exploitation and launch stages.

Copyright © SC Magazine, Australia