Overnight Sensation — CoreBot Returns as a Full-Fledged Financial Malware

Just last month, Security Intelligence warned about a new and modular Trojan called CoreBot, indicating its internal structure suggested a new threat about to evolve.
CoreBot’s developers did not wait long. Within a matter of days, new samples of CoreBot, discovered and analyzed by IBM X-Force researchers, revealed that the malware has become a full-fledged banking Trojan — almost overnight. This seemingly quick evolution is most likely due to a longer development and testing phase that just recently ended.

What has been added to CoreBot to become a banking Trojan? In short:
· Browser hooking for Internet Explorer, Firefox and Google Chrome;
· Generic real-time form-grabbing;
· A virtual network computing (VNC) module for remote control;
· Man-in-the-middle (MitM) capabilities for session takeover;
· Preconfigured URL triggers to target banks;
· A custom web-injection mechanism;
· On-the-fly webinjections from a remote server.

CoreBot’s Targets

CoreBot now comes with a list of 55 URL triggers that launch it into action. All triggers are online banking sites in the U.S., Canada and the U.K. The triggers include the corporate banking, business banking and private banking pages of 33 target financial institutions.
CoreBot’s configuration file appears to use a trigger format very similar to Dyre’s, in which not all triggers are exact URLs. Instead, the triggers are written as regular expressions (RegEx), which lets the Trojan match on URL patterns and thus target a wider array of financial institutions that share the same electronic banking platforms.
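To make the regex-trigger point concrete, here is an added example (not code from the article or from the malware) that compiles a constructed, Dyre-style trigger list and checks which of a bank’s own URLs would fire it. The trigger patterns and the .test domains are placeholders invented for this illustration, not values from any real CoreBot configuration; the point is that one pattern written against a shared e-banking platform matches every institution hosted on it, which is what a defender auditing a recovered trigger list would want to see.

```python
import re
from typing import Dict, List, Pattern

# Constructed sample of regex-style URL triggers, mimicking the Dyre-like
# format the article describes. These are placeholders on reserved .test
# domains, not triggers taken from any real CoreBot configuration.
CONSTRUCTED_TRIGGERS: List[str] = [
    r"^https://[^/]+\.examplebank\.test/(login|signin)",   # any host of one bank
    r"^https://(online|business)\.examplebank\.test/.*",   # named subdomains only
    r"^https://[^/]+\.sharedplatform\.test/ebanking/.*",   # a platform many banks share
    r"^https://[unclosed",                                  # deliberately invalid
]


def compile_triggers(patterns: List[str]) -> Dict[str, Pattern[str]]:
    """Compile each trigger, skipping entries that are not valid regexes.

    A malformed entry in a dumped config should not abort the whole audit,
    so invalid patterns are dropped rather than raised.
    """
    compiled: Dict[str, Pattern[str]] = {}
    for pat in patterns:
        try:
            compiled[pat] = re.compile(pat, re.IGNORECASE)
        except re.error:
            continue
    return compiled


def matching_triggers(url: str, compiled: Dict[str, Pattern[str]]) -> List[str]:
    """Return the trigger patterns that would fire on the given URL."""
    return [pat for pat, rx in compiled.items() if rx.search(url)]


def audit_urls(urls: List[str], compiled: Dict[str, Pattern[str]]) -> Dict[str, List[str]]:
    """Map each of a defender's own URLs to the triggers that match it."""
    return {url: matching_triggers(url, compiled) for url in urls}


if __name__ == "__main__":
    triggers = compile_triggers(CONSTRUCTED_TRIGGERS)
    # Constructed URLs: two unrelated banks hosted on the same shared platform
    # are both caught by the single platform-wide pattern.
    sample_urls = [
        "https://online.examplebank.test/login",
        "https://bank-a.sharedplatform.test/ebanking/home",
        "https://bank-b.sharedplatform.test/ebanking/home",
        "https://www.unrelated.test/",
    ]
    for url, hits in audit_urls(sample_urls, triggers).items():
        print(f"{url}: {len(hits)} trigger(s) match")
```

Running the audit over a list of an institution’s login and e-banking URLs shows at a glance whether the institution is named directly, swept up by a platform-wide pattern, or not targeted at all.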

CoreBot’s New Financial M.O.

Read more about this malware here
