What is CoreBOT Malware?

The malware's name comes from the file's creator, who named it "core." The Trojan is deployed through a dropper file that leaves the target system as soon as CoreBot is run. To persist, the stealer adds code to the Windows Registry.

The malware can harvest passwords, and its modular plugin design makes it easy for the developer to add other features. CoreBot can't intercept data in real time at the moment, but it poses a danger to email clients, wallets, FTP clients, private certificates, and a few desktop programs.

The sophisticated banking malware CoreBot is making a reappearance to target online banking users via phishing emails, according to security researchers. During the summer of 2015, the nasty CoreBot malware was most active. Deep Instinct researchers discovered a new, updated strain of the virus being spread via malicious spam emails, including Microsoft Office documents.

How Does the CoreBOT Malware Work?

The malware hooks Internet Explorer, Firefox, and Chrome, allowing it to track your browsing history, steal forms you fill out, and perform web injections. The form-grabber kicks in when it identifies a relevant website and steals your personal information.

The web injections are then turned on, causing a phishing page to appear that tricks you into providing further information. Once the cybercriminals behind the fraud are alerted, they use a Man-in-the-Middle (MitM) attack to seize control of the session in real time.

A "please wait" message keeps you occupied while the hacker establishes a virtual network computing (VNC) connection to your targeted destination. Once inside, the cyberthief either starts new transactions or hijacks the current one.

CoreBot presently connects with two domains − vincenzo-sorelli[.]com and arijoputane[.]com, where the Stealer plugin is downloaded. Both domains are registered to the same person, who lives in Russia. The infection also downloads malware from the Internet and updates itself via Windows PowerShell and Microsoft automation and configuration management capabilities.
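
Defenders can treat the two domains above as network indicators. The following Python example is added here and is not part of the original article: it refangs the domains as the article lists them and flags DNS queries for those domains or their subdomains, grouped by client. The log layout, the client addresses, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators exactly as the article gives them (defanged).
DEFANGED_IOCS = ["vincenzo-sorelli[.]com", "arijoputane[.]com"]

def refang(indicator):
    """Turn a defanged indicator ('name[.]com') back into a plain hostname."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def matches_ioc(qname):
    """True if qname is an indicator domain or any subdomain of one."""
    name = qname.strip().rstrip(".").lower()  # drop root dot, ignore case
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)

# Assumed log layout: "<ISO timestamp> <client IP> <query type> <query name>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_hits(lines):
    """Return {client_ip: [(timestamp, qname), ...]} for indicator queries."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, _qtype, qname = m.groups()
        if matches_ioc(qname):
            hits[client].append((ts, qname))
    return dict(hits)

# Constructed sample log lines (documentation IP range, not real telemetry).
SAMPLE_LOG = """\
2015-09-01T10:02:11Z 192.0.2.10 A www.example.com.
2015-09-01T10:02:15Z 192.0.2.23 A vincenzo-sorelli.com
2015-09-01T10:03:40Z 192.0.2.23 A CDN.Arijoputane.com.
2015-09-01T10:04:02Z 192.0.2.31 A notarijoputane.com
2015-09-01T10:05:19Z 192.0.2.10 AAAA arijoputane.com.example.org
""".splitlines()

if __name__ == "__main__":
    for client, events in find_hits(SAMPLE_LOG).items():
        print(client, events)
```

Matching on the exact name or a dot-prefixed suffix avoids false hits on lookalike names that merely contain an indicator string.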

If information-stealing malware like CoreBot infects workplace endpoints, it may steal passwords to important networked resources or use work credentials to syphon personal data from sites outside the firm, according to IBM.

How Did the CoreBot Malware Evolve?

Researchers became interested in the CoreBot malware when they realized that it had a modular design. At the time, CoreBot ranked low on the malware danger scale as a simple data stealer. CoreBot, on the other hand, was unique in that it could be customized to accommodate new mechanisms. The malware's mutability, according to IBM experts, would allow it to become a larger menace in the near future, a prediction that has come true.

The CoreBot infection has developed into a full-fledged banking Trojan in just a few days. The malware's capability has grown significantly over time, and it now includes the following features −

  • Browser hooks for Internet Explorer, Firefox, and Google Chrome;

  • Generic real-time form-grabbing;

  • A virtual network computing (VNC) module for remote control;

  • Man-in-the-middle (MitM) capabilities for session takeover;

  • Pre-configured URL triggers to target banks;

  • A custom web injection mechanism;

  • On-the-fly web injections from a remote server.

The updated version of CoreBot monitors a user's internet connection to check if the victim visits any of the 55 targeted URLs. These URLs go to the websites of 33 financial institutions from the United States (62%), Canada (32%), and the United Kingdom (32%).

When CoreBot detects a connection to a financial institution, it steals the victim's credentials, then uses loading screens and requests for further personal information to delay the user. The malware controller is alerted to the banking activity at this moment and given time to interact with the endpoint user. From here, the malware controller can take control of the Web session and initiate a transfer from the victim's account by using the session cookie.

Updated on: 09-Jun-2022

