CoreBot

The CoreBot malware caught the eyes of researchers late last month, when they discovered that it came equipped with a modular design. At the time, CoreBot was a relatively minor threat on the malware scale, a basic data stealer. However, what made CoreBot special was that it could be modified to include additional mechanisms. IBM researchers predicted this mutability would allow the malware to become a greater threat in the near future, a prediction which has come true.

Within just a few days, the CoreBot malware has evolved into a full-fledged banking Trojan. As the malware evolved, its functionality greatly increased to include the following features:

  • Browser hooking for Internet Explorer, Firefox and Google Chrome;
  • Generic real-time form-grabbing;
  • A virtual network computing (VNC) module for remote control;
  • Man-in-the-middle (MitM) capabilities for session takeover;
  • Preconfigured URL triggers to target banks;
  • A custom webinjection mechanism;
  • On-the-fly webinjections from a remote server.

The new version of CoreBot monitors a user’s internet connection to see if any one of the 55 targeted URLs is visited by the victim. These URLs are associated with the websites of 33 financial institutions from the United States (62%), Canada (32%) and the United Kingdom (6%).

Once CoreBot identifies a connection to a financial institution, it grabs the victim's credentials and attempts to delay the user with loading screens and prompts for more personal information. At this point, the malware controller is notified of banking activity and is given time to connect to the endpoint user. From here, the malware controller can use the session cookie to take over the web session and initiate a transfer from the victim's account.

CoreBot is a newcomer to the world of malware, so it isn't as widespread as other banking Trojans such as Zeus, but given its early success it is only a matter of time before it starts appearing in more campaigns. A greater concern is the fact that CoreBot's modular design gives it a flexibility not seen in other malware. Over the coming months CoreBot could evolve further to include more advanced capabilities.

Security experts report that CoreBot is not currently sold on underground forums, but as its notoriety increases that is likely to change. If you notice any unusual activity during your online banking sessions, you should report it to your institution immediately.

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer