The modular CoreBot malware has risen in sophistication almost overnight through the application of new banking data theft capabilities.
Last month, researchers from IBM Security X-Force explained the inner workings of CoreBot, a strain of malware with an inbuilt modular design. While not sophisticated and fairly basic at the time, the malware caught the eye of researchers due to the future risks it could represent.
CoreBot differs from standard malware as the code allows the bolt-on of additional mechanisms, ranging from endpoint control and data theft modules to fresh exploits taking advantage of zero-day vulnerabilities.
After infecting a system, the malware uses a dropper to write the malware file to disk and to persist itself through a Windows Registry key. At the time, the only module within CoreBot was one for stealing passwords saved in Internet browsers.
At the time, IBM’s team said the malware wasn’t very sophisticated but could “evolve into a more complex threat in the near future.” This prediction has come true, perhaps sooner than the researchers expected.
On Thursday, the firm’s security team said CoreBot has transformed within a matter of days into a fully-fledged banking Trojan.
CoreBot now contains modules for Internet Explorer, Firefox and Google Chrome browser hooking and form grabbing, a virtual network computing (VNC) module for remote control, preconfigured URL triggers for targeting banks, a custom webinjection mechanism and the ability to pull on-the-fly webinjections from remote servers.
In addition, the malware can now perform man-in-the-middle (MITM) attacks — an important component for banking Trojans. In a MITM attack the attacker inserts itself into a supposedly secure channel between the user and the service, so that traffic can be read and altered in transit.
According to IBM, CoreBot contains a list of 55 URLs which launch it into action. The URLs relate to online banking services in the US, Canada and the United Kingdom.
Instead of sticking to its original password theft mechanisms, the new-and-improved CoreBot now grabs victim credentials and uses social engineering techniques to entice a victim into handing out more sensitive data. The controller is then alerted once a session is authenticated. To give the hacker time to get online, interrupt and control the session, CoreBot uses a wait screen as a stalling technique.
“At this point, the fraudster can use the session cookie to merge into the same web session and take over to initiate a transaction or modify the parameters of an existing transfer. The money is subsequently sent to an account the fraudster controls,” the researchers explained.
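The takeover the researchers describe works because the bank's server sees only the session cookie and cannot tell the fraudster's browser from the victim's. The following is an added example, not CoreBot code and not part of IBM's analysis: a hypothetical server-side session binder that records the client IP and User-Agent at login and flags any later request that presents the same cookie from a different client. The request log, cookie values and addresses are constructed for the example.

```python
"""Detect a session cookie being reused from a second client.

Added example (hypothetical web application), not code from the original
article or from IBM X-Force. It binds each session cookie to the IP and
User-Agent seen at login and raises an alert when a later request with
that cookie arrives from a different client.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample request log: (cookie, client ip, user agent, action).
# The first record is the victim's own login. The third and fourth re-use
# the same cookie from a different host and browser, which is what a stolen
# session cookie being replayed by another party looks like server-side.
SAMPLE_REQUESTS = [
    ("c0ffee", "203.0.113.10", "Firefox/40", "login:alice"),
    ("c0ffee", "203.0.113.10", "Firefox/40", "view-balance"),
    ("c0ffee", "198.51.100.7", "Chrome/44", "new-transfer"),
    ("c0ffee", "198.51.100.7", "Chrome/44", "confirm-transfer"),
    ("deadbeef", "192.0.2.5", "IE/11", "view-balance"),  # never logged in
]


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    alerts: List[str] = field(default_factory=list)


class SessionBinder:
    """Binds a session cookie to the client attributes seen at login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, cookie: str, user: str, ip: str, user_agent: str) -> None:
        # Record who authenticated and from which client.
        self._sessions[cookie] = Session(user, ip, user_agent)

    def check(self, cookie: str, ip: str, user_agent: str, action: str) -> str:
        """Return 'ok', 'hijack-suspected' or 'unknown-session'."""
        s = self._sessions.get(cookie)
        if s is None:
            return "unknown-session"
        mismatches = []
        if ip != s.ip:
            mismatches.append(f"ip {s.ip}->{ip}")
        if user_agent != s.user_agent:
            mismatches.append(f"ua {s.user_agent!r}->{user_agent!r}")
        if mismatches:
            # Keep the evidence on the session so it can be reviewed or
            # used to force step-up authentication before a transfer.
            s.alerts.append(f"{action}: " + ", ".join(mismatches))
            return "hijack-suspected"
        return "ok"

    def alerts_for(self, cookie: str) -> List[str]:
        s = self._sessions.get(cookie)
        return list(s.alerts) if s else []


def replay(requests) -> Tuple[SessionBinder, List[str]]:
    """Feed a request log through the binder; return it and one verdict per request."""
    binder = SessionBinder()
    verdicts = []
    for cookie, ip, ua, action in requests:
        if action.startswith("login:"):
            binder.login(cookie, action.split(":", 1)[1], ip, ua)
            verdicts.append("ok")
        else:
            verdicts.append(binder.check(cookie, ip, ua, action))
    return binder, verdicts


if __name__ == "__main__":
    binder, verdicts = replay(SAMPLE_REQUESTS)
    for (cookie, ip, ua, action), v in zip(SAMPLE_REQUESTS, verdicts):
        print(f"{v:17} {action:17} from {ip} {ua}")
    for alert in binder.alerts_for("c0ffee"):
        print("ALERT", alert)
```

On the sample log the two transfer requests are flagged while the victim's own requests pass. A mismatch in IP or User-Agent is a risk signal rather than proof of fraud (mobile users change addresses legitimately), so a real deployment would combine it with step-up authentication on transaction steps instead of silently terminating the session.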
While CoreBot is not as widespread as other well-known banking Trojans, such as Zeus, IBM says it is only “a matter of time” before the malware starts appearing in targeted campaigns — and its capabilities may be increased further.
At the moment CoreBot is not being sold on the underground, but this too could change in the future.