A new piece of data-stealing malware has a real thirst for credentials—and the potential for worse trouble down the line.
IBM today published a report on CoreBot, generic information-stealing malware designed with enough flexibility to soon ramp up its capabilities to exfiltrate data in real time.
“CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms,” wrote IBM security evangelist Limor Kessem.
Right now, IBM said some security detection systems are flagging CoreBot as Dynamer!ac or Eldorado. For now, it seems content vacuuming up system and email credentials, as well as software keys; all of the stolen data has value to cybercrime groups.
The worrisome part of CoreBot, IBM said, is its modular design.
“CoreBot’s most interesting facility is its plugin system, enabling it to be modular and easily supplemented with new theft capabilities,” Kessem said. “CoreBot downloads plugins from its command-and-control (C&C) server right after setting its persistence mechanism on the endpoint. It then loads the plugins using the plugininit export function in the plugin’s DLL.”
The lone plugin CoreBot uses right now is called Stealer, IBM said. It steals passwords saved in the browser and is capable of scanning all major browsers for credentials. It also searches a long list of FTP clients, mail clients, Webmail services, cryptocurrency wallets, private certs and data from desktop applications. IBM said, however, that CoreBot cannot yet steal browser data in real time.
“Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user’s personal accounts, including bank account credentials, email and e-wallets,” Kessem said. “When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will.”
IBM also spotted a de-activated domain generation algorithm in the malware; the algorithm builds domains geographically according to where the infected bots are located.
“A rather interesting concept for malware that is merely a generic stealer,” Kessem said. “With the DGA, the domain name is supposed to only be known in advance to the malware’s operator, thus preventing security researchers from being able to take down the site or for other criminals to hijack the botnet.”
CoreBot currently communicates with two domains—vincenzo-sorelli[.]com and arijoputane[.]com—from where it downloads the Stealer plugin. The domains are registered to the same individual at a Russian address. The malware also uses Windows Power Shell and Microsoft automation and configuration management tools to download malware from the Internet, as well as update itself.
IBM cautions that should information-stealing malware such as CoreBot infect enterprise endpoints, it can steal credentials to critical networked resources, or use work credentials on sites outside the organization to siphon personal data.
“It is important to keep in mind that Trojan operators will typically exfiltrate confidential business data like customer information, budget plans or even confidential insider information,” Kessem said. “Therefore, even a few infected endpoints inside the organization can end in very significant data security consequences.”