Corebot, TVSPY and shady marketplace possibly correlated

Damballa reports that one Corebot-involved email address appears to indicate that some stolen data is being sold on a nefarious digital marketplace.

Following the discovery of Corebot, a banking trojan, Damballa reported that one involved email address appears to indicate that some stolen data is being sold on a nefarious digital marketplace.

IBM Security X-Force identified a sample of the malware that communicates with domains registered to drake.lampado777[at]gmail[.]com. Damballa noted, however, that both domains appeared to be down at the time its blog post was published.

The same IP address was also evidently used to register a new domain in July, btcshop[dot]cc, which hosts an online shop selling lists of SOCKS (Socket Secure) proxies and personally identifiable information. The site primarily lists infected machines turned into proxies for "further malicious activity," the blog post stated.

The post also draws a connection between the email address and a TVSPY command-and-control (C&C) server. Although it appears that one person might be using both Corebot and TVSPY to collect personal information, it is also possible that the activity belongs to a single group rather than an individual.
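The correlation described in the post, linking a banking trojan's C&C domains, a marketplace domain and a second family's C&C server through shared registration details, is a standard infrastructure pivot. The following is an added example of that pivot, not code from Damballa or IBM X-Force, and it says nothing about how either company actually did the analysis. Every record, domain, e-mail address and IP in it is constructed; the `registrar_ip` field is a hypothetical stand-in for the "same IP address" the article mentions. The one caveat a practitioner needs is built in: an attribute shared by too many domains (a privacy-proxy contact, a bulk DNS host) is not followed, because it links unrelated sites rather than one actor.

```python
"""Pivot across WHOIS-style records on shared registration attributes.

Added example; not Damballa's or X-Force's code. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    registrar_ip: str      # hypothetical "registered from" IP (assumption)
    name_server: str


# Constructed sample data: two trojan C&C domains and a second-family C&C
# share a registrant e-mail; a marketplace domain shares only the IP.
# The remaining records are noise behind a privacy proxy and a bulk host.
SAMPLE_RECORDS: List[WhoisRecord] = [
    WhoisRecord("corebot-panel-a.example", "actor@mail.example", "198.51.100.7", "ns1.bulkhost.example"),
    WhoisRecord("corebot-panel-b.example", "actor@mail.example", "198.51.100.7", "ns1.bulkhost.example"),
    WhoisRecord("btcshop.example", "other@mail.example", "198.51.100.7", "ns2.bulkhost.example"),
    WhoisRecord("tvspy-c2.example", "actor@mail.example", "203.0.113.9", "ns1.bulkhost.example"),
    WhoisRecord("shop-legit.example", "contact@privacyproxy.example", "192.0.2.1", "ns1.bulkhost.example"),
    WhoisRecord("blog-legit.example", "contact@privacyproxy.example", "192.0.2.2", "ns1.bulkhost.example"),
    WhoisRecord("news-legit.example", "contact@privacyproxy.example", "192.0.2.3", "ns1.bulkhost.example"),
    WhoisRecord("forum-legit.example", "contact@privacyproxy.example", "192.0.2.4", "ns1.bulkhost.example"),
]

PIVOT_FIELDS: Tuple[str, ...] = ("registrant_email", "registrar_ip", "name_server")

Link = Tuple[int, Optional[str], Optional[str]]   # (depth, field, value)


def build_index(records: Iterable[WhoisRecord]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (field, value) -> set of domains carrying that value."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rec in records:
        for field in PIVOT_FIELDS:
            index[(field, getattr(rec, field))].add(rec.domain)
    return index


def pivot(records: Iterable[WhoisRecord], seed_domains: Iterable[str],
          max_shared: int = 3, max_depth: int = 2) -> Dict[str, Link]:
    """Expand from seed domains along shared WHOIS attributes.

    A (field, value) pair carried by more than `max_shared` domains is treated
    as non-discriminating (privacy-proxy e-mail, bulk nameserver) and is not
    followed. Returns {domain: (depth, field, value)} recording how each
    domain was reached; seeds have depth 0 and no field/value.
    """
    records = list(records)
    by_domain = {r.domain: r for r in records}
    index = build_index(records)
    found: Dict[str, Link] = {d: (0, None, None) for d in seed_domains if d in by_domain}
    frontier = list(found)
    for depth in range(1, max_depth + 1):
        next_frontier: List[str] = []
        for domain in frontier:
            rec = by_domain[domain]
            for field in PIVOT_FIELDS:
                key = (field, getattr(rec, field))
                if len(index[key]) > max_shared:
                    continue            # too common to attribute to one actor
                for linked in sorted(index[key]):
                    if linked not in found:
                        found[linked] = (depth, field, key[1])
                        next_frontier.append(linked)
        frontier = next_frontier
        if not frontier:
            break
    return found


if __name__ == "__main__":
    for dom, (depth, field, value) in pivot(SAMPLE_RECORDS, ["corebot-panel-a.example"]).items():
        print(f"{dom:28s} depth={depth} via {field}={value}")
```

Starting from a single C&C domain, the walk reaches the second panel and the TVSPY server through the shared registrant e-mail and the marketplace domain through the shared IP, while the four privacy-proxy domains stay out because their contact address and bulk nameserver exceed `max_shared`. The threshold matters: tightening it to 2 stops the walk at the seed, since the real actor's e-mail also appears on three domains, so it should be tuned against the size of the data set rather than fixed.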
