Corebot, TVSPY and shady marketplace possibly correlated

Following the discovery of Corebot, a banking trojan, Damballa reported that one involved email address appears to indicate that some stolen data is being sold on a nefarious digital marketplace.

IBM Security X-Force identified a sample of the malware that communicates with domains registered to drake.lampado777[at]gmail[.]com. Damballa noted, however, that both domains appeared to be down at the time its blog post was published.

The same IP address also evidently registered a new domain in July, btcshop[dot]cc. The domain serves up an online shop selling lists of Socket Secure (SOCKS) proxies and personally identifiable information. The site primarily lists infected machines that have been turned into proxies for "further malicious activity," the blog post stated.

The post also draws a connection between the email address and a TVSPY Command & Control (C&C) server. Although it appears that one person might be using both Corebot and TVSPY to collect personal information, it is also possible that the activity belongs to a single group.
