Incident Response, TDR

IBM: CoreBot now ready for front line use as banking Trojan

IBM's X-Force research team has reported that the recently discovered CoreBot malware has lived up to its earlier warnings quickly transforming into a full-fledged banking Trojan that is active in the wild.

CoreBot, reported initially by X-Force on September 2, has already metastasized from a generic information swiper into a multi-faceted weapon that is targeting 33 financial institutions in the United States, Canada and the U.K. IBM credited the malware's change to its modular design that allows criminals to easily and quickly add new capabilities.

“CoreBot's modular design was very telling that it was in preparation for more plugins. It's likely that there was additional development being done to the malware happening in parallel, which contributed to CoreBot's quick upgrade,” Limor Kessem, IBM Security's cybersecurity evangelist, told SCMagazine.com in a Friday email.

So far these new abilities include browser hooking for Internet Explorer, Firefox and Google Chrome, generic real-time form grabbing, a virtual network computing module for remote control, man-in-the-middle capabilities, preconfigured URL triggers to target banks, a custom webinjection mechanism and on-the-fly webinjections from a remote server, according to the IBM report.

CoreBot is now armed with 55 URL triggers that cause it to attack the online banking sites. Once in action, CoreBot's first step is to grab the victim's credentials; the malware then uses social engineering to con the victim into disclosing personally identifiable information and then commences to take over the session, the IBM report said.

So far CoreBot has not inflicted much damage, but that could change.

“CoreBot was found and is active in the wild. Currently it is not wide spread, however, we anticipate that it will spread in the coming weeks,” Kessem explained.

While Kessem could not say for certain who are the bad actors implementing the new and improved version of CoreBot, she noted that “The registrar of domains used by CoreBot to communicate carry an Eastern European name and an email address that appears in Russian-speakers' hacking forums.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.