IBM: CoreBot malware – simple but dangerous info stealer

IBM's X-Force research team has uncovered a new piece of data-swiping malware whose modular design allows it to be quickly altered and made even more dangerous.

CoreBot's main threat is its ability to steal passwords stored in the endpoint's browser in areas such as webmail accounts, ewallets, private certificates and other personal data sources. Even though CoreBot is described as a generic information swiper, the IBM team said it considered it quite dangerous and capable of inflicting a great deal of harm.

"Generic malware is frequently the sort of Trojan that harvests passwords indiscriminately, which ends up compromising a broader set of the user's personal accounts, including bank account credentials, email and e-wallets," the IBM report stated. "When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will."

CoreBot is installed via a dropper. When executed, the dropper launches a svchost process that writes and launches the malware, after which the dropper itself exits.
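The install behaviour above leaves a process-lineage trace a defender can look for: on a default Windows install svchost.exe is started by services.exe, so a svchost.exe whose parent is some other binary (especially one in a user-writable folder) is worth an alert. The following is an added example, not code from IBM or SC Media; the log format and the sample lines are constructed for the example, and the allowed-parent list is an assumption that would need tuning per environment.

```python
import re
from typing import List, Optional, Tuple

# Constructed process-creation log lines (not real CoreBot telemetry), in a
# simplified "key=value|key=value" form assumed for this example.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|ParentPid=652
Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Users\bob\AppData\Local\Temp\invoice.exe|ParentPid=4120
Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe|ParentPid=900
Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\explorer.exe|ParentPid=1188
""".strip().splitlines()

LINE_RE = re.compile(r"^Image=(?P<image>[^|]+)\|ParentImage=(?P<parent>[^|]+)\|ParentPid=(?P<ppid>\d+)$")

# Assumed baseline: svchost.exe is normally started by services.exe. A dropper
# that launches its own svchost to host a payload breaks that lineage.
EXPECTED_SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (image, parent_image, parent_pid), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("image"), m.group("parent"), int(m.group("ppid"))

def classify(image: str, parent_image: str) -> Optional[str]:
    """Return a finding for a suspicious svchost.exe launch, else None."""
    if image.lower().rsplit("\\", 1)[-1] != "svchost.exe":
        return None  # only svchost lineage is in scope here
    parent = parent_image.lower()
    if parent in EXPECTED_SVCHOST_PARENTS:
        return None  # normal service-host start
    if parent.startswith(USER_WRITABLE_PREFIXES):
        return "svchost.exe spawned by a binary in a user-writable path (dropper-like)"
    return "svchost.exe spawned by an unexpected parent"

def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines and return (parent_pid, parent_image, finding) per hit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole scan
        image, parent_image, ppid = parsed
        finding = classify(image, parent_image)
        if finding:
            findings.append((ppid, parent_image, finding))
    return findings

if __name__ == "__main__":
    for ppid, parent, finding in scan(SAMPLE_LOG):
        print(f"parent pid {ppid} ({parent}): {finding}")
```

On real hosts some legitimate software does start svchost.exe directly, so the allowed-parent set should be extended from observed baselines before this is used for alerting.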

In CoreBot's case the danger is magnified by the malware's modular design. The X-Force report noted this enables it to be easily upgraded with new theft capabilities.

Defending against CoreBot and other malware is a long shot, and IBM recommended limiting exposure through employee awareness (in other words, educating staff not to open suspicious email) and through defensive software that can stop malware at the exploitation and launch stages.
