The Lowdown on CoreBot, the Malware that Thinks it’s a Transformer

Have you heard of Modular Malware? How about CoreBot?

Modular malware is malware that can be outfitted with additional plugins to evolve and expand its data theft capabilities. CoreBot is the latest example of the mutating dangers that modular malware presents.

“There’s more than meets the eye “- Optimus Prime

CoreBot was discovered by IBM researchers in late August 2015. Upon its arrival to the malware scene, its capabilities were that of a measly password stealer.

IBM warned then that this wouldn’t be the end of it though, based on previous modular malware – they predicted that in good Megatron fashion, CoreBot would become a powerful force to be reckoned with.

Just a few days later IBM announced that their researchers found evidence that CoreBot had indeed evolved into a full-blown banking trojan. What was just a few days before a relatively unimpressive stealer is now fully capable of stealing all your banking credentials and robbing you blind.

CoreBot joins the ranks of similar high-profile banking trojans like Dyre and Zeus whose modus operandi is to steal login info and then go in for the kill by using social engineering tactics to encourage targets into revealing even more sensitive information. Banking trojans steal millions of dollars each year from personal and business accounts and now they have a new partner-in-crime who can just keep evolving to evade detection.

Once it has collected password and login data, it’s sent back to the developers where they wait for users to log into their bank. They are alerted when the target next tries to access their bank. Then while the creator also logs and accesses the victim’s login, a simple waiting screen pops up which ensures that the creator can log on in time as well. This is where the creator can merge the two sessions and change information so that any money transfers are sent to the creator and not the intended destination.

New and Improved! (…and evil)

CoreBot now contains modules for accessing Chrome, Internet Explorer and FireFox where it can eavesdrop on web browsing and steal data. It also supports Man-in-the-middle attacks, which means that the attacker secretly relays information between two parties who think that they are communicating directly with each other.

It also has a remote network module, which gives it access to networks that are supposed to be more secure than a regular network. It can also update itself to the most advanced model and can be used to install additional malware so the fun just never ends.

Okay, deep breath now.

Yes, CoreBot is scary but at the moment it’s not all that common and its progress is being carefully monitored for any advancements by IBM and other researchers.
The best defense against CoreBot and malware in general (and maybe decepticons, too) is to create an overarching environment of continuing security education and to make sure you have a strong malware blocking solution like Reason Core Security (which we are happy to report protects against CoreBot and its variants) in place.

Happy banking!

Leave a Reply