Just last month, Security Intelligence warned about a new and modular Trojan called CoreBot, indicating its internal structure suggested a new threat about to evolve.

CoreBot’s developers did not wait long. Within a matter of days, new samples of CoreBot, discovered and analyzed by IBM X-Force researchers, revealed that the malware has become a full-fledged banking Trojan — almost overnight. This seemingly quick evolution is most likely due to a longer development and testing phase that just recently ended.

What has been added to CoreBot to become a banking Trojan? In short:

• Browser hooking for Internet Explorer, Firefox and Google Chrome;
• Generic real-time form-grabbing;
• A virtual network computing (VNC) module for remote control;
• Man-in-the-middle (MitM) capabilities for session takeover;
• Preconfigured URL triggers to target banks;
• A custom webinjection mechanism;
• On-the-fly webinjections from a remote server.

Learn more about Staying ahead of threats with global threat intelligence

CoreBot’s Targets

CoreBot now comes with a list of 55 URL triggers that launch it into action. All triggers are online banking sites in the U.S., Canada and the U.K. The triggers include the corporate banking, business banking and private banking pages of 33 target financial institutions.

CoreBot’s configuration file appears to be using a trigger format that is very similar to Dyre’s, where not all URLs are very precise. Rather, the triggers are written in regular expressions (RegEx) format, which helps the Trojan fixate on URL patterns and thus target a wider array of financial institutions that use the same electronic banking platforms.

CoreBot’s New Financial M.O.

With its new theft mechanisms, CoreBot has a new modus operandi. Instead of only stealing stored passwords, it now acts like other banking Trojans such as Zeus, Dyre and Dridex:

• To begin, CoreBot grabs the victim’s credentials.
• It displays social engineering to manipulate the victim into divulging more information/personally identifiable information (PII).
• The Trojan alerts the fraudster to get online once a session has been authenticated.
• The malware displays a wait notice to stall the victim while the fraudster connects to the endpoint via VNC and takes the session over.

• At this point, the fraudster can use the session cookie to merge into the same Web session and take over to initiate a transaction or modify the parameters of an existing transfer. The money is subsequently sent to an account the fraudster controls.

Browser Hooking

In its previous version, CoreBot was only defined as an information stealer because it did not possess the capabilities that would enable it to steal username and password combinations in real time from the victim’s browser. This has changed, and CoreBot now hooks the three most popular browsers — Google Chrome, Mozilla Firefox and Internet Explorer — to be able to monitor browsing, steal data and apply webinjections.

Some of CoreBot’s hooks are:

Hooked Functions in Chrome

– WS2_32!closesocket

– WS2_32!connect (+0xcd1)

– WS2_32!WSASend (+0x1fe9)

– WS2_32!WSAConnect (+0x52f4)

– WS2_32!WSAConnectByList (+0xf5cd)

– WS2_32!WSAConnectByNameW (+0x552)

– WS2_32!WSAConnectByNameA (+0x387)

– CRYPT32!CertGetCertificateChain

– CRYPT32!CertVerifyCertificateChainPolicy (+0x21df)

– mswsock!MSAFD_ConnectEx

Hooked Functions in Firefox

– nss3!CERT_VerifyCertificate

– CRYPT32!CertGetCertificateChain

– WS2_32!closesocket

– WS2_32!WSASend (+0x1fe9)

– WS2_32!WSAConnect (+0x52f4)

– WS2_32!send (+0x92d)

– WS2_32!WSAConnectByList (+0xf5cd)

– WS2_32!WSAConnectByNameW (+0x552)

– WS2_32!WSAConnectByNameA (+0x387)

Hooked Functions in IE

– WS2_32!closesocket

– WS2_32!connect (+0xcd1)

– WS2_32!WSASend (+0x1fe9)

– WS2_32!WSAConnect (+0x52f4)

– WS2_32!send (+0x92d)

– WS2_32!WSAConnectByList (+0xf5cd)

– WS2_32!WSAConnectByNameW (+0x552)

– WS2_32!WSAConnectByNameA (+0x387)

– CRYPT32!CertGetCertificateChain

– CRYPT32!CertVerifyCertificateChainPolicy (+0x21df)

Generic Form-Grabbing

Since it has the relevant browser’s functions hooked, CoreBot can begin grabbing form data sent in HTTP requests. The Trojan waits for the victim to hit the login button and steals the entire HTTP post request, similar to the way the Dyre Trojan grabs the same data. The request contains the URL from which it was stolen, the username and password entered by the victim, the victim’s user agent string and some parameters the Trojan transmits to its operator about cookies.

This grabbing is generic in nature, hence it steals any authentication credentials entered on the browser. These include access to banks and any other Web resources the victim might access (webmail, online wallets and social networks, to name a few).

New MitM Plugin

CoreBot’s modular structure was constructed with additional plugins in mind. After the first stealer plugin for the theft of stored passwords, CoreBot now has a new MitM plugin, named mk1.pdb. CoreBot’s operator uses this capability to take over post-login online banking session.

‘Ping’ the Fraudster!

In order to be online at the same time as the victim, CoreBot’s operators use a manual MitM attack scenario. They have programmed the malware to alert them with an instant message as soon as a specific bot comes online so that they can be ready to take the session over.

Along with CoreBot’s alert, the malware counts the number of times the same bot initiated a banking session and presents the new total to the fraudster. For example: “sess_id”:15.

This alert to the fraudster is part of a familiar manual MitM attack scenario used often in previous years when account takeover became more challenging. When blocked by detection that relied on IP addresses, device ID, user agent strings or device fingerprints, fraudsters opted for this manual intervention in order to attempt fraud from the original device. It is still used today by fraudsters to bypass device-based security.

Stay ahead of threats with global threat intelligence and automated protection

Virtual Network Computing

VNC is a popular Trojan plugin, and CoreBot now possesses one of its own. While VNC is not inherently malicious, many fraudsters use these graphical desktop sharing systems to remotely control infected endpoints and abuse them for spam, proxying Web traffic and fraudulent transactions.

CoreBot uses a Hidden VNC bot called hVNC as a plugin to remotely control endpoints while remaining invisible to the user. This module was allegedly created by the Zeus Trojan’s author, used by the Carberp Trojan, as well. The Hidden VNC opens another instance of the desktop, where the fraudster can move around freely yet be on the same device as the victim.

In CoreBot’s case, it appears that the VNC is also used to take over the webcam, but the meaning of “webcam” in this sense is not entirely clear. This could either mean the fraudster is checking if the victim is on the PC via the webcam, which is something remote-access tool (RAT) malware like BlackShades was infamous for. Or it could relate to a cam that records videos of the desktop in the same manner the Carbanak gang did in order to get familiar with more banking systems through watching victims operate them.

Custom Webinjection Mechanism

CoreBot contains triggers that launch webinjections of social engineering content to harvest data from the victim in order to conduct fraudulent transactions. The injection mechanism itself was surprisingly not borrowed from other malware, but is custom-made code that CoreBot’s author programmed.

Beyond the more typical injections designed for credential theft from infected customers of each targeted bank, CoreBot has a more intent focus on five major Canadian banks. In the case of these banks, CoreBot activates on-the-fly injections that are not saved locally in the configuration file, fetching them from a remote webinjection server.

This method is considered more advanced, and it is used today by malware like Dyre, Shifu and Dridex, for example. The purpose of a just-in-time injection is to conceal it from the eyes of security researchers, to quickly switch the injection when banks change the transaction authorization challenges they present customers with and to interact with victims more effectively in real time.

What’s Next for CoreBot?

After the changes CoreBot has seen of late, this malware should be considered a banking Trojan like any other. While it is not as widely distributed as other malware of this sort, it is only a matter of time before it starts appearing in malware campaigns designed to infect users in its target geographies.

Another point to keep in mind is that CoreBot is an active project that is in current development. It is likely we may learn more about new capabilities in the coming months and see it targeting other regions around the world. At this time, CoreBot is not being sold in the underground, but that, too, could change.

Fighting CoreBot

With IBM Security Trusteer solutions, financial organizations benefit from access to a real-time malware intelligence network that provides insight into fraudster techniques and capabilities — like the evolution of CoreBot into a banking Trojan, for example.

This global threat intelligence serves as the foundation for IBM Security Trusteer automated threat protection capabilities and is used by IBM Security experts to help develop and deliver new protections for organizations like yours.

At IBM, a research and development (R&D) team of security experts scrutinizes threat intelligence as it arrives. IBM Security Trusteer solutions use this intelligence to deliver flexible protection layers that can be rapidly configured and updated by IBM R&D staff. As a result, shortly after new threats emerge or mutate, new protections are automatically deployed back into Trusteer software without any intervention by bank security staff and without any noticeable impact to banking customers.

To keep up to date about CoreBot and other malware join the IBM X-Force Exchange platform.