It has been reported that variants of a new Trojan named "Corebot", which targets financial institutions, are spreading. The malware infects machines running Microsoft Windows operating systems. It propagates by means of drive-by-download attacks, email attachments and removable drives. The malware is capable of performing the following functions:
- Steals data such as stored credentials and web money wallets from compromised machines.
- Monitors and hijacks web sessions.
- Launches man-in-the-middle attacks by hooking browsers such as Firefox, Internet Explorer and Chrome.
- Injects itself into a genuine Windows process (svchost.exe) and then deletes itself.
- Initiates VNC sessions.
- Makes network connections to send exfiltrated data to the C2 server.
- Downloads and installs other malicious binaries or plugins on the victim's machine.
- Uses a Domain Generation Algorithm (DGA) to generate C2 domains dynamically, hiding its C2 communications.
Aliases: Infostealer.Corebot [Symantec], Infostealer.Corebot!g1 [Symantec], Win32/Corebot [Microsoft]
Indicators of Infection
File System Changes:
On successful installation, the file system changes made by the malware are given below:
Value: "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"
The malware communicates with its command and control (C2) server either to receive commands or to upload data exfiltrated from the victim's machine. The observed C2 server pattern is given below:
- http://[generated by DGA].ddns.net
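The two indicators above can be checked offline against host file-creation logs and DNS query logs. The script below is an added example and is not part of the CERT-In advisory: it matches the drop path template (the advisory gives the Windows XP-style "Application Data" folder name; accepting the Vista-and-later "AppData\Roaming" equivalent is this example's assumption) and flags ddns.net subdomains whose label looks machine-generated. The advisory does not describe the DGA itself, so the length and Shannon-entropy heuristic is an assumption of this example, not Corebot's algorithm, and the sample paths and DNS log lines are constructed. Because the malware injects into svchost.exe and deletes itself, the dropped file may already be gone when a host is examined, which is why the DNS check is worth running alongside the file check.

```python
"""Offline checks for the Corebot indicators above (added example, not advisory code).

Assumptions: the drop-path regex (including the AppData\\Roaming alias), the
entropy heuristic for DGA labels, and all sample data are this example's own.
"""
import math
import re
from collections import Counter

# 8-4-4-4-12 hex GUID, with or without surrounding braces.
GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"

# %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe
# On Vista and later "Application Data" is a junction to AppData\Roaming,
# so both spellings are accepted (assumption, not from the advisory).
COREBOT_DROP_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\Microsoft\\(" + GUID + r")\\(" + GUID + r")\.exe$",
    re.IGNORECASE,
)


def match_drop_path(path):
    """Return (dir_guid, exe_guid) without braces if path matches the drop pattern, else None."""
    m = COREBOT_DROP_RE.search(path)
    if not m:
        return None
    return (m.group(1).lower().strip("{}"), m.group(2).lower().strip("{}"))


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_ddns_label(fqdn, min_len=10, min_entropy=3.0):
    """Return the label directly under ddns.net if it looks machine-generated, else None.

    Heuristic (assumption): DGA labels tend to be long with near-uniform character
    frequencies. Legitimate ddns.net users exist, so a hit is a lead to confirm
    against the other indicators, not a conviction on its own.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-2:] != ["ddns", "net"]:
        return None
    label = labels[-3]
    if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
        return label
    return None


def scan_dns_log(lines):
    """Return (client_ip, fqdn, label) for each suspicious query.

    Log format assumed for this example: '<timestamp> <client_ip> <qtype> <name>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, name = parts
        label = suspicious_ddns_label(name)
        if label:
            hits.append((client, name.lower(), label))
    return hits


# Constructed sample data (not from the advisory).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\Microsoft\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\a1b2c3d4-e5f6-7890-abcd-ef1234567890\0f0e0d0c-0b0a-0908-0706-050403020100.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepad.lnk",
]
SAMPLE_DNS = [
    "2015-09-01T10:00:01 10.0.0.15 A xk3q9zl2mfo8.ddns.net",
    "2015-09-01T10:00:02 10.0.0.15 A myofficecam.ddns.net",
    "2015-09-01T10:00:03 10.0.0.22 A home.ddns.net",
    "2015-09-01T10:00:04 10.0.0.22 A a8f3kd92lqzx.example.com",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("drop-path match:", match_drop_path(p), "<-", p)
    for hit in scan_dns_log(SAMPLE_DNS):
        print("suspicious DGA-style C2 lookup:", hit)
```

Run against real data by feeding file-creation events (for example, Sysmon event ID 11 paths) to match_drop_path and resolver query logs to scan_dns_log; both GUIDs are returned so an analyst can see whether the directory and executable share a GUID, which the advisory's template does not specify. The example domain "a8f3kd92lqzx.example.com" is deliberately not flagged: the advisory only ties Corebot's DGA to ddns.net, and widening the check to every high-entropy name would raise the false-positive rate considerably.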
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003