Corebot banking trojan returns - after modifying indicators of compromise

News by Rene Millman

A new variant of the banking Trojan CoreBot, which was mainly active in the summer of 2015, has been spotted by security researchers, spreading via malicious Office documents.

According to a blog post by IT security firm Deep Instinct, the new variant is distributed using malicious spam emails with Office documents as attachments. The documents contained VBA scripts which users were tricked into running, leading to the payload being downloaded and executed.

“In the latest attack wave, which seems to have started 24 hours ago, spam emails notify targeted users of an invoice,” said Deep Instinct researchers Tal Leibovich and Shaul Vilkomir-Preisman.

The email contains a link (“View Invoice”) which, once clicked, downloads an executable from hxxp://. Another URL hosted on the same IP address, hxxp://, has been spreading an EMOTET variant over the last several days. Additionally, the executable is downloaded to two locations on the victim's machine.

Upon download and execution, a scheduled task is created to run the payload and ensure its persistence. The payload process will then perform a connectivity IP check against hxxp://, deploy encrypted configuration files and a Dynamic-Link Library (DLL) in a similar fashion to the one seen in previous versions, warned researchers.

Memory dumps taken at run time reveal that the C2 domain name remains checkbox.bit and is accessed over HTTPS on port 443, just as in the last version. However, the domain has now moved to a different IP address –

“The sample tries to evade analysis by checking for several processes indicating sandboxing: sbiedll.dll, api_log.dll, vmcheck.dll, and cuckoomon,” said researchers. “We are continuing to analyse the sample and investigate related infrastructure (which appears to be related to other active banking malware campaigns).”
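As an added illustration (not code from Deep Instinct or from this article), the Python example below hunts for the behaviour described above rather than for a file hash or IP address: a DNS lookup for a .bit name, ranked higher when it follows a scheduled-task creation on the same host. The event format, event type names, host names and sample records are constructed assumptions; .bit names sit outside the public DNS root, so lookups for them are unusual on ordinary corporate hosts.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not from the article): (time, host, event type, detail).
# The event type names "task_created" and "dns_query" are hypothetical.
EVENTS = [
    ("2018-01-10T09:00:05", "ws-01", "task_created", r"\Updater -> C:\Users\a\AppData\Roaming\x.exe"),
    ("2018-01-10T09:00:40", "ws-01", "dns_query", "checkbox.bit"),
    ("2018-01-10T09:01:00", "ws-02", "dns_query", "example.com"),
    ("2018-01-10T09:02:00", "ws-03", "task_created", r"\Backup -> C:\Program Files\Backup\b.exe"),
    ("2018-01-10T11:30:00", "ws-03", "dns_query", "wiki.bit"),
    ("2018-01-10T09:05:00", "ws-04", "dns_query", "Portal.BIT."),
]


def is_bit_domain(name):
    """True for names under .bit, a TLD that is not in the public DNS root."""
    labels = name.strip().rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "bit"


def hunt(events, window=timedelta(minutes=10)):
    """Return {host: (severity, domain)}. Severity is 'high' when the .bit
    lookup follows a scheduled-task creation on that host within `window`,
    'medium' for a .bit lookup with no recent task creation."""
    rank = {"medium": 1, "high": 2}
    last_task = {}   # host -> time of the most recent task creation
    findings = {}
    for ts, host, kind, detail in sorted(events):   # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if kind == "task_created":
            last_task[host] = when
        elif kind == "dns_query" and is_bit_domain(detail):
            recent = host in last_task and when - last_task[host] <= window
            severity = "high" if recent else "medium"
            domain = detail.strip().rstrip(".").lower()
            # Keep only the highest-severity finding per host.
            if rank[severity] > rank.get(findings.get(host, ("", ""))[0], 0):
                findings[host] = (severity, domain)
    return findings


if __name__ == "__main__":
    for host, (severity, domain) in sorted(hunt(EVENTS).items()):
        print(f"{host}: {severity} - .bit lookup for {domain}")
```

Because the rule keys on the lookup and the persistence step, it keeps firing when the C2 address or the file signature changes.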

Tony Rowan, chief security consultant at SentinelOne, told SC Media UK that threat actors routinely re-use old code. “If it worked before, why not again? It's much easier and cheaper than building a new attack from the ground up,” he said. “This is business as usual for the attackers. We are seeing hundreds of thousands of unique "new" malware each day. These aren't really new. They are variants of previous ones.”

“To make an old attack like CoreBot effective again, you simply have to make changes to the key indicators of compromise that would give it away. Modify the code so that the signature is different (trivial), improve its detection avoidance and change its command and control structure. That all requires some work but it is minor compared to a completely new attack development,” said Rowan.

He added that relying on legacy prevention security systems doesn't work.

“The answer is to apply a full security approach that includes prevention, detection, automatic mitigations and of course the forensic tools to investigate what has happened so that you can determine if any further remediation actions are required,” said Rowan.

“Ideally you would also include security assurance that can confirm that a particular threat is or is not present on your estate. Gartner is suggesting that all of this should be done in a converged platform and that's something I fully support as an approach.”

Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that banking malware is currently the third easiest threat to monetise after ransomware and digital currency miners.

“Bitdefender is closely monitoring this space and we can confirm that Banker malware is once again on the rise, as older families such as Corebot, Qbot and Terdot re-emerge with upgraded capabilities. Banker malware is usually active in areas where simpler, less-risky malware such as ransomware does not monetise well (either because users would rather start from scratch or because they have been well educated to take proactive measures),” he said.

“Initially, CoreBot started as a multi-purpose tool capable of providing backdoor access as well as an easy way to steal private information from the victim, but because of its modular architecture, it can develop new features and run any type of attack its operators need. Occasionally, botnet operators close affiliate deals with creators of other types of malware to deploy the latter's threats in exchange for a fee.”
