Morphing malware is growing up

Just a few weeks ago, the CoreBot Trojan was happily causing mischief as a login credential stealer. Now it has turned into a fully fledged bank robber instead. As malware goes modular and starts morphing, investigates the threat...

Back at the start of the month, was warning that IBM had discovered CoreBot used a modular design that gave it the ability to be quickly altered and potentially made all the more dangerous. That prediction has borne fruit, and the malware has morphed from a pretty generic (modular design apart) and boring credential swiper into a multi-faceted bank-robbing weapon. It is already targeting banks and other financial institutions across the US and UK, and the speed at which it has changed tack suggests that a parallel development process was going on from the get-go. CoreBot could be the start of something big, something rather nasty.

What it isn't, is something altogether new. Wind back four years and the Sunspot Windows malware also morphed from being a general-purpose threat, through the use of plug-ins, to become a financial fraud platform of some repute. Perhaps the most infamous of the morphing and modular malware platforms would be GameOver Zeus, which was taken down last year by a coordinated effort between law enforcement and security vendors. "The core functionality was a banking Trojan," Andrew Conway, a security analyst at Cloudmark, explains, "but it had other installable modules including Cutwail for sending spam, and CryptoLocker ransomware. Even the notorious Conficker worm, first detected in 2008, had a mechanism for downloading other forms of malware and indeed updating itself with new capabilities."

Indeed, truth be told, malware with separate plug-ins for different functionality is a relatively common concept. "The use of modular frameworks for malware seems to have gained popularity around 2003 while the penetration testing communities built such tools," says Aaron Shelmire, senior threat researcher at ThreatStream Labs, continuing: "it caught on in the cyber-crime world in 2005-2007, and appears to have been used in government espionage-style attacks as early as 2001-2003." In fact, some would say that CoreBot isn't technically morphing malware at all, but rather malware with a plug-in framework for additional flexibility. True morphing malware, or polymorphic malware as it is correctly known, is more likely to change itself through simple filename changes or more complex variable-key encryption techniques in order to evade detection, and it has been around since the 1990s.

However, as Bromium's principal systems engineer, Fraser Kyne, told "morphing malware and a plug-in design shows a desire to develop toolkits which are extensible and can easily adapt to changing requirements to be useful in a variety of ways to attackers. This approach proves, yet again, that malware writers have the upper hand – and attempts to detect what they are up to are largely futile; unless you consider after-the-fact analysis valuable. Which is not much use if your IP is gone though." And TK Keanini, CTO at Lancope, reckons it speaks of "criminals making use of software engineering" which in some cases "is better designed for adaptation than non-malware software." Keanini is remarkably candid when he tells us that he is "always amazed by the innovation of our adversary; they are talented and, more importantly, making money which finds more resources."

CoreBot certainly looks capable of making money, that's for sure. Steve Pao, general manager of security at Barracuda Networks, puts the threat it poses down to "the easy availability of crypting services and self-modifying code which make common malware code undetectable by known virus signature scanning engines."

So just how much of a threat is it? "This is the sort of stuff we have been dealing with for some time, and there are several ways to address this type of malware attack without reference to the executable itself," Andrew Conway told us: "preventing infection, interdicting the command and control (C2) infrastructure, and monitoring your system for malicious activity." Most infections start with either a spam email or a visit to a malicious website. Good spam filtering, and filtering at the DNS and browser level, can prevent many of these risks. You should also always keep your operating system, browser and other software up to date with the latest patches. Getting the basics right goes a long way towards mitigating even the most technically clever and seemingly complex threats.

Not that Conway is that enamoured of the so-called complexity of CoreBot, which he describes as having "a fairly unsophisticated C2 system, with hard coded domain names and a domain generation algorithm (DGA) which is not turned on yet." That said, he does expect to see it develop a more sophisticated C2 infrastructure over time, with multiple redundant channels of communication to make it harder to detect and attack. "We see malware using the Tor network for C2, or using data from the news or weather as a seed for the DGA to prevent future domains being predicted," Conway concludes.
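As an added illustration of the C2-side monitoring Conway describes (this is not code from the article or from any vendor quoted in it), the following Python scores queried names from a constructed DNS log for DGA-like randomness and reports clients that burst several such lookups; the log format, the thresholds and the sample names are all assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2015-09-14T10:01:02Z 10.0.0.12 www.example.com
2015-09-14T10:01:05Z 10.0.0.12 mail.example.org
2015-09-14T10:01:09Z 10.0.0.12 xk3qv9zrt2plw7m.net
2015-09-14T10:01:10Z 10.0.0.12 b8f2hq0wzj4ltnc.com
2015-09-14T10:01:11Z 10.0.0.12 vq7tp3kxz9dmr5s.org
2015-09-14T10:01:30Z 10.0.0.12 news.example.co.uk
2015-09-14T10:02:00Z 10.0.0.40 cdn.example.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed three-column log layout
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def core_label(domain: str) -> str:
    """Crude heuristic: the longest label left of the TLD (also copes with 'a.b.co.uk')."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    return max(labels, key=len) if labels else ""

def looks_generated(domain: str) -> bool:
    """Flag labels that are long, high-entropy and unlike natural words (assumed thresholds)."""
    label = core_label(domain)
    if len(label) < 10:
        return False
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return shannon_entropy(label) >= 3.5 and (digit_ratio >= 0.2 or vowel_ratio < 0.2)

def suspect_clients(log_text: str, threshold: int = 3) -> dict:
    """Map client -> DGA-like names queried, kept only for clients at or above the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, name = m.groups()
        if looks_generated(name):
            hits[client].append(name)
    return {c: names for c, names in hits.items() if len(names) >= threshold}
```

A client that resolves a burst of such names is a candidate for investigation; a single high-entropy lookup is far weaker evidence, which is why the per-client threshold exists.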

One thing we can all agree on, it seems, is that modular malware indicates a more structured and professional development process, which is why it is usually associated with organised, well-financed APT groups. "If we are indeed seeing a rise in the number of cases where cyber-criminals are using it," warns Tom Court, a cyber-crime researcher at Alert Logic, then "this reinforces the view that their methods are evolving and becoming more advanced." The convenience factor of modular malware cannot be overstated, and that could mean we see CoreBot (or variants of it) up for sale on the dark market soon enough.

Indeed, John Miller, manager of ThreatScape Cyber Crime at iSIGHT Partners, says that this type of modular malware design is becoming the default approach for cyber-crime vendors offering products with multiple functionality. "If a given Trojan can (1) perform general keylogging, (2) steal credentials entered in website forms, (3) send spam emails, and (4) give the operator remote control of infected machines," Miller said, "the malware provider might give his criminal clients the option to select any or all of those modules for the build they receive. From a client's perspective, that makes the product less cumbersome and costly." Luckily, Court sees compromise coming with convenience, and that means plug-and-play malware may carry something of a high price tag. "Malware of any type is only effective until it is detected and with modular malware," Court said, speaking to, "if a generic component is detected it could reveal a whole host of related malware that makes use of it."