Modular CoreBot poses severe threat to data protection, privacy

The bolt-on malware highlights the evolution of malicious software designed to infiltrate systems and steal sensitive data.

ghostshellcredsymantec.jpg
Symantec
Researchers have revealed details concerning the CoreBot malware, a strain of code which can utilize bolt-on additional data theft and spying features.

It is often the case that highly sophisticated cyberattacks and malware campaigns, such as the recent data leak from Ashley Madison and attack tools including Duqu and ZeuS hit the media. However, it is the lower grade of malware, information thieves and spyware which is more often discovered in the wild -- and can therefore pose the most risk for the general public.

While there are countless strains of malicious code and digital threats -- far too many to be documented in a single article -- the evolution of a specific type of malware has caught the attention of IBM researchers.

Last week, security experts from IBM Security X-Force said the CoreBot malware, while being a lesser breed of cyberattack, contains the potential to become something far, far worse -- due to the code's inbuilt modular design. The malware's structure and internal coding allows operators to easily add new data theft and endpoint control mechanisms, which could then be used to avoid standard firewalls and further exploit users through new zero-day attacks or techniques.

Originally discovered through the analysis of Trusteer-protected enterprise endpoints, the malware uses a 'dropper' -- a file which downloads and executes on a target system -- before launching a svchost process to write the malware file to disk prior to the dropper's exit. The next stage CoreBot takes is to generate a globally unique identifier (GUID) using the CoCreateGuid API Call, which defines the malware's persistence through a Windows Registry key.

Once a system is infected, the malware is able to harvest credentials and spy upon user activity.

IBM researchers say CoreBot's modular system allows it to download plugins from the malicious code's command-and-control (C&C) server before loading them by way of the plugin's DLL. At present, the main plugin is called Stealer -- which gives the malware the capability to steal passwords saved by user browsers.

The malware searches a list including desktop applications, FTP clients, mail clients, webmail services and cryptocurrency wallets to seek out credentials and store them for sending to the C&C center.

While CoreBot is not currently able to intercept real-time Web data, if other plugins are developed and bolted on, this capability may appear in a future CoreBot evolution.

CoreBot is also able to uses Microsoft's configuration management system, Windows PowerShell, to find, download and execute additional malware sourced from the Internet. In order to update itself, the malware downloads and launches new versions of the executable file based on parameters specified by the latest version installed on the victim system.

"Although CoreBot isn't very sophisticated right now, it is still new malware designed to be easily updated, and it could evolve into a more complex threat in the near future," IBM says.

In recent news, peer-to-peer software provider BitTorrent recently mitigated a security flaw which could allow user traffic to be harnessed in order to launch distributed denial-of-service (DDoS) attacks against Internet domains.

Read on: Top picks

In pictures: