Infosec pros are being warned about a new banking Trojan which is linked to an online store that may be collecting and selling personal information gathered by the malware.
The link was made Wednesday by researchers at Damballa, an Atlanta-based threat protection vendor, who leveraged the discovery of what is called the Corebot malware by IBM’s Security X-Force to probe two domains registered to a particular gmail address. That address, Damballa discovered was used to register over 30 domains, three of which host malware command and control systems.
One of the other domains, though, called btcshop, buys lists of Socket Secure (socks) proxies and personally identifiable information, the blog says. The lists of proxies are usually infected machines turned into a socks proxy to be used for further malicious activity. Several malware families have the capability to turn an infected machine into a socks proxy, the blog notes.
“We were able to link the online shop to a person on a forum using the handle btcshop and using the Jabber account [email protected],” Damballa said in its post. “This person may or may not be running Corebot and TVSPY a way to collect personally identifiable information for sale in his online shop.” However, the post adds, it would be convenient for the same person or a small group of people to be running malicious domains registered under the gmail account and also running btcshop to sell their collected wares.
More evidence is needed to definitively say that people behind the gmail account and the Jabber account are the same, it adds.
The lists of proxies are usually infected machines turned into a socks proxy to be used for further malicious activity. Several malware families have the capability to turn an infected machine into a socks proxy, Damballa notes. But this particular show apparently makes easy to buy bots.
The blog includes a list of domains registered using the suspect email address that CISOs can use in their blacklists.
When IBM initially wrote about its discovery of Corebot last month, it said the code steals passwords held in browsers and warned it “is one malware piece to watch out for. CoreBot appears to be quite modular, which means that its structure and internal makeup were programmed in a way that allows for the easy adding of new data theft and endpoint control mechanisms.”
Within days of that report, however, IBM said Corebot had evolved into a full banking Trojan with 55 URL triggers aimed at online banking sites in Canada the U.S. and the U.K. The triggers include the corporate banking, business banking and private banking pages of 33 target financial institutions.
CoreBot grabs the victim’s credentials, uses social engineering to manipulate the victim into divulging more personally identifiable information, alerts the attacker to get online once a session has been authenticated and then displays a wait notice to stall the victim while the fraudster connects to the endpoint via VNC and takes over the session. The attacker can then use the session cookie to merge into the same Web session and take over to initiate a transaction or modify the parameters of an existing transfer. The money is subsequently sent to an account the fraudster controls.
“While it is not as widely distributed as other [financial] malware of this sort, it is only a matter of time before it starts appearing in malware campaigns designed to infect users in its target geographies,” IBM [NYSE: IBM] says.
“Another point to keep in mind is that CoreBot is an active project that is in current development. It is likely we may learn more about new capabilities in the coming months and see it targeting other regions around the world. At this time, CoreBot is not being sold in the underground, but that, too, could change.”