It has been reported that variants of a new Trojan named "Corebot", targeting financial institutions, are spreading. The malware infects machines running Microsoft Windows operating systems. It propagates by means of drive-by-download attacks, email attachments, removable drives, etc. The malware is capable of performing the following functions:
- Steals data such as stored credentials, web money wallets, etc. from compromised machines.
- Capable of monitoring and hijacking web sessions.
- Launches man-in-the-middle attacks and hooks browsers such as Firefox, IE and Chrome.
- Injects itself into genuine Windows processes (svchost.exe) and deletes itself.
- Capable of initiating VNC sessions.
- Makes network connections to send exfiltrated data to the C2 server.
- Capable of downloading and installing other malicious binaries or plugins on the victim's machine.
- Uses Domain Generation Algorithms (DGA) to generate C2 domains dynamically, hiding C2 communications.
Aliases: Infostealer.Corebot [Symantec], Infostealer.Corebot!g1 [Symantec], Win32/Corebot [Microsoft]
Indicators of Infection
File System Changes:
On successful installation, the file system changes made by the malware are given below:
Path: %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe
Registry changes:
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[GUID]"
Value: "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"
Network connections:
The malware communicates with its command and control server either to receive commands or to upload data exfiltrated from the victim's machine. Some of the C2 servers are mentioned below:
- vincenzo-sorelli[dot]com
- http://[generated by DGA].ddns.net
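The indicators above can be turned into a simple host and DNS check. The following is an added example, not code from the advisory: it matches Run-key values against the GUID-named install path (the value name, folder and executable must carry the same GUID) and flags DNS queries to the listed C2 domain or to any host under ddns.net, the zone the DGA-generated names use. The registry entries and log lines are constructed samples, and the log format is an assumption.

```python
import re

# Persistence artefact from the advisory: the Run value name, the folder and the
# executable all carry the same GUID under "...\Application Data\Microsoft\".
GUID = r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?"
PATH_RE = re.compile(r"Application Data\\Microsoft\\(" + GUID + r")\\\1\.exe$",
                     re.IGNORECASE)

# Network indicators from the advisory; hosts under ddns.net are DGA-generated,
# so any label in that zone is treated as suspicious.
KNOWN_C2 = {"vincenzo-sorelli.com"}
DGA_SUFFIX = ".ddns.net"


def check_run_entries(entries):
    """Return Run value names whose data matches the Corebot install path.

    `entries` maps value name -> value data read from
    HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = []
    for name, data in entries.items():
        m = PATH_RE.search(data.strip().strip('"'))
        if not m or not re.fullmatch(GUID, name, re.IGNORECASE):
            continue
        # Value name must be the same GUID as the folder/executable name.
        if name.strip("{}").lower() == m.group(1).strip("{}").lower():
            hits.append(name)
    return hits


def check_dns_log(lines):
    """Return (line_no, domain) for queries to the known C2 or to ddns.net hosts."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            domain = token.lower().rstrip(".")
            if domain in KNOWN_C2 or domain.endswith(DGA_SUFFIX):
                hits.append((n, domain))
    return hits


# Constructed sample data for a stand-alone run (not observations from the advisory).
SAMPLE_RUN = {
    "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}":
        r'"%UserProfile%\Application Data\Microsoft\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}'
        r'\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_DNS = [
    "2015-09-01T10:00:01 client 10.0.0.5 query A update.microsoft.com",
    "2015-09-01T10:00:02 client 10.0.0.5 query A vincenzo-sorelli.com",
    "2015-09-01T10:00:03 client 10.0.0.7 query A kq9x2mfz7a.ddns.net",
]

if __name__ == "__main__":
    print("Run-key hits:", check_run_entries(SAMPLE_RUN))
    print("DNS hits:", check_dns_log(SAMPLE_DNS))
```

Any ddns.net hit should be confirmed against the host's process and network activity, since the dynamic-DNS zone itself is shared by legitimate users.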
Countermeasures:
- Delete the system changes made by the malware, such as created files, registry entries, services, etc.
- Monitor and block traffic generated from client machines to the domains and IP addresses mentioned above.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Scan infected systems with an updated version of an antivirus solution.
- Disable Autorun and AutoPlay policies.
- Use a limited-privilege user account on the computer, or allow administrative access to systems only through special administrative accounts for administrators.
- Limit or eliminate the use of shared or group accounts.
- Do not visit untrusted websites.
- Do not download or open attachments in emails received from untrusted sources or received unexpectedly from trusted users.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on workstations.
- Install anti-malware engines, scan with them and keep them up to date.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Configure your email server to block or remove emails that contain file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Disable unnecessary services on agency workstations and servers.
- Maintain situational awareness of the latest threats; implement appropriate ACLs.