Big Blue bops modular menace
CoreBot infant could grow to painful teenager
IBM threat researcher Limor Kessem has found a new modular malware credential stealer that could become a significant enterprise threat.
The malware dubbed CoreBot is an advanced tool currently a credential harvester that operates with sophisticated plugins designed to allow VXers to add extra functionality and offensive security capabilities.
Kessem and fellow X-Force researchers found the malware hitting enterprises stealing credentials en masse.
"While CoreBot may appear artless at first glance, without real-time theft capabilities, it is more interesting on the inside," Kessem says.
"When it comes to generic malware, many believe it is less targeted and therefore less damaging than more elaborate malcode. In reality, the opposite is true.
"When they land on an enterprise endpoint, information stealers gather email credentials, software keys and anything else saved on that drive that can be interesting to attackers. On top of that, it can download and execute other malware at will."
CoreBot's modular nature and capabilities put it above the malware rabble in terms of sophistication.
It is capable of generating dynamic domain names based on the region of a victim, helping exfiltrated traffic to avoid detection as anomalous and avoiding the risk that those command and control boxes will be identified before they are operational.
The modular system downloads plugins from the command-and-control servers after persistence is achieved Its current password stealer raids browser password stores as it cannot yet steal logins in real time. It also steals data from FTP and mail clients, empties cryptocurrency wallets, and nicks other personal application data and private certificates.
It can as most other net pests download and run additional malware.
IBM says staff security training is the best way to combat the threat. ®
Sponsored: Go beyond APM with real-time IT operations analytics