COREBOT IS MAKING A COMEBACK

Nov 1, 2017

*** We continued to analyze the sample and investigated related infrastructure (which appears to be related to other active banking malware campaigns). Read all about it in this post: A Deeper Dive Into Corebot’s Comeback ***

Deep Instinct has detected a new variant of the banking trojan CoreBot. CoreBot is a rather sophisticated banking malware and information stealer that was mainly active in the summer of 2015. It seems that CoreBot is being spread once again with new, modified versions. In the most recent analysis relating to CoreBot, published in September, CoreBot was distributed using malicious spam emails with Office documents as attachments. The documents contained VBA scripts which users were tricked into running, leading to the payload being downloaded and executed.

In the latest attack wave, which seems to have started 24 hours ago, spam emails notify targeted users of an invoice.

The email contains a link (“View Invoice”) which, once clicked, downloads an executable from hxxp://188.165.233.193/docs/Document.psk. Interestingly, another URL hosted on the same IP address, hxxp://188.165.233.193/folder/item.sls, has been spreading an EMOTET variant in the last several days. Additionally, the executable is downloaded to two locations on the victim’s machine:

C:\Users\%USER%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\%Random_String%\Document[1].psk

And
C:\Users\%USER%\AppData\Local\Temp\GsY_W5dX.exe (sha256: 2f5dbbd160ab89ac3780f887c1bf4853ca89c43063d83975f59623e7590cdb9c)

Upon download and execution, a scheduled task is created to run the payload and ensure its persistence. The payload process then performs a connectivity IP check against hxxp://httpbin.org/ip and deploys encrypted configuration files and a DLL in a fashion similar to the one seen in previous versions. Memory dumps from run-time reveal that the C2 domain name remains checkbox.bit and is accessed over HTTPS on port 443, just as in the last version. However, the domain has now moved to a different IP address – 192.99.181.10.
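As an added example (not Deep Instinct's code), the indicators named above can be matched against proxy, DNS, firewall and endpoint logs with a small scanner that undoes defanging and uses boundary checks to avoid near-miss false positives. The log lines and their formats are constructed for illustration, and the names `refang` and `scan` are assumptions of this sketch.

```python
import re

# Indicators exactly as published in the post (URLs are defanged there).
IOCS = {
    "url": ["hxxp://188.165.233.193/docs/Document.psk",
            "hxxp://188.165.233.193/folder/item.sls"],
    "ip": ["188.165.233.193", "192.99.181.10"],
    "domain": ["checkbox.bit"],
    "sha256": ["2f5dbbd160ab89ac3780f887c1bf4853ca89c43063d83975f59623e7590cdb9c"],
}
# Drop locations from the post; the Content.IE5 subfolder name is random.
PATH_PATTERNS = [
    r"\\content\.ie5\\[^\\]+\\document\[1\]\.psk",
    r"\\appdata\\local\\temp\\gsy_w5dx\.exe",
]

def refang(text):
    """Lowercase and undo common defanging so both spellings compare equal."""
    text = text.lower().replace("hxxp", "http")
    return text.replace("[.]", ".").replace("[:]", ":")

MATCHERS = [("path", rx, re.compile(rx)) for rx in PATH_PATTERNS]
for kind, values in IOCS.items():
    for value in values:
        # Boundaries keep 192.99.181.10 from matching 192.99.181.100 and
        # checkbox.bit from matching checkbox.bitcoin.example.
        rx = r"(?<![\w-])" + re.escape(refang(value)) + r"(?!\.?[\w-])"
        MATCHERS.append((kind, value, re.compile(rx)))

def scan(line):
    """Return the sorted (kind, indicator) pairs present in one log line."""
    norm = refang(line)
    return sorted({(kind, ioc) for kind, ioc, rx in MATCHERS if rx.search(norm)})

# Constructed log lines (not from the post); the formats are assumptions.
SAMPLE_LOG = [
    "2017-11-01T09:14:02 proxy GET http://188.165.233.193/docs/Document.psk 200",
    "2017-11-01T09:15:40 fw ALLOW 10.0.0.12 -> 192.99.181.100:443",
    "2017-11-01T09:15:41 dns query checkbox.bitcoin.example A",
    "2017-11-01T09:15:42 dns query checkbox.bit. A",
    r"2017-11-01T09:14:05 edr FileCreate C:\Users\a\AppData\Local\Microsoft\Windows"
    r"\Temporary Internet Files\Content.IE5\K3X9QZ1A\Document[1].psk",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan(entry), "<-", entry)
```

The httpbin.org connectivity check is left out of the indicator set because it is a public service and a match on it alone would mostly be noise.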


The sample tries to evade analysis by checking for several processes indicating sandboxing: sbiedll.dll, api_log.dll, vmcheck.dll, and cuckoomon.