CoreBot: A closer look

A week ago our colleagues at IBM published a blog post about a new stealer named “CoreBot”. The post points out that CoreBot has a modular plugin system, is capable of stealing private information including certificates, and has a DGA (domain generation algorithm) implemented. We got our hands on 4 different samples and analyzed them.

We added CoreBot to Virus Tracker by sinkholing a domain that is generated by the DGA. 2 hours after sinkholing, we observed only 9 infections of CoreBot, 56% of them (5 infections) in the US. The IBM post indicated that the DGA might generate domains for different zones and botnets; we will do more research and update this blog post as soon as we have more results.

CoreBot 1

These are the actual infections:

CoreBot Infections

During analysis of the different samples we discovered these C&C URLs (the same ones IBM found). At the time of analysis, none of them were active.

http://arijoputane.com/ldr/client.php                       (sample SHA1 40975FE97341059D319207484175EFBE89212491)
http://vincenzo-sorelli.com/ldr/client.php?family=bank

Both were registered by the same handle:

Registry Registrant ID:
Registrant Name: Vladimir
Registrant Organization: Bars
Registrant Street: 6002 WOOD BYU
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 093221
Registrant Country: RU
Registrant Phone: +790.62728977
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: drake.lampado777@gmail.com

The domains were registered on 7/24/2015 (vincenzo-sorelli.com) and 4/4/2015 (arijoputane.com), suggesting that this particular CoreBot campaign had been active for at least a few months before discovery. Both pointed to the IP 62.76.41.51, a server in Russia. At the time of analysis this server was no longer active as a web server.

A reverse lookup shows that drake.lampado777@gmail.com appears as the whois registrant of at least 31 domains. Some of these domains date back as early as March 2014. Googling that email address reveals an interesting comment on Reddit, claiming that the person behind that email hacked a user and stole 3.5 BTC (worth 808 USD at the current exchange rate):

"YEP I JUST got hacked ON CRYPTSY.com by EMAIL drake.lampado777@gmail.com HE HACKED ME changed my email and pw while I was on it and nothing I could do... Stole about 3.5BTC from me"

One domain affiliated with the same email address, ihave5kbtc.org, was registered on 3/27/2014 and was used as C&C by a Trojan (sample SHA1 c8a7c1788b061236a6a7aa6a9be8d912d9546936).

Technical Analysis

The sample SHA1 60A55ED53703DC7EA7DF8429DE90F0D5D0652AD5 is the actual core Trojan. After starting, it moves itself to a sub-directory of %AppData% and adds itself to a Run key in the registry for automatic startup:

CoreBot Autostart

The malware launches an svchost.exe process (and subsequently a dllhost.exe process) into which it injects itself:

CoreBot Launch

CoreBot Monitored
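The two behaviours just described (a Run key pointing into a %AppData% sub-directory, and svchost.exe instances started by something other than services.exe) can be hunted for on a live host. The following PowerShell script is an added defender-side check written for this post; it is not code from the samples or from IBM, and it assumes it is run from an elevated shell so that HKLM and all users' processes are readable.

```powershell
# Added example: hunt for the persistence and injection behaviours described above.
# Assumption: run elevated. Only the current user's %AppData% is resolved, so
# Run entries of other users are matched only if they also live under that path.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$appData = [Environment]::GetFolderPath('ApplicationData')   # resolves %AppData%

# 1. Run/RunOnce values whose launch target lives under %AppData%
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # Take the executable path: a quoted "C:\..." or the first whitespace-delimited token
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -like "$appData\*") {
            $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check  = 'RunKeyInAppData'
                Key    = $key
                Name   = $name
                Target = $exe
                Signed = if ($sig) { $sig.Status } else { 'FileMissing' }
            }
        }
    }
}

# 2. svchost.exe instances whose parent is not services.exe. A legitimate svchost.exe
#    is always started by the Service Control Manager; one started by a user-mode
#    process (as described above) is a candidate injection host. dllhost.exe children
#    of such an svchost.exe are reported through their parent.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($proc in $procs) { $byPid[[int]$proc.ProcessId] = $proc }
foreach ($proc in $procs | Where-Object { $_.Name -eq 'svchost.exe' }) {
    $parent = $byPid[[int]$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe') {
        [pscustomobject]@{
            Check  = 'SvchostOddParent'
            Pid    = $proc.ProcessId
            Parent = "$parentName ($($proc.ParentProcessId))"
            Cmd    = $proc.CommandLine
        }
    }
}
```

A parent that shows as `<exited>` is itself worth a look, since a dropper that starts svchost.exe and then terminates leaves exactly that trace.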

The domain generation algorithm:

CoreBot DGA

Strings extracted from the samples that reveal details about the project's source tree:

Paths to source code:
tests\botserv_verify_tests.cpp
tests\dga_tests.cpp
tests\dns_resolver_tests.cpp
tests\inject_tests.cpp
tests\misc_tests.cpp

PDB (debug symbol database) and other paths:
C:\work\itco\core\bin\x86\Release\core.pdb      (sample SHA1 60A55ED53703DC7EA7DF8429DE90F0D5D0652AD5)
C:\work\itco\core\bin\x86\Release\dropper.pdb   (sample SHA1 40975FE97341059D319207484175EFBE89212491)
c:\work\itco\fabric\config1.dat
c:\work\itco\fabric\config1.dat.plain

File paths referring to the temp path:
C:\tmp\test.txt
C:\tmp\u1.txt
C:\tmp\u2.txt

Elements of the "core" structure:
core.interval
core.urls
core.server_sign
core.server_sign
core.url
core.safe_mode
core.dga
core.dga.key_fingerprint
core.dga.zones
core.dga.group
core.dga.domains_count
core.server_key
core.family
core.guid
core.sess_id
core.service
core.svchost
core.no_install
core.work_dir
core.create_time
core.last_start
core.run_count
core.starter_file
core.pid
core.heartbeat
core.restart_plugins
core.plugins_folder