4.Sep.2015 at 4 | Peter Kleissner
A week ago our colleagues at IBM published a blog post about a new stealer named “CoreBot”. The post points out that CoreBot has a modular plugin system, is capable of stealing private information including certificates, and has a DGA (domain generation algorithm) implemented. We got our hands on 4 different samples and analyzed them.
We added CoreBot to Virus Tracker by sinkholing a domain that is being generated by the DGA. 2 hours after sinkholing, we only observed 9 infections of CoreBot – with 56% (5 infections) being in the US. The IBM post indicated that the DGA might generate domains for different zones and botnets – we will do more research and update this blog post as soon as we have more results.
These are the actual infections:
During analysis of the different samples we discovered these C&C URLs (the same ones IBM found). At the time of analysis none of them were active.
http://arijoputane.com/ldr/client.php (sample SHA1 40975FE97341059D319207484175EFBE89212491)
http://vincenzo-sorelli.com/ldr/client.php?family=bank

Both were registered by the same handle:

Registry Registrant ID:
Registrant Name: Vladimir
Registrant Organization: Bars
Registrant Street: 6002 WOOD BYU
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 093221
Registrant Country: RU
Registrant Phone: +790.62728977
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@example.com
The domains were registered on 7/24/2015 (vincenzo-sorelli.com) and 4/4/2015 (arijoputane.com), which suggests that this particular CoreBot campaign had been active for at least a few months before discovery. Both pointed to IP 188.8.131.52, a server in Russia. At the time of analysis this server was no longer active as a web server.
A reverse lookup shows that firstname.lastname@example.org appears as the WHOIS registrant of at least 31 domains, some dating back as early as March 2014. Googling that email reveals an interesting comment on Reddit, claiming that the person behind that email hacked a user and stole 3.5 BTC (worth 808 USD at the current exchange rate):
"YEP I JUST got hacked ON CRYPTSY.com by EMAIL email@example.com HE HACKED ME changed my email and pw while I was on it and nothing I could do... Stole about 3.5BTC from me"
One domain affiliated with the same email, ihave5kbtc.org, was registered on 3/27/2014 and was used as C&C by a Trojan (sample SHA1 c8a7c1788b061236a6a7aa6a9be8d912d9546936).
The sample SHA1 60A55ED53703DC7EA7DF8429DE90F0D5D0652AD5 is the actual core Trojan. After starting, it moves itself to a sub-directory of %AppData% and adds itself to a Run key in the registry for automatic startup:
The malware launches an svchost.exe process (which in turn spawns dllhost.exe) and injects itself into it:
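Both host artifacts described above (a Run-key value pointing into a sub-directory of %AppData%, and an svchost.exe that was not started by services.exe but by the dropped binary) are cheap to check for during triage. The following Python is an added example, not code from this post and not CoreBot's own: the Run-key values, the process snapshot and the "Lkpdfx\core.exe" path are all constructed for the example, and the rule that a legitimate svchost.exe is only ever started by services.exe is a heuristic assumed here, not something the samples prove.

```python
"""Host-side triage for the two behaviours described above: a Run-key value
whose executable lives under a %AppData% sub-directory, and an svchost.exe
(plus the dllhost.exe it spawns) that was not started by services.exe.
Added example: the Run-key values, the process list and the file names are
all constructed here; none of them are taken from the CoreBot samples."""
import ntpath
from dataclasses import dataclass

# Constructed stand-in for HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
# "Lkpdfx\core.exe" is a made-up path, not the sample's real drop location.
APPDATA = r"C:\Users\victim\AppData\Roaming"
RUN_KEY = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "core": r'"C:\Users\victim\AppData\Roaming\Lkpdfx\core.exe"',
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # image file name only


# Constructed process snapshot: one legitimate svchost/dllhost pair under
# services.exe, and one pair started by the dropped core.exe.
PROCESSES = [
    Proc(500, 4, "wininit.exe"),
    Proc(600, 500, "services.exe"),
    Proc(800, 600, "svchost.exe"),
    Proc(900, 800, "dllhost.exe"),
    Proc(2500, 2400, "explorer.exe"),
    Proc(3100, 2500, "core.exe"),
    Proc(3200, 3100, "svchost.exe"),
    Proc(3300, 3200, "dllhost.exe"),
]


def command_to_exe(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def under_dir(path: str, base: str) -> bool:
    """Case-insensitive 'path is inside base' check using Windows path rules."""
    p = ntpath.normpath(path).lower()
    b = ntpath.normpath(base).lower().rstrip("\\") + "\\"
    return p.startswith(b)


def suspicious_run_entries(run_key, appdata):
    """Run-key values whose executable sits below %AppData% (the Roaming dir)."""
    return [(name, command_to_exe(cmd)) for name, cmd in run_key.items()
            if under_dir(command_to_exe(cmd), appdata)]


def suspicious_process_chains(procs):
    """PIDs of svchost.exe instances not parented by services.exe, plus every
    descendant of such an instance (this is what catches the dllhost.exe).
    Assumption (heuristic): on the host being triaged, a legitimate
    svchost.exe is only ever started by services.exe."""
    by_pid = {p.pid: p for p in procs}
    flagged = set()
    for p in procs:
        if p.image.lower() == "svchost.exe":
            parent = by_pid.get(p.ppid)
            if parent is None or parent.image.lower() != "services.exe":
                flagged.add(p.pid)
    changed = True
    while changed:  # propagate to children until the set stops growing
        changed = False
        for p in procs:
            if p.ppid in flagged and p.pid not in flagged:
                flagged.add(p.pid)
                changed = True
    return sorted(flagged)


if __name__ == "__main__":
    print("Run-key entries under %AppData%:", suspicious_run_entries(RUN_KEY, APPDATA))
    print("Suspicious svchost/dllhost chains:", suspicious_process_chains(PROCESSES))
```

Note that dllhost.exe is not flagged on its own: a dllhost.exe under a legitimate svchost.exe (the DcomLaunch service) is normal, so it is only reported when it descends from an svchost.exe with an unexpected parent. On a live host the two constructed inputs would come from the Run keys under HKCU and HKLM and from a process listing that includes parent PIDs.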
The domain generation algorithm:
Artifacts about the project source, extracted from the samples:
Paths to source code:
tests\botserv_verify_tests.cpp
tests\dga_tests.cpp
tests\dns_resolver_tests.cpp
tests\inject_tests.cpp
tests\misc_tests.cpp

PDB (debug symbol database) and other paths:
C:\work\itco\core\bin\x86\Release\core.pdb (sample SHA1 60A55ED53703DC7EA7DF8429DE90F0D5D0652AD5)
C:\work\itco\core\bin\x86\Release\dropper.pdb (sample SHA1 40975FE97341059D319207484175EFBE89212491)
c:\work\itco\fabric\config1.dat
c:\work\itco\fabric\config1.dat.plain

File paths referring to the temp path:
C:\tmp\test.txt
C:\tmp\u1.txt
C:\tmp\u2.txt

Elements of the "core" structure:
core.interval
core.urls
core.server_sign
core.url
core.safe_mode
core.dga
core.dga.key_fingerprint
core.dga.zones
core.dga.group
core.dga.domains_count
core.server_key
core.family
core.guid
core.sess_id
core.service
core.svchost
core.no_install
core.work_dir
core.create_time
core.last_start
core.run_count
core.starter_file
core.pid
core.heartbeat
core.restart_plugins
core.plugins_folder
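The PDB paths above come from the CodeView "RSDS" debug record that the linker embeds in the PE (a 16-byte GUID, a 32-bit age and a NUL-terminated path), and the source and config paths and the core.* key names are plain strings in the image. Pulling these out is a standard first pass when pivoting on a build environment. The Python below is an added example, not code from this post or from the CoreBot project: the byte blob it scans is constructed here from a handful of the strings listed above with an invented GUID and age, and the regular expressions are this example's own heuristics.

```python
"""Static triage of the build artifacts listed above: the CodeView "RSDS"
debug record carrying the PDB path (GUID, age, NUL-terminated path),
source/config path strings, and the dotted core.* configuration key names.
Added example: the byte blob is constructed here from a few of the strings
quoted above with a made-up GUID and age; it is not a CoreBot sample, and
the regexes are this example's own heuristics."""
import re
import struct
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class PdbRecord:
    guid: str
    age: int
    path: str


# CodeView 7.0 record: "RSDS" | GUID (16 bytes, little-endian fields) |
# age (u32 LE) | PDB path (NUL-terminated). Path restricted to printable ASCII.
_RSDS = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[ -~]{1,260}?\.pdb)\x00", re.DOTALL)
# Absolute Windows paths and the relative tests\ paths; the lookbehind stops
# "_tests.cpp" inside a longer file name from matching as a path of its own.
_PATH = re.compile(rb"(?<![\w\\])(?:[A-Za-z]:\\|tests\\)[\w\\.\-]+")
# Dotted config keys such as core.dga.zones; the lookbehind excludes
# "\core.pdb" inside the PDB path.
_CONF = re.compile(rb"(?<![\w\\.])core(?:\.\w+)+")


def build_sample_blob() -> bytes:
    """Constructed stand-in for a PE image: NUL-separated strings plus one
    RSDS record. GUID and age are invented; the strings are from the list above."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    rsds = (b"RSDS" + guid.bytes_le + struct.pack("<I", 2)
            + b"C:\\work\\itco\\core\\bin\\x86\\Release\\core.pdb\x00")
    strings = [
        b"tests\\dga_tests.cpp",
        b"tests\\inject_tests.cpp",
        b"c:\\work\\itco\\fabric\\config1.dat.plain",
        b"C:\\tmp\\u1.txt",
        b"core.dga.zones",
        b"core.dga.domains_count",
        b"core.server_key",
    ]
    return b"MZ\x90\x00" + b"\x00".join(strings) + b"\x00" + rsds


def find_pdb_records(blob: bytes):
    """Every RSDS record in the blob, decoded into (guid, age, path)."""
    out = []
    for m in _RSDS.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group("guid"))
        age = struct.unpack("<I", m.group("age"))[0]
        out.append(PdbRecord(str(guid), age, m.group("path").decode("ascii")))
    return out


def find_paths(blob: bytes):
    return sorted({m.group().decode("ascii") for m in _PATH.finditer(blob)})


def find_config_keys(blob: bytes):
    return sorted({m.group().decode("ascii") for m in _CONF.finditer(blob)})


def triage(blob: bytes) -> dict:
    """Everything needed to pivot on the build environment, in one dict."""
    return {"pdb": find_pdb_records(blob),
            "paths": find_paths(blob),
            "config_keys": find_config_keys(blob)}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for key, values in triage(data).items():
        print(key)
        for v in values:
            print("   ", v)
```

Run without arguments it scans the constructed blob; given a file name it scans that file instead. The GUID and age from the RSDS record, together with the path, are what a symbol server would be queried with, and the same triple is a useful clustering key across samples from one build tree, which is exactly the kind of link the C:\work\itco\ prefix shared by core.pdb and dropper.pdb provides here.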