CoreBot - Not Your Average Banking Trojan

September 18, 2015  |  Garrett Gross

It's not often that you get to observe a new malware variant as it develops in the wild, especially one that goes from a simple browser credential harvester to a full-blown banking trojan in a matter of weeks. While it might show up during antivirus scans as a generic trojan (Dynamer!ac or Eldorado), this particularly nasty sample is referred to as ‘CoreBot’ by the security team that discovered it (IBM’s X-Force) and is anything but ‘generic’.

What makes this malware so dangerous is its dynamic plugin architecture, which gives it the ability to connect to a command and control (C&C) server, download updates, and modify itself on the fly. When researchers first discovered CoreBot, it was a seemingly basic RAT with the ability to steal credentials from web browsers’ password stores. This early-stage functionality, albeit limited, seemed to be very effective, with dropper-style delivery and an unusually complex domain generation algorithm (DGA) to help hide C&C communication. It should be noted, however, that the DGA was not activated when CoreBot was first discovered.

The first encounters with CoreBot showed a malware that relied on stealing passwords and exfiltrating data saved locally but lacked advanced tools like real-time web session monitoring or hooks into specific browsers. However, the latest samples show that the malware has evolved into a fully armed and operational banking Trojan with those cutting-edge features and more. CoreBot seems to be specifically targeting banking websites with URL triggers pointing to 55 sites, mainly in the US and Canada, involving 33 of the regions’ major financial institutions.

Now behaving like a real banking trojan (think Dyre, Zeus, SpyEye), CoreBot has the ability to run man-in-the-middle attacks, hook into Firefox, Internet Explorer, and Chrome, and even initiate VNC sessions for complete remote control. With CoreBot possessing real-time session hijack and on-demand web injection capabilities, attackers have access to any personal/financial information stored or used while browsing.

While best practice would dictate that users not log into their personal bank accounts on their work machines, it happens all the time. Even if such activity is prohibited and strictly enforced, this malware could still get in several ways: potentially via an email attachment that downloads to a user's system and then pivots to machines where commercial banking happens. Here is where the plugin architecture could come into play, enabling malware developers to update CoreBot with mechanisms that would enable transfer via removable media (USB sticks, external drives) or other air gaps.

Impact on you

  • Once a machine is infected, all sensitive data can be at risk. This includes stored passwords, financial documents, or anything accessible by in-progress server/device connections.
  • Stolen passwords enable the spread of malware to other systems, especially when the same password is used across personal/corporate accounts or multiple systems.
  • This malware has the ability to adapt to environments it infiltrates and continuously update itself, lessening the impact of traditional preventive security measures.

How AlienVault Helps

AlienVault Labs continues to perform cutting-edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:

  • System Compromise, Trojan infection, Corebot

For further investigation into CoreBot, visit the Open Threat Exchange (OTX) and see what research members of the community have done:


Learn more about this threat intelligence update and others in our forum.


Tags: rat, trojan, corebot
