A new variant of the banking Trojan, CoreBot, which was mainly active in the summer of 2015, has been spotted by security researchers with the new variant spreading via malicious Office documents.
A new variant of the banking Trojan, CoreBot, which was mainly active in the summer of 2015, has been spotted by security researchers.
According to a blog post by IT security firm Deep Instinct, the new variant is distributed using malicious spam emails with Office documents as attachments. The documents contained VBA scripts which users were tricked to run, leading to the payload being downloaded and executed.
“In the latest attack wave, which seems to have started 24 hours ago, spam emails notify targeted users of an invoice,” said Deep Instinct researchers Tal Leibovich and Shaul Vilkomir-Preisman.
The email contains a link (“View Invoice”) which once clicked will download an executable from hxxp://184.108.40.206/docs/Document.psk. Another URL hosted on the same IP address hxxp://220.127.116.11/folder/item.sls is spreading an EMOTET variant in the last several days. Additionally, the executable is downloaded to two locations on the victim's machine.
Upon download and execution, a scheduled task is created to run the payload and ensure its persistence. The payload process will then perform a connectivity IP check against hxxp://httpbin.org/ip, deploy encrypted configuration files and a Dynamic-Link Library (DLL) in a similar fashion to the one seen in previous versions, warned researchers.
Memory dumps from run-time reveal that the C2 domain name remains checkbox.bit and is accessed with HTTPS packets in port 443 just as in the last version. However, the domain has now moved to a different IP address – 18.104.22.168.
“The sample tries to evade analysis by checking for several processes indicating sandboxing: sbiedll.dll, api_log.dll, vmcheck.dll, and cuckoomon,” said researchers. “We are continuing to analyse the sample and investigate related infrastructure (which appears to be related to other active banking malware campaigns).”