Original Issue Date:- January 20, 2016
Virus Type:- Trojan
It has been reported that the variants of a new Trojan named as
- Steals data such as stored credentials and web money wallets from compromised machines.
- Monitors and hijacks web sessions.
- Launches man-in-the-middle attacks and hooks browsers such as Firefox, Internet Explorer and Chrome.
- Injects itself into genuine Windows processes (svchost.exe) and deletes itself.
- Initiates VNC sessions.
- Makes network connections to send exfiltrated data to its C2 server.
- Downloads and installs other malicious binaries or plugins on the victim's machine.
- Uses a Domain Generation Algorithm (DGA) to generate C2 domains dynamically, which hides its C2 communications.
Aliases: Infostealer.Corebot [Symantec], Infostealer.Corebot!g1 [Symantec], Win32/Corebot [Microsoft],
Indicators of Infection
File System Changes:
On successful installation, the file system changes made by the malware are given below:
Value: "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"
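The path above is the only host-based indicator the advisory gives. The following is an added example (not part of the advisory, and not Corebot's own code) of how a responder could check a copied user profile, or a mounted disk image, for files matching the Microsoft\[GUID]\[GUID].exe pattern. The GUID regular expression, the tuning of the check, and the sample GUID used in the demonstration are assumptions; the advisory does not say whether the directory GUID and the file GUID are the same value, so the check accepts any pair.

```python
import os
import re
import tempfile
from pathlib import PureWindowsPath

# Assumed GUID shape: 8-4-4-4-12 hex digits, optionally wrapped in braces.
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.IGNORECASE)


def is_guid(label: str) -> bool:
    return bool(GUID_RE.match(label))


def matches_indicator(path: str) -> bool:
    """True if path has the shape ...\\Microsoft\\[GUID]\\[GUID].exe from the advisory.

    PureWindowsPath also accepts forward slashes, so the same check works on
    paths read from a mounted image or from a POSIX test directory.
    """
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe":
        return False
    return (
        p.parent.parent.name.lower() == "microsoft"
        and is_guid(p.parent.name)
        and is_guid(p.stem)
    )


def scan_profile(profile_root: str) -> list:
    """Walk a user profile directory and return every file matching the indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(profile_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if matches_indicator(full):
                hits.append(full)
    return sorted(hits)


def demo() -> int:
    """Build a constructed profile with one matching file and two decoys; return hit count."""
    guid = "{a1b2c3d4-e5f6-4711-8a9b-0c1d2e3f4a5b}"  # constructed sample GUID, not an IoC
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "Application Data", "Microsoft")
        os.makedirs(os.path.join(base, guid))
        os.makedirs(os.path.join(base, "Windows"))
        # matching: Microsoft\[GUID]\[GUID].exe
        open(os.path.join(base, guid, guid + ".exe"), "wb").close()
        # decoys: a non-GUID file inside the GUID directory, and an exe in a normal directory
        open(os.path.join(base, guid, "readme.txt"), "wb").close()
        open(os.path.join(base, "Windows", "svchost.exe"), "wb").close()
        hits = scan_profile(root)
        for h in hits:
            print("indicator match:", h)
        return len(hits)


if __name__ == "__main__":
    demo()
```

Run it against a copy of %UserProfile% taken from the suspect machine rather than the live system, so the scan itself does not alter timestamps the forensic analysis may need.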
Malware communicates with its command and control (C2) server either to receive commands or to upload data exfiltrated from the victim's machine. Some of the C2 servers are mentioned below:
- http://[generated by DGA].ddns.net
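Because the C2 host label is generated by a DGA, there is no fixed domain to block; what can be detected is the shape of the queried names. The following is an added example (not from the advisory) of the kind of check a defender could run over resolver logs to support the later recommendation to monitor traffic to these domains: it keeps only queries under the ddns.net suffix named above and scores the label directly beneath it by character entropy and vowel ratio. The log line format, the entropy and length thresholds, and every query in the sample are constructed assumptions; ddns.net is also used by legitimate dynamic DNS clients, so a hit is a lead to investigate, not proof of infection.

```python
import math

# Constructed resolver log lines (not from the advisory): time, client, type, name.
SAMPLE_LOG = [
    "2016-01-20T10:15:02Z 10.0.0.12 query[A] xk3q9vz7tlwq2bnd.ddns.net",
    "2016-01-20T10:15:03Z 10.0.0.12 query[A] www.example.com",
    "2016-01-20T10:15:09Z 10.0.0.34 query[A] myhomecam.ddns.net",
    "2016-01-20T10:15:11Z 10.0.0.34 query[A] 7hq2mzpx4vwlkr.ddns.net",
    "2016-01-20T10:15:14Z 10.0.0.51 query[A] office-printer.ddns.net",
]

DYNDNS_SUFFIX = "ddns.net"   # suffix named in the advisory
ENTROPY_THRESHOLD = 3.3      # assumed tuning values, not from the advisory
MIN_LABEL_LENGTH = 10
MAX_VOWEL_RATIO = 0.3
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking DGA labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are treated as generated."""
    label = label.lower()
    if len(label) < MIN_LABEL_LENGTH:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD and vowel_ratio <= MAX_VOWEL_RATIO


def parse_query(line: str):
    """Return (client, qname) from one constructed log line, or None if it is not a query."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].startswith("query"):
        return None
    return parts[1], parts[3].rstrip(".").lower()


def flag_dga_queries(lines) -> list:
    """Return (client, qname) pairs whose ddns.net host label looks DGA-generated."""
    flagged = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname = parsed
        if not qname.endswith("." + DYNDNS_SUFFIX):
            continue
        # the label directly below ddns.net is the part the DGA would generate
        host_label = qname[: -len(DYNDNS_SUFFIX) - 1].split(".")[-1]
        if looks_generated(host_label):
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for client, qname in flag_dga_queries(SAMPLE_LOG):
        print(f"{client} queried suspicious dynamic DNS name {qname}")
```

In the sample, the two random-looking labels are flagged while myhomecam and office-printer are not; in production the thresholds should be tuned against a baseline of the organisation's own resolver logs before any blocking is automated.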
- Delete the system changes made by the malware, such as the files created, registry entries and services.
- Monitor and block traffic generated from client machines to the domains and IP addresses mentioned above.
- Set the Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Scan infected systems with an updated antivirus solution.
- Disable Autorun and AutoPlay policies.
- Use a limited-privilege user account on the computer, and grant administrative access to systems only through dedicated administrative accounts.
- Limit or eliminate the use of shared or group accounts.
- Do not visit untrusted websites.
- Do not download or open attachments in emails received from untrusted sources or received unexpectedly from trusted users.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on workstations.
- Install anti-malware engines, keep them up to date and scan with them regularly.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Disable unnecessary services on agency workstations and servers.
- Maintain situational awareness of the latest threats; implement appropriate ACLs.
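The attachment-blocking recommendation above is usually enforced in the mail gateway itself, but the decision logic is simple enough to show. The following is an added example (not part of the advisory) of a filter over a raw RFC 5322 message that returns the attachment names ending in the extensions listed (.vbs, .bat, .exe, .pif, .scr). It judges the declared filename rather than the MIME type, since both are sender-controlled, and handles two common evasions: double extensions such as Invoice.PDF.exe and a trailing dot that Windows silently drops. The sample message, its sender and recipient, and the attachment contents are constructed.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions named in the advisory; extend the set to match local policy.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def should_block(filename) -> bool:
    """Decide on the declared filename alone; missing names are left to other checks."""
    if not filename:
        return False
    # Windows ignores trailing dots and spaces when it resolves a name, so strip them
    # before taking the extension; otherwise "setup.bat." appears to have none.
    cleaned = filename.strip().rstrip(". ")
    _stem, ext = os.path.splitext(cleaned)   # "Invoice.PDF.exe" -> ".exe"
    return ext.lower() in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: bytes) -> list:
    """Return the declared filenames of attachments that policy says to block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if should_block(part.get_filename())
    ]


def build_sample_message() -> bytes:
    """Constructed message with one benign and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension and mixed case: still an executable by its final extension.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    # Trailing dot so a naive splitext-based check sees no extension.
    msg.add_attachment(b"@echo off", maintype="application",
                       subtype="octet-stream", filename="setup.bat.")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("blocked attachment:", name)
```

A gateway that relies on this check alone can still be bypassed by archives or by renamed files, so it belongs alongside content inspection and the endpoint controls listed above rather than in place of them.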