Cybercriminals have a large range of tools and resources to launch phishing and malware attacks against online platforms. The dark web provides fertile grounds for criminals to opening discuss methodologies and trade new malware variants, types and processes. From well-established banking malware and financial trojan, such as Dyre, ZeuS and Kronos, to more recently discovered malware, such as Shifu and CoreBot, fraudsters have a host of advanced capabilities at their disposal to help them bypass existing bank defenses.
In this article we introduce two new additions to the malware (financial trojan) clan; Corebot and Shifu.
Corebot is named after debug file string Core.pdb. It’s currently known features include:
- Steal saved passwords for Email, FTP, Web sites, etc.
- Steal information typed into Web forms
- Download and install an updated version, and/or additional malware
- Notify the bot master of active online banking sessions
- Allow takeover of Web sessions via a hidden VNC service
Corebot has been observed targeting online customer accounts of financial institutions. It achieves this end by performing web injections inside the victim’s browser. These injects are stored in a configuration file which is pushed by it’s controller, thereby creating a dynamic targeting system that can be updated at will. Additionally, it may install a virtual network computing (VNC) module, which can provide remote control for the attacker to hijack online sessions.
Shifu, Japanese for ‘thief’, was first reported targeting Japan and evolved from “Shiz” Trojan. It is likely not Japanese in origin, as it has every sign of being part of the Eastern European cybercrime scene. It borrows from Dridex, Gozi and ZeusVM.
These two new variants of financial trojan malware have not committed much cybercrime this far, however, seem to be gaining traction in fraudulent activity.
iZOOlabs provides a dedicated Malware Lab for a full range of malware analysis to provide a rapid mitigation and response from the latest malware attacks.