Delaware, USA – November 7, 2017 – After a two-year break, attacks using the banking Trojan Corebot are resumed. The campaign against a number of Canadian banks was discovered by researchers from Deep Instinct, who continues to analyze this malware. The attackers changed their tactics and armed the Trojan with tools to avoid detailed analysis of the malicious code. The virus is spread via spam campaign: emails contain a link to “invoice.” If a victim clicks on a link, two malicious files are downloaded and executed on her computer. After that, a scheduled task is created to ensure malware persistence. Corebot leverages webinjection and allows attackers to perform a MITM attack. Communications with C2 server occurs by sending HTTPS packets on port 443. It is noteworthy that the IP address used in this campaign was recently used to distribute another banking Trojan, Emotet, and this information allows linking this campaign to other attacks on financial institutions.
Recently, along with the emergence of new malware, adversaries return to their arsenal modified versions of Trojans and Ransomware. One of the ways to detect malicious activity in your organization is to monitor traffic flows. Spikes of HTTP, HTTPS, or DNS traffic may indicate a Trojan’s activity or data leakage. Using Netflow Security Monitor for ArcSight, QRadar and Splunk, you can always be aware of any deviations and configure receiving notifications about suspicious surges of traffic.