Modular Corkow banking Trojan poised for success
Posted on 12.02.2014
Banking Trojans are among the most used stealthy malware, and the most popular ones are undoubtedly Zeus, SpyEye, Citadel and Carberp.


Still, that doesn't mean there is no room on the market for others, especially when a new Trojan type is modular and, therefore, offers many more capabilities than just information-stealing via key-logging, screen-shotting, and form-grabbing.

An example of this is the Corkow Trojan. Currently targeting mostly Russian and Ukrainian users and managing to infect several hundred of them each day, the malware is not new, but it has yet to reach the popularity of the four mentioned earlier, despite its versatility.

Corkow doubles down on password-stealing by incorporating the universal password stealer “Pony”, which goes after different types of login credentials and FTP account information.

It also contains a module dedicated to collecting additional data (browser history, which applications the user uses, and so on) and another that gives attackers remote access to the victims' computers.

But what differentiates this banking Trojan from others? Firstly, the malware is on the lookout for indications that the victim is visiting websites and using software related to Bitcoin, as well as for evidence that the computer might belong to an Android developer.

"Quite what the criminals behind the Corkow malware plan to do by illegally accessing victims’ Bitcoin accounts is probably obvious, but there are also sinister consequences if the login details of a legitimate Android developer were also to fall into the wrong hands," pointed out Graham Cluley.

Secondly, Corkow uses an interesting and probably quite effective anti-analysis technique: its payload is encrypted using the Volume Serial Number of the C: drive, so if it is moved to and run on another computer, it doesn't start behaving maliciously there.

ESET researchers have promised to share their findings about Corkow next week, hopefully along with more details on how it's usually delivered to users.








