Researchers have found a connection between the recently uncovered CoreBot malware and an online shop that specializes in selling account information associated with various websites and services.
The existence of CoreBot was brought to light in late August by researchers at IBM. The malware was initially classified as a stealer as it was designed to steal passwords stored locally by web browsers. The threat also targeted FTP clients, email clients, cryptocurrency wallets, webmail accounts, private certificates, and personal data from various desktop apps.
IBM published a follow-up report last week to state that the malware, which uses a modular plugin system to allow its creators to easily enhance its capabilities, had turned into a full-fledged banking Trojan capable of intercepting and stealing data in real time. The list of new features includes form grabbing, a VNC module, web injections, and man-in-the-middle (MitM) functionality. Experts believe the new samples were likely released following a long development and testing process.
The first versions of CoreBot identified by IBM had a domain generation algorithm (DGA) for command and control (C&C) communications, but the feature was not active and the malware had communicated with two predetermined domains: vincenzo-sorelli[.]com and arijoputane[.]com.
Researchers at Damballa have analyzed these domains and found that they were both on the same IP address and they were both registered by the same individual or group using the email address [email protected][.]com. The same IP address also hosted C&C servers for the Carberp Trojan and the TVSPY malware (also known as TVRAT, SpY-Agent or teamspy).
Damballa also discovered that the email address [email protected][.]com was used to register more than 30 other domains. One of these domains is btcshop.cc, an online shop registered on July 30, 2015, that specializes in selling account information and Socket Secure (SOCKS) proxies.
When users register on this website, they are provided a 41-character hash that serves as both username and password for logging into BTC Shop. Customers are also assigned a Bitcoin wallet to which they have to add money when they purchase something.
When Damballa tested the shop, there were four SOCKS proxies in the US that could be purchased. At the time of writing, there is only one proxy in the United States and one in Canada.
As far as accounts are concerned, there are roughly 10,000 up for sale from more than 70 countries. The site’s creators claim to be offering accounts for websites and various types of services, including HTTP, FTP, and SSH. Damballa believes the account details sold on BTC Shop could also include personally identifiable information.
The owner of the cybercrime shop also invites product developers to sell their creations on the website for a one percent commission per sale.
While they haven’t found conclusive evidence, Damballa researchers believe the individual or group behind the “Drake Lampado” email address could be using CoreBot and TVSPY to harvest information that they sell on BTC Shop.
Kleissner & Associates, a botnet monitoring firm acquired in July by LookingGlass, told SecurityWeek that they are currently seeing up to 60 CoreBot infections per day from the botnet they are monitoring. While nearly a quarter of the infections are in the United States, the malware has also been spotted in Japan, Thailand, Congo, India, Taiwan, Vietnam, Egypt, Moldova, Russia, and the United Kingdom.
Kleissner & Associates has also analyzed the domains used for C&C communications by CoreBot. Experts say the domains were registered under the name Vladimir from Moscow, Russia. The server hosting the domains, also located in Russia, is no longer active as a web server, the security firm said.
This is not the first time the [email protected][.]com email address has been associated with cybercriminal activity. Roughly one year ago, a user reported on Reddit that an individual using this address hijacked his account on the cryptocurrency exchange Cryptsy and stole his Bitcoins.