Connect with us

Hi, what are you looking for?


Malware & Threats

Online Shop Selling Account Data Linked to CoreBot Malware

Researchers have found a connection between the recently uncovered CoreBot malware and an online shop that specializes in selling account information associated with various websites and services.

Researchers have found a connection between the recently uncovered CoreBot malware and an online shop that specializes in selling account information associated with various websites and services.

The existence of CoreBot was brought to light in late August by researchers at IBM. The malware was initially classified as a stealer as it was designed to steal passwords stored locally by web browsers. The threat also targeted FTP clients, email clients, cryptocurrency wallets, webmail accounts, private certificates, and personal data from various desktop apps.

IBM published a follow-up report last week to state that the malware, which uses a modular plugin system to allow its creators to easily enhance its capabilities, had turned into a full-fledged banking Trojan capable of intercepting and stealing data in real time. The list of new features includes form grabbing, a VNC module, web injections, and man-in-the-middle (MitM) functionality. Experts believe the new samples were likely released following a long development and testing process.

The first versions of CoreBot identified by IBM had a domain generation algorithm (DGA) for command and control (C&C) communications, but the feature was not active and the malware had communicated with two predetermined domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Researchers at Damballa have analyzed these domains and found that they were both on the same IP address and they were both registered by the same individual or group using the email address drake.lampado777@gmail[.]com. The same IP address also hosted C&C servers for the Carberp Trojan and the TVSPY malware (also known as TVRAT, SpY-Agent or teamspy).

Damballa also discovered that the email address drake.lampado777@gmail[.]com was used to register more than 30 other domains. One of these domains is, an online shop registered on July 30, 2015, that specializes in selling account information and Socket Secure (SOCKS) proxies.

When users register on this website, they are provided a 41-character hash that serves as both username and password for logging into BTC Shop. Customers are also assigned a Bitcoin wallet to which they have to add money when they purchase something.

Advertisement. Scroll to continue reading.

When Damballa tested the shop, there were four SOCKS proxies in the US that could be purchased. At the time of writing, there is only one proxy in the United States and one in Canada.

As far as accounts are concerned, there are roughly 10,000 up for sale from more than 70 countries. The site’s creators claim to be offering accounts for websites and various types of services, including HTTP, FTP, and SSH. Damballa believes the account details sold on BTC Shop could also include personally identifiable information.

The owner of the cybercrime shop also invites product developers to sell their creations on the website for a one percent commission per sale.

While they haven’t found conclusive evidence, Damballa researchers believe the individual or group behind the “Drake Lampado” email address could be using CoreBot and TVSPY to harvest information that they sell on BTC Shop.

Kleissner & Associates, a botnet monitoring firm acquired in July by LookingGlass, told SecurityWeek that they are currently seeing up to 60 CoreBot infections per day from the botnet they are monitoring. While nearly a quarter of the infections are in the United States, the malware has also been spotted in Japan, Thailand, Congo, India, Taiwan, Vietnam, Egypt, Moldova, Russia, and the United Kingdom.

Kleissner & Associates has also analyzed the domains used for C&C communications by CoreBot. Experts say the domains were registered under the name Vladimir from Moscow, Russia. The server hosting the domains, also located in Russia, is no longer active as a web server, the security firm said.

This is not the first time the drake.lampado777@gmail[.]com email address has been associated with cybercriminal activity. Roughly one year ago, a user reported on Reddit that an individual using this address hijacked his account on the cryptocurrency exchange Cryptsy and stole his Bitcoins.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.