Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Online Shop Selling Account Data Linked to CoreBot Malware

Researchers have found a connection between the recently uncovered CoreBot malware and an online shop that specializes in selling account information associated with various websites and services.

Researchers have found a connection between the recently uncovered CoreBot malware and an online shop that specializes in selling account information associated with various websites and services.

The existence of CoreBot was brought to light in late August by researchers at IBM. The malware was initially classified as a stealer as it was designed to steal passwords stored locally by web browsers. The threat also targeted FTP clients, email clients, cryptocurrency wallets, webmail accounts, private certificates, and personal data from various desktop apps.

IBM published a follow-up report last week to state that the malware, which uses a modular plugin system to allow its creators to easily enhance its capabilities, had turned into a full-fledged banking Trojan capable of intercepting and stealing data in real time. The list of new features includes form grabbing, a VNC module, web injections, and man-in-the-middle (MitM) functionality. Experts believe the new samples were likely released following a long development and testing process.

The first versions of CoreBot identified by IBM had a domain generation algorithm (DGA) for command and control (C&C) communications, but the feature was not active and the malware had communicated with two predetermined domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Researchers at Damballa have analyzed these domains and found that they were both on the same IP address and they were both registered by the same individual or group using the email address [email protected][.]com. The same IP address also hosted C&C servers for the Carberp Trojan and the TVSPY malware (also known as TVRAT, SpY-Agent or teamspy).

Damballa also discovered that the email address [email protected][.]com was used to register more than 30 other domains. One of these domains is, an online shop registered on July 30, 2015, that specializes in selling account information and Socket Secure (SOCKS) proxies.

When users register on this website, they are provided a 41-character hash that serves as both username and password for logging into BTC Shop. Customers are also assigned a Bitcoin wallet to which they have to add money when they purchase something.

When Damballa tested the shop, there were four SOCKS proxies in the US that could be purchased. At the time of writing, there is only one proxy in the United States and one in Canada.

As far as accounts are concerned, there are roughly 10,000 up for sale from more than 70 countries. The site’s creators claim to be offering accounts for websites and various types of services, including HTTP, FTP, and SSH. Damballa believes the account details sold on BTC Shop could also include personally identifiable information.

The owner of the cybercrime shop also invites product developers to sell their creations on the website for a one percent commission per sale.

While they haven’t found conclusive evidence, Damballa researchers believe the individual or group behind the “Drake Lampado” email address could be using CoreBot and TVSPY to harvest information that they sell on BTC Shop.

Kleissner & Associates, a botnet monitoring firm acquired in July by LookingGlass, told SecurityWeek that they are currently seeing up to 60 CoreBot infections per day from the botnet they are monitoring. While nearly a quarter of the infections are in the United States, the malware has also been spotted in Japan, Thailand, Congo, India, Taiwan, Vietnam, Egypt, Moldova, Russia, and the United Kingdom.

Kleissner & Associates has also analyzed the domains used for C&C communications by CoreBot. Experts say the domains were registered under the name Vladimir from Moscow, Russia. The server hosting the domains, also located in Russia, is no longer active as a web server, the security firm said.

This is not the first time the [email protected][.]com email address has been associated with cybercriminal activity. Roughly one year ago, a user reported on Reddit that an individual using this address hijacked his account on the cryptocurrency exchange Cryptsy and stole his Bitcoins.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.