Security researchers have discovered the sophisticated banking trojan CoreBot is making a comeback to target online banking customers via phishing emails. The nefarious CoreBot trojan was mainly active during the summer of 2015.
However, researchers at Deep Instinct noticed a new, modified variant of the malware is being distributed via malicious spam emails with Microsoft Office documents attached.
"The documents contained VBA scripts which users were tricked to run, leading to the payload being downloaded and executed," Deep Instinct researchers Tal Leibovich & Shaul Vilkomir-Preisman said in a blog post on Wednesday (1 November), noting that the latest campaign seemed to have begun on Tuesday.
The phishing email appears to thank the user for their "propt payment" and contains a "View Invoice" link that, once clicked, initiates the download of the malicious payload. The malware is also able to evade detection by checking for several processes that indicate sandboxing.
Researchers said initial analysis of the new CoreBot variant seemed to suggest that it is related to other active banking malware campaigns. However, they did not specify which campaigns it could be linked to.
The creators of the CoreBot malware also seem to have shifted the command and control domain server to a different IP address since the last campaign. According to ZDNet, the IP addresses delivering the malware seem to be based in France and Canada.
Customers of several Canadian banking websites including TD, Desjardins, RBC, Banque Nationale and Scotiabank have been targeted with phishing emails carrying the new malicious payload designed to steal their credentials, ZDNet reports.
"To make an old attack like CoreBot effective again, you simply have to make changes to the key indicators of compromise that would give it away," Tony Rowan, chief security consultant at SentinelOne, told SC Media UK. "Modify the code so that the signature is different (trivial), improve its detection avoidance and change its command and control structure. That all requires some work but it is minor compared to a completely new attack development."
He also noted that hackers often refurbish old malware code to include new evasion techniques, new C&C structure and more rather than create new malicious software from scratch.
"If it worked before, why not again?" he said. "It's much easier and cheaper than building a new attack from the ground up," he added. "This is business as usual for the attackers. We are seeing hundreds of thousands of unique 'new' malware each day. These aren't really new. They are variants of previous ones."