
Win32/Corkow banking trojan attacks Russian users

Our anti-virus laboratory has detected high activity from a complex banking trojan of Russian origin, Win32/Corkow, which has infected thousands of computers. The first Corkow variants appeared in 2011, and detection for it was added to our anti-virus database at that time. Unlike Carberp, which gained worldwide notoriety, Corkow received little attention from researchers or the public and stayed largely unnoticed all this time.

Like other banking malware such as Hesperbot, which ESET researchers discovered last September, Win32/Corkow has a modular architecture: attackers can extend the malware's capabilities with whichever plug-ins they need. These modules give attackers access to confidential user data through the following features: a keylogger, desktop screenshots, web injections, and theft of data entered into web forms.

In addition to the features above, Win32/Corkow gives attackers remote access to the infected computer (a backdoor) and acts as a downloader for another malicious program, the Pony password stealer (detected by ESET products as Win32/PSW.Fareit). Thus, with the help of this malware, attackers gain full access to the compromised user's data.


As the diagram above shows, Russia accounts for the largest share of infections at 73%, with Ukraine second at 13%. It is not surprising that these countries suffered more than others: Corkow itself is of Russian origin and contains a malicious module aimed at compromising the iBank2 online banking system, which Russian banks and their customers use to complete banking transactions quickly. Corkow also contains a module for attacking the Sberbank online banking application.


The screenshot above shows a fragment of the malicious Java code containing strings in Russian and Ukrainian. These strings are used in iBank2 when displaying information about the user's account balance.

Using this malware, attackers collect the following information from a compromised computer: the web browser history, the list of installed applications and when each was last used, and the list of running processes. Judging by the list of applications Corkow hunts for, it is clear to us that the attackers are interested in various trading-platform applications as well as online banking applications.

Another interesting feature of Corkow is its focus on websites and software related to the Bitcoin virtual currency, as well as on computers belonging to Android developers who publish their applications on Google Play. This lets attackers gain unauthorized access to the Bitcoin accounts of compromised users, with all the ensuing consequences.

Corkow encrypts its payload using the volume serial number of the C: drive, so a sample copied to any other computer cannot be decrypted, which makes analyzing it there hopeless.
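To make the consequence for analysts concrete, here is an added Python model of host-keyed payload encryption. It is not Corkow's real scheme and none of it comes from the original post: the key derivation (SHA-256 of the serial), the counter-mode keystream, the fake PE payload and the serial value 0x1A2B3C4D are all constructed for illustration. What it shows is the property the article describes: the same encrypted blob decrypts to a valid image only when the volume serial of the original host is supplied, and it fails on a sandbox or analyst workstation. The `read_volume_serial` helper uses the real `kernel32.GetVolumeInformationW` call and is guarded so the script also runs on non-Windows systems.

```python
import ctypes
import hashlib
import os
from typing import Optional

# Constructed toy scheme: key the payload to the C: volume serial.
# This is NOT Corkow's real algorithm; it only models the property described
# in the article: decryption needs a value that exists only on the victim host.

def derive_key(volume_serial: int) -> bytes:
    """Turn the 32-bit volume serial into a 256-bit key (assumed KDF)."""
    return hashlib.sha256(volume_serial.to_bytes(4, "little")).digest()

def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])

def xor_with_serial(data: bytes, volume_serial: int) -> bytes:
    """Encrypt or decrypt (XOR is symmetric) under the serial-derived key."""
    ks = keystream(derive_key(volume_serial), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def looks_like_pe(data: bytes) -> bool:
    """Plausibility check an analyst would run on a decryption attempt."""
    return data.startswith(b"MZ") and b"DOS mode" in data

def try_decrypt(blob: bytes, volume_serial: int) -> Optional[bytes]:
    """Return the plaintext if the candidate serial yields a PE image, else None."""
    candidate = xor_with_serial(blob, volume_serial)
    return candidate if looks_like_pe(candidate) else None

def read_volume_serial(root: str = "C:\\") -> Optional[int]:
    """Read the live volume serial via kernel32.GetVolumeInformationW (Windows only)."""
    if os.name != "nt":
        return None
    serial = ctypes.c_uint32(0)
    max_component_len = ctypes.c_uint32(0)
    fs_flags = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        ctypes.c_wchar_p(root), None, 0,
        ctypes.byref(serial), ctypes.byref(max_component_len), ctypes.byref(fs_flags),
        None, 0)
    return serial.value if ok else None

# Constructed sample: a fake PE-like payload and the victim's recorded serial.
VICTIM_SERIAL = 0x1A2B3C4D   # constructed; in practice recorded from the infected host
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode"
ENCRYPTED_BLOB = xor_with_serial(SAMPLE_PAYLOAD, VICTIM_SERIAL)

if __name__ == "__main__":
    # On a sandbox or analyst workstation the serial differs, so decryption fails.
    local_serial = read_volume_serial() or 0x11111111   # constructed fallback
    print("decrypts with local serial :", try_decrypt(ENCRYPTED_BLOB, local_serial) is not None)
    # With the serial recorded from the victim machine the payload is recovered.
    print("decrypts with victim serial:", try_decrypt(ENCRYPTED_BLOB, VICTIM_SERIAL) == SAMPLE_PAYLOAD)
```

The practical lesson for incident responders is to record the C: volume serial (the `vol C:` output, or the value `GetVolumeInformationW` returns) from the infected host before imaging or copying samples off it; without that value a host-keyed payload stays opaque in the lab.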

Our telemetry recorded sharp drops and rises in this malware's activity from its first detection in October 2011. Activity declined in the second half of 2012 and then increased again.

Perhaps the group that spread Corkow was held criminally liable, as the prolonged decline in the malware's activity in the second half of 2012 suggests.

In the next part we will publish a detailed analysis of this malware.

Source: https://habr.com/ru/post/212573/