Win32/Corkow banking Trojan attacks Russian users

    Our anti-virus laboratory has detected high activity from Win32/Corkow, a sophisticated banking trojan of Russian origin that has infected thousands of computers. The first Corkow variants appeared back in 2011, when it was added to our anti-virus database. Unlike Carberp, which gained worldwide fame, Corkow received little attention from researchers or the public and stayed largely unnoticed all this time.



    Like other banking malware, such as Hesperbot, which ESET researchers discovered last September, Win32/Corkow has a modular architecture: attackers can extend its capabilities with whatever plug-ins they need. These modules give attackers access to confidential user data through the following features: a keylogger, desktop screenshots, web injection, and theft of data from web forms.

    In addition to the features above, Win32/Corkow also gives attackers remote access to the infected computer (backdoor) and acts as a downloader that installs another malicious program, the Pony password stealer (detected by ESET anti-virus products as Win32/PSW.Fareit), on the system. Thus, using this malware, attackers gain full access to a compromised user's data.



    As the diagram above shows, the largest share of infections, 73%, is in Russia, with Ukraine in second place at 13%. It is not surprising that these countries suffered more than others, since Corkow itself is of Russian origin and contains a malicious module aimed at compromising the iBank2 online banking system, which Russian banks and their customers use to perform banking operations quickly. In addition, Corkow contains a module for attacking the Sberbank online banking application.



    The screenshot above shows part of the malicious Java code, which contains strings in Russian and Ukrainian. These strings are the ones iBank2 uses when displaying information about the user's account balance.

    Using this malware, cybercriminals collect the following information from a compromised user's computer: the web browser's visit history, the list of installed applications and when each was last used, and the list of running processes. Based on the list of applications Corkow hunts for, it is obvious to us that the attackers are interested in various trading platform applications, as well as applications for working with online banking.

    Another interesting feature of Corkow is its focus on websites and related software connected with the virtual currency Bitcoin, as well as on computers owned by developers of Android applications who host their applications on Google Play. Attackers can then gain unauthorized access to compromised users' Bitcoin accounts, with all the ensuing consequences.

    Corkow encrypts its payload using the volume serial number of the C: drive as a key, so a copy of the sample taken to another computer cannot be decrypted and analyzed there.
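To make the analysis consequence of host-bound encryption concrete, here is an added example (not Corkow's code; the page gives no details of its actual scheme). Everything in it is hypothetical: the key derivation (SHA-256 of the 32-bit serial), the XOR keystream cipher, the `vol C:` output and the payload bytes are constructed stand-ins. The point it shows is that the key lives on the host rather than in the sample, so an analyst has to capture the volume serial number together with the sample, and a wrong serial yields junk rather than a recognizable PE image.

```python
import hashlib
import re

# Constructed sample of the Windows "vol C:" output that an analyst would
# capture on the infected machine together with the sample (hypothetical
# serial number, not a real victim's).
VOL_OUTPUT = """ Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D
"""

# Constructed stand-in for a decrypted payload: an MZ header followed by filler.
PAYLOAD = b"MZ" + bytes(range(256)) * 2


def parse_volume_serial(vol_output: str) -> int:
    """Extract the 32-bit volume serial number from 'vol' output as an int."""
    m = re.search(r"Volume Serial Number is ([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})", vol_output)
    if not m:
        raise ValueError("no volume serial number found in vol output")
    return int(m.group(1) + m.group(2), 16)


def derive_key(volume_serial: int) -> bytes:
    """Hypothetical key derivation: SHA-256 over the little-endian serial."""
    return hashlib.sha256(volume_serial.to_bytes(4, "little")).digest()


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Hypothetical symmetric cipher: XOR with SHA-256(key || block counter) blocks.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "little")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def recover_payload(encrypted_blob: bytes, volume_serial: int) -> bytes:
    """Decrypt a host-bound blob given the serial captured from that host."""
    return xor_keystream(encrypted_blob, derive_key(volume_serial))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check an analyst can apply: did decryption yield an MZ header?"""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    serial = parse_volume_serial(VOL_OUTPUT)
    # Build the host-bound blob; the cipher is symmetric, so this is the same call.
    blob = xor_keystream(PAYLOAD, derive_key(serial))
    print(f"serial 0x{serial:08X}: PE header recovered? "
          f"{looks_like_pe(recover_payload(blob, serial))}")
    print(f"serial 0x{serial ^ 1:08X}: PE header recovered? "
          f"{looks_like_pe(recover_payload(blob, serial ^ 1))}")
```

For triage, this means the sample alone is not enough: record the volume serial number (or image the volume) at collection time, otherwise the encrypted payload stays inert in the sandbox and the decrypted modules never appear.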

    Our telemetry system has recorded sharp drops and rises in the activity of this malware since its first detection in October 2011. In the second half of 2012 its activity declined, after which it increased again.



    It is possible that the group distributing Corkow was prosecuted; the prolonged decline in malware activity in the second half of 2012 may be evidence of this.

    In the next part, we will publish a detailed study of this malware.
