Online Shop Selling Account Data Linked to CoreBot Malware

  • 15 September 2015
  • 0 replies
  • 97 views

See also: CoreBot Is the New Data Stealer Discovered by IBM's X-Force and CoreBot Becomes Full-Fledged Banking Trojan
 
By Eduard Kovacs on September 15, 2015

The first versions of CoreBot identified by IBM had a domain generation algorithm (DGA) for command and control (C&C) communications, but the feature was not active and the malware had communicated with two predetermined domains: vincenzo-sorelli[.]com and arijoputane[.]com.

Researchers at Damballa have analyzed these domains and found that they were both on the same IP address and they were both registered by the same individual or group using the email address drake.lampado777@gmail[.]com. The same IP address also hosted C&C servers for the Carberp Trojan and the TVSPY malware (also known as TVRAT, SpY-Agent or teamspy).

Damballa also discovered that the email address drake.lampado777@gmail[.]com was used to register more than 30 other domains. One of these domains is btcshop.cc, an online shop registered on July 30, 2015, that specializes in selling account information and Socket Secure (SOCKS) proxies.

Full Article
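The infrastructure pivot the article attributes to Damballa (two hard-coded C&C domains sharing an IP address and a registrant email, and that email tying in btcshop.cc) is a generic shared-attribute expansion that a defender can reproduce over their own WHOIS and passive-DNS data. The following is an added illustration, not code from the article, from Damballa or from IBM: the domain names and registrant email are the ones the article gives, while the IP addresses, the "unrelated.example" control entry and the two DNS log lines are constructed placeholders (the article does not publish the real IP). The `pivot` function expands a seed set of defanged indicators to every domain that transitively shares an IP or registrant with a seed and records why each domain was pulled in, and `match_log` checks a DNS log line against the refanged result.

```python
from collections import defaultdict

# Constructed records modelled on the article's facts. IPs are placeholders
# from the RFC 5737 documentation ranges; "unrelated.example" is a control
# entry that must NOT be pulled into the cluster.
RECORDS = [
    {"domain": "vincenzo-sorelli[.]com", "ip": "198.51.100.10",
     "registrant": "drake.lampado777@gmail[.]com", "tag": "CoreBot C&C"},
    {"domain": "arijoputane[.]com", "ip": "198.51.100.10",
     "registrant": "drake.lampado777@gmail[.]com", "tag": "CoreBot C&C"},
    {"domain": "btcshop.cc", "ip": "203.0.113.5",
     "registrant": "drake.lampado777@gmail[.]com", "tag": "account shop"},
    {"domain": "unrelated.example", "ip": "192.0.2.77",
     "registrant": "someone@example.net", "tag": "benign control"},
]

# Constructed DNS log lines (placeholder client IPs) for the matching step.
SAMPLE_LOG = [
    "2015-09-15T10:01:02Z dns client=10.0.0.5 qname=arijoputane.com type=A",
    "2015-09-15T10:01:03Z dns client=10.0.0.6 qname=unrelated.example type=A",
]


def refang(value):
    """Undo common defanging so an indicator can be compared with log data."""
    return (value.replace("[.]", ".")
                 .replace("(.)", ".")
                 .replace("hxxp://", "http://"))


def normalise(records):
    """Refang every string field of every record."""
    return [{k: refang(v) for k, v in r.items()} for r in records]


def pivot(records, seed_domains, keys=("ip", "registrant")):
    """Return {domain: reason} for the closure of seed_domains under
    'shares an attribute named in keys' (the Damballa-style pivot)."""
    records = normalise(records)
    by_domain = {r["domain"]: r for r in records}
    # Inverted index: attribute value -> set of domains carrying it.
    index = {k: defaultdict(set) for k in keys}
    for r in records:
        for k in keys:
            index[k][r[k]].add(r["domain"])

    found = {refang(d): "seed" for d in seed_domains}
    frontier = list(found)
    while frontier:
        d = frontier.pop()
        rec = by_domain.get(d)
        if rec is None:          # seed with no record on hand: nothing to expand
            continue
        for k in keys:
            for other in index[k][rec[k]]:
                if other not in found:
                    found[other] = "shares %s %s with %s" % (k, rec[k], d)
                    frontier.append(other)
    return found


def match_log(line, indicators):
    """Return the indicator domains that appear in one DNS log line."""
    line = line.lower()
    return sorted(d for d in indicators if d in line)


if __name__ == "__main__":
    cluster = pivot(RECORDS, ["vincenzo-sorelli[.]com", "arijoputane[.]com"])
    for domain, reason in sorted(cluster.items()):
        print("%-25s %s" % (domain, reason))
    for line in SAMPLE_LOG:
        print(match_log(line, cluster), "<-", line)
```

Expanding on registrant email as well as IP is what makes btcshop.cc appear even though it sits on a different address; the recorded reason string is what an analyst needs to justify (or reject) each blocklist entry, since shared hosting makes an IP-only pivot noisy.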
