Banking Trojans are among the most used stealthy malware, and the most popular ones are undoubtedly Zeus, SpyEye, Citadel and Carberp.
Still, that doesn’t mean there is no room on the market for others, especially when a new Trojan type is modular and, therefore, offers many more capabilities that just information-stealing via key-logging, screen-shotting, and form-grabbing.
An example of this is the Corcow Trojan. Currently targeting mostly Russian and Ukrainian users and managing to infect several hundred of them each dat, the malware is not new, but it’s yet to reach the popularity of the four mentioned earlier – despite its versatility.
Corcow doubles down on password-stealing by incorporating the universal password stealer “Pony”, which goes after different types of login credentials and FTP account information.
It also contains a module set on the collection of additional data: browser history, which applications the user uses, and so on, and another that allows attackers remote access to the victims’ computer.
But what does differentiate this banking Trojan from others? Firstly, the malware is on the lookout for indications that the victim is visiting websites and using software related to Bitcoin, as well as for evidence the computers might belong to an Android developer.
“Quite what the criminals behind the Corkow malware plan to do by illegally accessing victims’ Bitcoin accounts is probably obvious, but there are also sinister consequences if the login details of a legitimate Android developer were also to fall into the wrong hands,” pointed out Graham Cluley.
Secondly, Corkow uses an interesting and probably quite effecting anti-analysis technique: its payload is encrypted using the Volume Serial Number of the C: drive, and if moved and run on another computer, it doesn’t start behaving maliciously on it.
ESET researchers have promised to share its findings about Corcow next week, hopefully also more details on how its usually delivered to users.