CoreBot, updated in 2015, is a banking trojan with increased functionality. CoreBot was initially used to steal locally stored sensitive information but incapable of intercepting data in real time; however, it has morphed into a banking trojan with modular architecture, similar to Dyre. Upon execution, CoreBot steals the victim’s credentials and uses social engineering to trick the victim into revealing personally identifiable information (PII). The trojan then alerts the attacker to prepare for session authentication and displays a wait notice to the victim while the attacker connects to the endpoint through virtual network computing (VNC), and takes control of the session. The actor is then able to initiate payment transactions and transfers. When CoreBot was updated in 2015, the following functionalities were added:

  • Browser hooking for Internet Explorer, Firefox, and Google Chrome,
  • Man-in-the-Middle capabilities,
  • Real-time form-grabbing,
  • URL triggers targeted at banks,
  • VNC module for remote control,
  • Web injection mechanism,
  • Web injections from a remote server.


  • September 2015: CoreBot was updated to include 55 URL triggers to launch the trojan. All triggers are comprised of US, UK, and Canadian online banking sites. (Security Intelligence)   
  • January 2016: CoreBot was used in to infect victims through an email tax scam. (SPAMfighter)          

Technical Details                                                                                                                

  • Symantec provides technical details on the CoreBot trojan, available here.
One example of the CoreBot trojan. Image Source: Security Intelligence

One example of the CoreBot trojan. Image Source: Security Intelligence