Corkow is an advanced, business-oriented banking Trojan. It has been used to steal data since 2011 and has evolved in complexity over the past few years. It remains a prevalent threat, aimed primarily at banks and banking users in Russia and Ukraine. Corkow has many similarities to other sophisticated module-based banking Trojans, such as Carberp and Hesperbot, but it also features a couple of novel tricks of its own.
The presentation will document the different functions carried out by Corkow as well as its recent distribution methods and infrastructure. The aim of the operation is to take down the infrastructure and dismantle the malware’s capabilities to mutate and push updates to already infected hosts. The secondary aim is to identify the bad actors running this criminal operation. Boiled down, this is the security industry working together and fighting back.
Operation ‘Seek & Destroy: Banker-Corkow’ is a joint research effort between ESET and CSIS Security Group.