Win32/Afcore Family of Trojans Detection Added to April MSRT

Microsoft added the "Win32/Afcore" family of trojans to its MSRT detections, at the request of the FBI and the Department of Justice to support a takedown operation.

This malware is also known as Coreflood. It has evolved over time, first breaking onto the scene in 2003. At the time, it was encountered when visiting a malicious web page containing obfuscated VBScript and detected as TrojanDropper:VBS/Inor.B. Using hexadecimal encoding, the VBScript dropper would create an executable, detected as Backdoor:Win32/Apdoor.C. Its main functionality was somewhat simple then and the malware referred to itself as "AICORE" in its debug messages.

Win32/Afcore comprises two components, a dropper and installed malware that runs as a backdoor. The backdoor component is injected into running processes and connects to a remote server to retrieve commands that are executed on the affected system. Commands could include instructions to steal passwords, attack other computers and so on. When the dropper is executed, it creates randomly named executable and data files.

Win32/Afcore injects code from a utility "jb.dll", known as "jailbreak tool", to export certificates marked as non-exportable from the Windows certificate store. The certs could then be used by an attacker to access online banking sites in an unauthorized manner.

Additionally, Win32/Afcore could monitor network traffic to steal credentials associated with performing online mobile payments. Win32/Afcore contains code that assists in capturing traffic and stealing information communicated when visiting websites whose URLs contain the following strings, two of which are associated with National Health Service sites:
*.nhs.net/*
*.nhs.uk/*
*.hilton.*
*.yahoo.*
*.google.*

The trojan monitors communication sent via secure hypertext transfer protocol (HTTPS) as well. Win32/Afcore has been known to communicate with servers named "joy4host.com" and "antrexhost.com". The IP addresses reported for these servers were located in Germany.
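As an added hunting example (not code from the MPC post or from Microsoft), the following script turns the wildcard site strings listed above into matchers and checks proxy records for the two server names the post reports; sources that both contacted a named server and visited a targeted site are escalated for credential resets. The log format and the sample lines are assumptions constructed for this example.

```python
import re
# Constructed for this example: the wildcard strings the post says the trojan
# watches for, and the C2 server names it has been reported to contact.
TARGET_PATTERNS = ["*.nhs.net/*", "*.nhs.uk/*", "*.hilton.*", "*.yahoo.*", "*.google.*"]
C2_HOSTS = {"joy4host.com", "antrexhost.com"}

def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn an Afcore-style wildcard ('*' matches anything) into an anchored regex."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)

TARGET_REGEXES = [glob_to_regex(p) for p in TARGET_PATTERNS]

def matches_target(host: str, path: str) -> bool:
    """True if host+path would be captured by one of the trojan's site patterns."""
    return any(r.match(host + path) for r in TARGET_REGEXES)

def is_c2_host(host: str) -> bool:
    """Exact or subdomain match against the named C2 servers."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS)

# Hypothetical proxy log format assumed here: 'src=<ip> host=<name> path=<path>'.
LOG_RE = re.compile(r"src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S+)")

def triage(lines):
    """Group records by source IP; note C2 contacts and targeted-site visits."""
    report = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        src, host, path = m.group("src"), m.group("host"), m.group("path")
        entry = report.setdefault(src, {"c2": set(), "targeted": set()})
        if is_c2_host(host):
            entry["c2"].add(host)
        elif matches_target(host, path):
            entry["targeted"].add(host)
    return report

def hosts_to_escalate(lines):
    """Sources that both contacted a C2 name and visited a site the trojan targets."""
    return sorted(s for s, e in triage(lines).items() if e["c2"] and e["targeted"])

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2011-04-13T09:58:10 src=10.0.0.5 host=www.nhs.uk path=/login",
    "2011-04-13T09:59:02 src=10.0.0.5 host=joy4host.com path=/cmd",
    "2011-04-13T10:01:44 src=10.0.0.7 host=mail.yahoo.com path=/inbox",
    "2011-04-13T10:02:05 src=10.0.0.9 host=antrexhost.com path=/",
]
print(hosts_to_escalate(SAMPLE_LOG))  # prints ['10.0.0.5']
```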

[Source: Microsoft MPC blog]