{
	"id": "562b6465-dda5-4b6f-b8b8-7bcd6c4d9b1a",
	"created_at": "2026-04-06T00:15:49.861371Z",
	"updated_at": "2026-04-10T03:30:33.159579Z",
	"deleted_at": null,
	"sha1_hash": "80400379b3cd04287139d62d3c82763194240ab2",
	"title": "Corkow: Analysis of a business-oriented banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 793429,
	"plain_text": "Corkow: Analysis of a business-oriented banking Trojan\r\nBy Robert Lipovsky, Anton Cherepanov\r\nArchived: 2026-04-05 17:25:20 UTC\r\nIn his blog post last week, Graham Cluley introduced the Win32/Corkow banking Trojan. The malware, which\r\nhas been in the wild since at least 2011, has demonstrated continuous activity in the past year, infecting thousands\r\nof users. Version numbering of the various Trojan modules is another indicator that the malware authors are\r\ncontinually developing the trojan.\r\nThe most common infection vector – drive-by downloads – has been used to spread the malware.\r\nThis Russian tool for committing bank fraud shares many characteristics with other malware families with a\r\nsimilar purpose, such as Zeus (also known as Zbot), Carberp, Hesperbot, or Qadars, for example, but also contains\r\nsome unique functionality.\r\nSeveral features, such as enumeration of smart cards, the targeting of dedicated banking applications mostly used by\r\ncorporate customers, and the search for user activity relating to online banking sites and applications, electronic\r\ntrading platform sites and applications, and so forth, all suggest that the attackers are focusing their sights on\r\nfinancial professionals and enterprises, whose bank accounts usually hold a higher balance than those of most\r\nindividuals.\r\nIn this post, we expand on the information mentioned by Graham and provide additional technical details.\r\nAnalysis\r\nAs is the case with other banking Trojans (for example Win32/Spy.Hesperbot), the architecture of Win32/Corkow\r\nis comprised of a main module and several plug-in modules to deliver specific functionality. Each of Corkow’s\r\nplug-in modules is implemented as a Dynamic Link Library (DLL). We will refer to the main component as the\r\n‘core DLL’. Most of the other plugins are embedded in the core module but some are downloaded from the C\u0026C\r\nserver. 
In either case, the core DLL will load and run these modules, injecting them into various processes in the\r\nsystem. Table 1 presents the different modules seen in all of the Win32/Corkow samples we have analyzed. Note\r\nthat not all samples necessarily contain every module.\r\nhttps://www.welivesecurity.com/2014/02/27/corkow-analysis-of-a-business-oriented-banking-trojan/\r\nPage 1 of 9\n\nTable 1 - Description of analysed Win32/Corkow modules\r\nWhile the core DLL is responsible for launching every module and for downloading configuration data from the\r\nC\u0026C, each plug-in module contains the C\u0026C URLs as well and uploads collected data directly.\r\nAs can be seen in the table above, Win32/Corkow contains functionality that one would expect from a typical\r\nbanking trojan, including keystroke logging, screenshots and HTTP form-grabbing for intercepting log-in\r\ncredentials to online banking. However, the last three listed modules have caught our attention. The trojan uses\r\ntwo dedicated modules to target Russian banking clients: one for iBank2, a widely-used banking application used\r\nby several banks, and one for Sberbank, Russia’s largest bank. The module called ‘DC’ searches for indicators of\r\nuser activity relating to various trading platform applications and sites, standalone banking applications, banking\r\nsites, Bitcoin sites, and software and Google Play developer activity. We’ll describe these modules and the core\r\nmodule more in-depth in the following text.\r\nBut before we get to that, let’s take a look at Corkow’s installation procedure and its ‘hardware-binding’\r\ntechnique.\r\nInstallation\r\nWin32/Corkow features an interesting and relatively sophisticated installation procedure. The trojan is usually\r\ndelivered to the victim by a dropper executable that contains the core DLL in its resources. 
When the dropper is\r\nrun, the installation is carried out in the following steps:\r\nFigure 1 - Installation procedure of Win32/Corkow\r\n1. The dropper decrypts the embedded core DLL and calls its DllMain function, passing it one of three paths\r\nas a parameter. This path determines where and how the trojan should be installed. The chosen path\r\ndepends on whether the trojan is being run under a standard user account or an administrator account. The\r\npossible values are listed in Table 2.\r\n2. When the code of the core DLL is running, it will seek a host file to infect. For this, Corkow will select a\r\nlegitimate DLL file from the %SystemRoot%\\System32 directory that meets certain criteria (the file has to\r\nbe unprotected, and some specific file names and DLL imports are excluded).\r\n3. Corkow will then infect the selected DLL file by encrypting itself and writing its encrypted body into the\r\nresources section of the host. A decryption stub is also written to the file and added as a new export\r\nfunction, so that the malware’s body will be launchable after installation. The name of the export is also\r\ndependent on the installation path.\r\n4. The infected DLL is then saved to the installation path. Note that the host DLL file in the System32\r\ndirectory remains unchanged.\r\n5. A Registry entry is made to ensure the malware’s persistence on the system. Again, the Registry key\r\ndepends on the installation path and is listed in Table 2.\r\nTable 2 - Possible Installation Paths\r\nThere are multiple ways to load a DLL and Win32/Corkow will use one of the three methods listed in the table\r\nabove. 
Each of the methods loads a different DLL export, hence the different possible names for the decryption\r\nstub written into the host DLL during infection.\r\nAs stated above, the Corkow core DLL is written in the host DLL’s resources in an encrypted form and also\r\ncompressed using aPLib, a popular compression library. The encryption used is XOR with the encryption\r\nkeystream generated by the multiply-with-carry algorithm and derived from the Volume Serial Number of the C:\\\r\ndisk volume. This way, after installation the Corkow-infected-DLL is bound to the infected machine and will not\r\nrun on a different computer. This is one way in which Corkow protects itself against malware analysis.\r\nCore DLL, C\u0026C communication\r\nThe main module of Win32/Corkow is responsible for extracting the other embedded modules and injecting them\r\ninto corresponding processes, and for communication with the C\u0026C server.\r\nCorkow contains a list of URLs to which it tries to connect. The initial HTTP requests sent to the server contain\r\nsome basic system information, the version numbers of individual modules and a generated bot ID. In this way the\r\nkey for encrypting the communication (consisting of the C\u0026C domain name and the bot ID) is established. The\r\nserver will then respond with one of a few commands. The supported commands include:\r\nReboot\r\nDownload and execute arbitrary executable or DLL\r\nUpdate bot\r\nDownload configuration for certain modules\r\nWipe an arbitrary file on the system (by rewriting it with random data)\r\nUninstall itself, with the option of destroying the system\r\nThe last two mentioned commands show that, apart from data theft, Win32/Corkow is also able to cause\r\nirreparable damage to the system. 
When the uninstall command is sent with a specific parameter, the trojan will\r\nattempt to delete critical system files and overwrite the Master Boot Record and Master File Table with random\r\ndata, rendering the system unbootable.\r\nThe core DLL also contains the functionality to capture screenshots of the desktop, block specific applications\r\nfrom running and enumerate smartcards installed on the system.\r\nThe application-blocking functionality is determined by the bot’s configuration. The trojan iterates through\r\nrunning processes (the standard method with CreateToolhelp32Snapshot is used) in an infinite loop, and if the\r\nundesired process name is found, attempts to terminate it. Of course, the chances of success for this method in\r\nUser Mode are limited. It is most probably used to prevent victims from running banking applications (to check\r\ntheir account balances, and so forth).\r\nUnlike other more sophisticated trojans, Corkow cannot interact with smartcards, only enumerate them.\r\nInterestingly, it doesn’t even use common Windows API functions for interacting with smartcards, but instead\r\nenumerates all hardware devices (using the SetupDi API) and searches for specific device names.\r\nTargeting dedicated banking applications\r\nThe way Corkow targets the iBank2 application is quite interesting. iBank2 is a Java application, so Corkow\r\nattempts to capture its data by injecting its own malicious Java class into the Java Virtual Machine running\r\niBank2. 
To achieve this, the trojan first injects its IB2 module into each newly spawned Java process (java.exe or\r\njavaw.exe).\r\nFigure 2 - Corkow code for attaching to a Java Virtual Machine\r\nThe injected code then uses Java Native Interface (JNI) functions to get the pointer to the running Java VM,\r\nattaches itself to it (Figure 2) and loads its malicious Java class inside the VM. Figure 3 shows part of the\r\ndecompiled Java class. The class contains methods for getting the current balance of the victim’s bank account and\r\nmaking screenshots, and is able to copy key files used to authenticate the user.\r\nFigure 3 - Corkow's malicious Java class used against iBank2\r\nNotice that the code supports English, Russian and Ukrainian versions of the iBank2 application.\r\nThe Java injection technique described does not exploit any vulnerability in the iBank2 application itself. Other\r\nbanking trojans that have targeted the Java-based iBank2 platform include Win32/Spy.Ranbyus and\r\nWin32/Carberp, although different techniques were used in both those cases.\r\nThe SBRF module targets banking applications (Win32 platform) used by corporate customers of Sberbank. Like\r\nthe iBank2 module, the SBRF module can create screenshots and copy key files for authentication.\r\nDC module\r\nThis module scans for user activity by searching the following:\r\nRunning processes\r\nBrowser history – Corkow runs the third-party utility BrowsingHistoryView in order to read the history of\r\nMicrosoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari. 
The Opera web browser\r\nhistory file is opened directly.\r\nInstalled applications – by enumerating files in common installation directories\r\nLast-used applications – by enumerating the corresponding Registry entries\r\nInterestingly, though, the module does not send the full results of the search to the remote server. Instead it parses\r\nthe data and looks for specific finance-related strings from a defined list. The analyzed sample contained strings\r\nrelating to banking, electronic trading platforms and stock brokerages, digital currencies (including various\r\nBitcoin software and websites), various payment systems, and Google Play developer activity:\r\nTable 3 - Various finance-related software and websites referred to by Corkow's DC module\r\nApart from Russian and Ukrainian banks and software, the list also includes a wide range of banks based in\r\nSwitzerland, Singapore, Latvia, Lithuania, Estonia, Denmark, Croatia, the United Kingdom, Austria and Cyprus\r\n(including some banks that are now defunct).\r\nThe bot will then notify the attacker if any of the above-mentioned strings are found on the victim’s system.\r\nConclusion\r\nWin32/Corkow is an example of the consequences of leaked source code from other banking trojans. During the\r\nanalysis of the Corkow code, it proved fairly easy to spot various different programming styles and parts that were\r\nwritten by the malware authors themselves and other parts that were literally ‘copy \u0026 pasted’ from other banking\r\ntrojans. While Corkow may be technically less sophisticated than some other malware that we’ve analyzed, it will\r\nget the job done.\r\nFurthermore, the perpetrators operating the Corkow botnets apparently have a well-conceived modus operandi\r\nwith a focus on corporate banking users. 
We can confirm that several thousand users, mostly in Russia and\r\nUkraine, were victims of the Trojan in 2013.\r\nWe continue monitoring the threat and will keep you informed of further developments.\r\nThanks to Anton Cherepanov for his thorough analysis of this malware.\r\nList of SHA1s\r\nSource: https://www.welivesecurity.com/2014/02/27/corkow-analysis-of-a-business-oriented-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2014/02/27/corkow-analysis-of-a-business-oriented-banking-trojan/"
	],
	"report_names": [
		"corkow-analysis-of-a-business-oriented-banking-trojan"
	],
	"threat_actors": [
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80400379b3cd04287139d62d3c82763194240ab2.pdf",
		"text": "https://archive.orkl.eu/80400379b3cd04287139d62d3c82763194240ab2.txt",
		"img": "https://archive.orkl.eu/80400379b3cd04287139d62d3c82763194240ab2.jpg"
	}
}