Coreshell is a Trojan downloader developed and used by the Fancy Bear (APT28) group, a team of hackers believed to operate from Russia. Fancy Bear's targets have almost always been military and government organizations, and there are strong suspicions that the group is linked to the Russian government.
The Coreshell downloader is an updated version of another tool Fancy Bear often uses in its campaigns, Sourface. Both serve the same purpose, but Coreshell's anti-debugging and antivirus (AV) evasion techniques have been improved considerably. Coreshell works as a first-stage downloader: it transmits system information and retrieves a second-stage payload according to the attackers' instructions. Using those anti-debugging and AV evasion checks, the downloader terminates the attack if it determines that the compromised machine is likely being used for malware debugging and analysis, which keeps the second-stage payload out of an analyst's hands.
Downloaders often collect several kinds of information about the compromised host so that the attackers can better understand the target they are dealing with. Coreshell, by contrast, only sends a list of running processes to the attackers' server and, in return, receives a payload to deploy. Even that narrow data set tells the operators which security and analysis tools are running before they commit a second-stage payload to the host.
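The two paragraphs above describe one procedure: enumerate processes, bail out if the host looks like an analysis machine, otherwise send the process list to the server and wait for the second stage. The script below models that branch so an analyst can check what a sandbox exposes. It is an added example, not Coreshell's own code or logic recovered from a sample: the `tasklist` output is constructed for this example, and the set of debugger and monitoring tool names is an assumption, since the page does not say which names Coreshell checks for. Nothing is sent anywhere; the beacon body is only built and returned.

```python
"""Model of the first-stage logic described above: enumerate processes,
abort if analysis tooling is visible, otherwise build the process-list
beacon.  Added example for auditing a sandbox; not Coreshell's code."""
import re

# Constructed sample of `tasklist` output from a Windows analysis VM
# (made up for this example; not from the article or a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
csrss.exe                      504 Services                   0      4,512 K
explorer.exe                  1860 Console                    1     61,200 K
x64dbg.exe                    2312 Console                    1     88,140 K
Procmon64.exe                 2744 Console                    1    120,004 K
WINWORD.EXE                   3104 Console                    1     96,332 K
"""

# Assumed debugger / monitoring tool names.  The article says Coreshell
# checks for an analysis environment but not which names it looks for;
# these are common tools an analyst would want hidden from a sample.
ANALYSIS_TOOL_NAMES = {
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe", "idaq.exe", "idaq64.exe",
    "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
    "wireshark.exe", "fiddler.exe", "apimonitor-x86.exe", "apimonitor-x64.exe",
}

# One data row of `tasklist`: image name, PID, session name, session#, "N,NNN K".
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> list[str]:
    """Return the image names from `tasklist` text, skipping header and separator lines."""
    names = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            names.append(m.group("image").strip())
    return names


def find_analysis_tools(processes) -> set[str]:
    """Case-insensitive match of running image names against the tool list."""
    return {p for p in processes if p.lower() in ANALYSIS_TOOL_NAMES}


def first_stage_decision(processes) -> dict:
    """Mirror the downloader's branch: abort if tools are visible, else build the beacon.

    The beacon body is the newline-joined process list, the only host data
    the article says Coreshell sends.  It is returned, never transmitted.
    """
    tools = find_analysis_tools(processes)
    if tools:
        return {"action": "abort", "reason": sorted(tools)}
    return {"action": "beacon", "body": "\n".join(processes).encode()}


def audit_sandbox(tasklist_text: str) -> list[str]:
    """Analyst-side use: the visible process names that would make such a downloader bail out."""
    return sorted(find_analysis_tools(parse_tasklist(tasklist_text)))


if __name__ == "__main__":
    # On a real Windows host, feed this the output of `tasklist` instead.
    print("tools a first stage would see:", audit_sandbox(SAMPLE_TASKLIST))
    print(first_stage_decision(parse_tasklist(SAMPLE_TASKLIST)))
```

If `audit_sandbox` returns anything for your analysis VM, a sample with this kind of check will abort before fetching its second stage; renaming or hiding the listed tools, or capturing the beacon on the network side instead of in the guest, is what lets you reach the payload.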
Fancy Bear's campaigns involving Coreshell have been carried out with spear-phishing emails carrying a malicious document. This is one of the most common propagation methods cyber criminals employ, and Fancy Bear's campaigns are a good reminder that government and company employees should be familiar with security best practices and pay extra attention to the files they download and open.