
Coreshell

Posted: May 13, 2019

Coreshell is a Trojan downloader developed and used by the Fancy Bear (APT28) group, a team of hackers believed to operate from Russia. Fancy Bear's targets have almost always been military and government organizations, and there are strong suspicions that the group is linked to the Russian government.

The Coreshell downloader is an updated version of another tool that Fancy Bear often uses in its campaigns, Sourface. Both threats serve the same purpose, but Coreshell has been improved considerably in its anti-debugging and AV (antivirus) evasion techniques. Coreshell is designed to work as a first-stage downloader: it transmits basic system information to the attackers and retrieves a second-stage payload according to their instructions. Using the anti-debugging and AV evasion checks mentioned above, the downloader can abort the attack chain if it determines that the infected host is likely to be a malware-debugging or analysis environment.

Downloaders often collect several kinds of information about the compromised host, giving the attackers a better understanding of the target they are about to deal with. Coreshell, however, sends only a list of running processes to the attackers' server and, in return, receives a payload to deploy.
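The two paragraphs above describe a first-stage flow: enumerate running processes, abort if the host looks like an analysis environment, otherwise beacon the process list and let the operator decide which second-stage payload (if any) comes back. The following Python model illustrates that flow. It is an added example, not Coreshell's code, and does not reflect Coreshell's real process list, beacon format or server-side logic; the analysis-tool names, the JSON beacon, the `outlook.exe` targeting rule and the placeholder payload are all assumptions made for illustration.

```python
"""Illustrative model of a first-stage downloader's decision flow.

Added example, not Coreshell's implementation. The tool names, beacon
format and operator policy below are assumptions for illustration only;
nothing here touches the network.
"""
import json
from typing import Iterable, List, Optional

# Hypothetical set of image names a downloader might treat as evidence of a
# malware-analysis host (assumption; not Coreshell's actual list).
ANALYSIS_TOOLS = frozenset({
    "ollydbg.exe", "x32dbg.exe", "x64dbg.exe", "windbg.exe",
    "idaq.exe", "idaq64.exe", "procmon.exe", "procexp.exe",
    "wireshark.exe", "fiddler.exe",
})


def normalize(names: Iterable[str]) -> List[str]:
    """Lower-case, de-duplicate and sort image names.

    Windows reports image names with inconsistent casing, so comparisons
    against ANALYSIS_TOOLS must be case-insensitive.
    """
    return sorted({n.strip().lower() for n in names if n.strip()})


def analysis_tools_present(processes: Iterable[str]) -> List[str]:
    """Return the analysis tools found in the process list (empty if none)."""
    return sorted(set(normalize(processes)) & ANALYSIS_TOOLS)


def build_beacon(processes: Iterable[str]) -> Optional[bytes]:
    """Implant side: return the beacon body, or None to abort the chain.

    The beacon deliberately carries nothing but the process list, mirroring
    the behaviour described on this page. When an analysis tool is running
    the downloader stays silent instead of beaconing, which is what makes
    such samples look inert in an instrumented sandbox.
    """
    if analysis_tools_present(processes):
        return None
    return json.dumps({"procs": normalize(processes)}).encode("utf-8")


def parse_beacon(beacon: bytes) -> List[str]:
    """Server side: recover the process list from a beacon body."""
    return list(json.loads(beacon.decode("utf-8"))["procs"])


def c2_decide(beacon: bytes) -> Optional[bytes]:
    """Operator-side policy (assumption): hand out a second stage only to
    hosts that look like real user workstations, here approximated by a
    running mail client. Returns None when the host is not worth staging."""
    procs = parse_beacon(beacon)
    if "outlook.exe" in procs:
        return b"STAGE2-PAYLOAD-PLACEHOLDER"  # hypothetical payload bytes
    return None


if __name__ == "__main__":
    # Constructed sample process lists, not captured from a real host.
    sandbox = ["explorer.exe", "svchost.exe", "OllyDbg.EXE"]
    victim = ["Explorer.exe", "svchost.exe", "outlook.exe", "winword.exe"]
    print("sandbox beacon:", build_beacon(sandbox))
    beacon = build_beacon(victim)
    print("victim beacon: ", beacon)
    print("stage 2:       ", c2_decide(beacon))
```

From the defender's side the useful point is the inverse of the implant's check: an outbound request whose body is nothing more than a list of process names is a small, specific artifact to hunt for in proxy logs, and a sandbox that runs under a renamed or absent debugger will see the beacon that an instrumented one never does.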

Fancy Bear's campaigns involving Coreshell have been carried out through spear-phishing emails carrying a malicious document attachment. This is one of the most common propagation methods cyber criminals employ, and Fancy Bear's campaigns are a good reminder of why all government and company employees should be familiar with basic security practices and pay extra attention to the files they open and download.
