The Katyusha Scanner, a tool used to rapidly and extensively scan websites for SQL injection vulnerabilities, was...
found for sale on a hacking forum. The tool is based on the open source penetration testing scanner Arachni, but it has been modified to be controlled through a linked Telegram account. How does the Katyusha tool work through Telegram?
Command-and-control (C&C) channels are often the most difficult part to implement for malware or an attack, as the C&C is often required for malware to get software updates, to direct how the malware should attack or for exfiltrating data. The core requirement is that the malware or attack needs to be able to reach the C&C server periodically.
In general, C&C servers have used servers hosted on bulletproof hosting, compromised servers, custom protocols, Tor nodes, Twitter accounts and Google Docs to evade detection over the network. As a result, researchers typically focus on analyzing the C&C connections to determine how the malware or attack operates -- enabling them to build detections into network monitoring tools, such as intrusion detection systems, intrusion prevention systems and firewalls.
A recent blog by Recorded Future discussed the Katyusha Scanner and how it connects to a Telegram account to gain control of the scanner.
The Arachni scanner evaluates the security of a modern web application and the SQL injection scanning functionality is incorporated into the Katyusha Scanner. The Katyusha scanner is reported to use a Telegram account for the C&C functionality because Telegram is a cloud-based instant messaging app that uses strong encryption and has an open API. While these are attractive features for a C&C connection, it could make it more difficult to differentiate the C&C traffic from legitimate Telegram usage.
The Katyusha Scanner could be configured with a Telegram account that uses the API to post and retrieve commands via the Telegram service, and it can be instructed to scan victim hosts by uploading the target list using the Telegram service to then control the rest of the scan via the Katyusha scanner.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Web browser security
Related Q&A from Nick Lewis
The Qihoo 360 Core Security team found a Microsoft vulnerability -- named Double Kill -- that affects applications via Office documents. Learn how ... Continue Reading
IBM X-Force found MnuBot -- a new banking Trojan -- manipulating C&C servers in an unusual way. Learn how this is possible and how this malware ... Continue Reading
Researchers at Trend Micro found a new strain of malware -- dubbed FacexWorm -- that targets users via a malicious Chrome extension. Discover how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.