The Katyusha Scanner, a tool used to rapidly and extensively scan websites for SQL injection vulnerabilities, was found for sale on a hacking forum. The tool is based on the open source penetration testing scanner Arachni, but it has been modified to be controlled through a linked Telegram account. How does the Katyusha tool work through Telegram?
Command-and-control (C&C) channels are often the most difficult part of malware or an attack to implement, as the C&C is often required for malware to get software updates, to direct how the malware should attack or to exfiltrate data. The core requirement is that the malware or attack needs to be able to reach the C&C server periodically.
In general, C&C channels have used servers on bulletproof hosting, compromised servers, custom protocols, Tor nodes, Twitter accounts and Google Docs to evade detection over the network. As a result, researchers typically focus on analyzing the C&C connections to determine how the malware or attack operates, which enables them to build detections into network monitoring tools, such as intrusion detection systems, intrusion prevention systems and firewalls.
A recent blog post by Recorded Future discussed the Katyusha Scanner and how it connects to a Telegram account through which the scanner is controlled.
The Arachni scanner evaluates the security of modern web applications, and its SQL injection scanning functionality is incorporated into the Katyusha Scanner. The Katyusha Scanner is reported to use a Telegram account for the C&C functionality because Telegram is a cloud-based instant messaging app that uses strong encryption and has an open API. These are attractive features for a C&C connection, and they could also make it more difficult to differentiate the C&C traffic from legitimate Telegram usage.
The Katyusha Scanner could be configured with a Telegram account that uses the API to post and retrieve commands via the Telegram service. It can be instructed to scan victim hosts by uploading the target list through the Telegram service, after which the rest of the scan is controlled via the Katyusha Scanner.
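One way a defender can act on the two observations above (C&C must be reached periodically, and Telegram C&C blends in with legitimate Telegram use), added here as an example and not taken from the original article or from Recorded Future's report: flag hosts whose Telegram API connections are machine-regular or originate from a segment where no chat client belongs. The log format, the `10.20.0.0/24` server subnet, the thresholds and the use of `api.telegram.org` (Telegram's public Bot API host) as the observed endpoint are assumptions.

```python
import csv, io, ipaddress, statistics
from collections import defaultdict
from datetime import datetime

# Assumption: Telegram API use shows up under this hostname (proxy CONNECT or TLS SNI).
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Assumption: hypothetical server subnet where no chat client should be running.
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample proxy log: timestamp, source IP, destination host.
SAMPLE_LOG = """\
2024-01-15T10:00:00,10.20.0.15,api.telegram.org
2024-01-15T10:00:10,10.30.5.8,api.telegram.org
2024-01-15T10:00:40,10.30.5.8,api.telegram.org
2024-01-15T10:01:01,10.20.0.15,api.telegram.org
2024-01-15T10:01:30,10.20.0.15,updates.example.com
2024-01-15T10:02:00,10.20.0.15,api.telegram.org
2024-01-15T10:03:02,10.20.0.15,api.telegram.org
2024-01-15T10:04:00,10.20.0.15,api.telegram.org
2024-01-15T10:12:05,10.30.5.8,api.telegram.org
2024-01-15T10:45:30,10.30.5.8,api.telegram.org
2024-01-15T11:30:00,10.30.5.8,api.telegram.org
"""

def telegram_findings(log_text, min_events=4, max_jitter=0.2):
    """Map each source IP that contacted the Telegram API to its risk signals."""
    times = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 3 and row[2].strip().lower() in TELEGRAM_API_HOSTS:
            times[row[1].strip()].append(datetime.fromisoformat(row[0].strip()))
    findings = {}
    for src, seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        # Low relative spread between requests suggests automated polling,
        # not a person chatting; require enough events to judge.
        periodic = (len(seen) >= min_events and mean_gap > 0
                    and statistics.pstdev(gaps) / mean_gap <= max_jitter)
        findings[src] = {"server": ipaddress.ip_address(src) in SERVER_NET,
                         "periodic": periodic, "mean_interval": mean_gap}
    return findings

if __name__ == "__main__":
    for src, f in telegram_findings(SAMPLE_LOG).items():
        print(src, f)
```

A host that is both in the server segment and polling at a steady interval is the one to investigate first; a workstation with irregular gaps looks like ordinary Telegram use.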