The Katyusha Scanner, a tool used to rapidly and extensively scan websites for SQL injection vulnerabilities, was found for sale on a hacking forum. The tool is based on the open source penetration testing scanner Arachni, but it has been modified to be controlled through a linked Telegram account. How does the Katyusha tool work through Telegram?
Command-and-control (C&C) channels are often the hardest part of malware or an attack tool to implement well, because the operator depends on the channel to push software updates, direct what the malware should attack and exfiltrate data. The core requirement is that the malware or attack tool must be able to reach the C&C server periodically, and keep doing so without being blocked.
Attackers have used bulletproof hosting, compromised servers, custom protocols, Tor, Twitter accounts and Google Docs to host or relay C&C traffic and evade detection on the network. As a result, researchers typically focus on analyzing the C&C connections to determine how the malware or attack operates, which lets them build detections into network monitoring tools, such as intrusion detection systems, intrusion prevention systems and firewalls.
A recent blog post by Recorded Future described the Katyusha Scanner and how it connects to a Telegram account through which the operator controls the scanner.
Arachni is an open source scanner that evaluates the security of modern web applications; the Katyusha Scanner reuses its SQL injection scanning functionality. The Katyusha Scanner is reported to use a Telegram account for its C&C channel because Telegram is a cloud-based instant messaging service that uses strong transport encryption and offers an open bot API. Those same properties are what make Telegram attractive as a C&C channel: the traffic is encrypted to a popular, legitimately used service, so defenders have a harder time differentiating the scanner's C&C traffic from ordinary Telegram usage.
The Katyusha Scanner is configured with a Telegram account and uses the Telegram API to post status and retrieve commands through the Telegram service. The operator instructs it to scan victim hosts by uploading the target list through Telegram; the Katyusha code then drives the rest of the scan locally, reporting back over the same channel.
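The answer above notes that Telegram C&C is hard to tell apart from legitimate Telegram use, and that researchers turn what they learn about a C&C channel into network detections. The following Python sketch is an added example written for this page; it is not code from the Katyusha Scanner, Arachni or the Recorded Future report. It assumes a TLS-inspecting proxy that records full URLs (format: time, source IP, verb, URL, status), a hypothetical server subnet of 10.20.0.0/16, and arbitrary tuning thresholds. The log lines and the bot tokens in them are constructed for the example. It relies only on the published shape of Telegram Bot API URLs (`api.telegram.org/bot<id>:<secret>/<method>` and `/file/bot<id>:<secret>/<path>`), and flags hosts that poll `getUpdates` on a machine-like cadence, move files through the bot API, or use the bot API from a server subnet at all.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Published shape of Telegram Bot API URLs:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
#   https://api.telegram.org/file/bot<bot_id>:<secret>/<file_path>   (file downloads)
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/(?P<file>file/)?bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<rest>[^?]*)"
)

# Tuning values are assumptions for this example, not published thresholds.
SERVER_NETS = [ip_network("10.20.0.0/16")]   # hypothetical web/app server subnet
MIN_POLLS = 4                                # getUpdates calls needed to judge cadence
MAX_REL_SPREAD = 0.25                        # stdev/mean of poll gaps; lower = more robotic
FILE_METHODS = {"getFile", "sendDocument", "fileDownload"}  # target lists in, results out

# Constructed sample log; the bot tokens are fake placeholders.
SAMPLE_LOG = """\
2017-07-12T10:00:00Z 10.20.0.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/getUpdates?offset=41&timeout=30 200
2017-07-12T10:00:31Z 10.20.0.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/getUpdates?offset=42&timeout=30 200
2017-07-12T10:00:32Z 10.20.0.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/getFile 200
2017-07-12T10:00:33Z 10.20.0.15 GET https://api.telegram.org/file/bot123456789:AAFakeTokenForExampleOnly/documents/targets.txt 200
2017-07-12T10:01:02Z 10.20.0.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/getUpdates?offset=43&timeout=30 200
2017-07-12T10:01:33Z 10.20.0.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/getUpdates?offset=43&timeout=30 200
2017-07-12T10:02:04Z 10.20.0.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/sendDocument 200
2017-07-12T10:00:05Z 192.168.1.77 GET https://web.telegram.org/ 200
2017-07-12T10:00:09Z 192.168.1.77 POST https://web.telegram.org/apiw1 200
2017-07-12T10:07:40Z 192.168.1.77 POST https://web.telegram.org/apiw1 200
2017-07-12T10:03:00Z 192.168.1.80 GET https://api.telegram.org/bot987654321:AAAnotherFakeToken/getUpdates 200
"""


def parse_bot_api_events(log_text):
    """Return (time, src_ip, bot_id, method) for every Bot API request in the log."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _verb, url, _status = line.split()
        m = BOT_API_RE.match(url)
        if not m:
            continue  # ordinary Telegram client traffic or unrelated URL
        method = "fileDownload" if m.group("file") else m.group("rest").split("/")[0]
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, m.group("bot_id"), method))
    return events


def poll_regularity(times):
    """Relative spread (pstdev/mean) of gaps between polls; None if too few samples."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < MIN_POLLS - 1 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def find_bot_cnc(log_text):
    """Return {src_ip: finding} for hosts whose Telegram use looks like bot-driven C&C."""
    per_host = defaultdict(lambda: {"bots": set(), "methods": set(), "polls": []})
    for when, src, bot_id, method in parse_bot_api_events(log_text):
        h = per_host[src]
        h["bots"].add(bot_id)
        h["methods"].add(method)
        if method == "getUpdates":
            h["polls"].append(when)
    findings = {}
    for src, h in per_host.items():
        reasons = []
        if any(ip_address(src) in net for net in SERVER_NETS):
            reasons.append("bot API use from server subnet")
        spread = poll_regularity(h["polls"])
        if spread is not None and spread <= MAX_REL_SPREAD:
            reasons.append(f"regular getUpdates polling ({len(h['polls'])} calls)")
        transfers = h["methods"] & FILE_METHODS
        if transfers:
            reasons.append("file transfer via bot API: " + ", ".join(sorted(transfers)))
        if reasons:
            findings[src] = {"bot_ids": sorted(h["bots"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, f in find_bot_cnc(SAMPLE_LOG).items():
        print(src, "bot ids", f["bot_ids"], "->", "; ".join(f["reasons"]))
```

Only the bot ID, not the secret half of the token, is kept in the finding, so the output can be shared without leaking a credential that would let someone else read or send through the same bot. Without TLS inspection the URL path is invisible; in that case the same cadence test can still be run on DNS or connection logs for api.telegram.org, which is weaker evidence but still separates a 30-second poller from a person chatting.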
Related Q&A from Nick Lewis
Enterprises have many options for email security best practices, ranging from deploying email security protocols to educating end users on the ...
Cyberattacks often begin with a port scan attack, which attackers use to find exploitable vulnerabilities on targeted systems. Learn how they work ...
Monitoring process memory is one way to combat fileless malware attacks. Here's what you can do to protect your network against these campaigns.