The Katyusha Scanner, a tool used to rapidly and extensively scan websites for SQL injection vulnerabilities, was found for sale on a hacking forum. The tool is based on the open source penetration testing scanner Arachni, but it has been modified to be controlled through a linked Telegram account. How does the Katyusha tool work through Telegram?
Command-and-control (C&C) channels are often the most difficult part of malware or an attack to implement, because the C&C channel is typically what the malware relies on to receive software updates, to be directed in how it should attack and to exfiltrate data. The core requirement is that the malware or attack must be able to reach the C&C server periodically.
In general, C&C infrastructure has relied on bulletproof hosting, compromised servers, custom protocols, Tor nodes, Twitter accounts and Google Docs to evade detection on the network. As a result, researchers typically focus on analyzing the C&C connections to determine how the malware or attack operates, which enables them to build detections into network monitoring tools, such as intrusion detection systems, intrusion prevention systems and firewalls.
A recent blog by Recorded Future discussed the Katyusha Scanner and how it connects to a Telegram account to gain control of the scanner.
The Arachni scanner evaluates the security of modern web applications, and its SQL injection scanning functionality is incorporated into the Katyusha Scanner. The Katyusha Scanner is reported to use a Telegram account for its C&C functionality because Telegram is a cloud-based instant messaging app that uses strong encryption and has an open API. While these features make Telegram attractive for a C&C connection, they could also make it more difficult to differentiate the C&C traffic from legitimate Telegram usage.
The Katyusha Scanner could be configured with a Telegram account and would then use the Telegram API to post and retrieve commands through the Telegram service. An operator can instruct it to scan victim hosts by uploading a target list via Telegram, and then control the rest of the scan through that same channel.
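The answer above notes that Telegram-based C&C is hard to separate from legitimate Telegram use, which is exactly the problem a defender has to solve. The following Python is an added example, not code from the original answer, Recorded Future, Arachni or the Katyusha Scanner. It runs over a few constructed web-proxy log lines (not real traffic) and scores each source address by three behaviours a scanner driven through the Telegram Bot API would exhibit: regular polling of a bot endpoint for commands, retrieval of a file (the uploaded target list) and posting data back. The method names `getUpdates`, `getFile` and `sendMessage` and the `/file/bot<token>/` download path are real Telegram Bot API conventions; that Katyusha uses precisely these calls is an assumption, as are the log format, the placeholder bot token and the "server network" range in which chat clients are not expected.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not real traffic). Format assumed here:
# "<ISO timestamp> <source IP> <HTTP method> <host> <path>". The bot token
# is a placeholder shaped like a Telegram bot token, not a real token.
SAMPLE_LOG = """\
2017-07-10T09:00:00 10.20.0.15 GET api.telegram.org /bot111111:PLACEHOLDERTOKEN/getUpdates
2017-07-10T09:00:30 10.20.0.15 GET api.telegram.org /bot111111:PLACEHOLDERTOKEN/getUpdates
2017-07-10T09:01:00 10.20.0.15 GET api.telegram.org /bot111111:PLACEHOLDERTOKEN/getUpdates
2017-07-10T09:01:02 10.20.0.15 GET api.telegram.org /bot111111:PLACEHOLDERTOKEN/getFile
2017-07-10T09:01:03 10.20.0.15 GET api.telegram.org /file/bot111111:PLACEHOLDERTOKEN/documents/targets.txt
2017-07-10T09:01:30 10.20.0.15 GET api.telegram.org /bot111111:PLACEHOLDERTOKEN/getUpdates
2017-07-10T09:03:12 192.168.5.40 GET web.telegram.org /
2017-07-10T09:05:11 10.20.0.15 POST api.telegram.org /bot111111:PLACEHOLDERTOKEN/sendMessage
2017-07-10T09:07:45 192.168.5.40 GET web.telegram.org /
2017-07-10T09:45:02 192.168.5.40 GET web.telegram.org /
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+)$")
BOT_RE = re.compile(r"^/bot(?P<token>[^/]+)/(?P<call>[^/?]+)")      # /bot<token>/<method>
FILE_RE = re.compile(r"^/file/bot(?P<token>[^/]+)/")                  # /file/bot<token>/<file_path>


def parse_log(text):
    """Turn log lines into event dicts; token/call are None for non-bot URLs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        token, call = None, None
        fm = FILE_RE.match(m["path"])
        bm = BOT_RE.match(m["path"])
        if fm:
            token, call = fm["token"], "file_download"
        elif bm:
            token, call = bm["token"], bm["call"]
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "host": m["host"], "token": token, "call": call})
    return events


def analyze(events, server_nets, min_polls=3, max_cv=0.25):
    """Score (source, bot token) pairs talking to api.telegram.org.

    A pair is flagged for any of: regular getUpdates polling (coefficient of
    variation of the inter-poll gap <= max_cv), file retrieval, data posted
    back, or a source inside a network where chat clients are not expected.
    """
    nets = [ipaddress.ip_network(n) for n in server_nets]
    by_pair = defaultdict(list)
    for ev in events:
        if ev["host"] == "api.telegram.org" and ev["token"]:
            by_pair[(ev["src"], ev["token"])].append(ev)

    findings = []
    for (src, token), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        polls = [e["ts"] for e in evs if e["call"] == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        reasons = []
        if len(polls) >= min_polls and len(gaps) >= 2 and mean(gaps) > 0 \
                and pstdev(gaps) / mean(gaps) <= max_cv:
            reasons.append(f"regular getUpdates polling every ~{round(mean(gaps))}s ({len(polls)} polls)")
        calls = {e["call"] for e in evs}
        if calls & {"getFile", "file_download"}:
            reasons.append("file retrieved from Telegram (possible target list)")
        if calls & {"sendMessage", "sendDocument"}:
            reasons.append("data posted back to Telegram (possible scan results)")
        if any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append("source is in a server network where chat clients are unexpected")
        if reasons:
            # Log only the numeric bot-id prefix so full tokens never land in alerts.
            findings.append({"src": src, "token_prefix": token.split(":")[0],
                             "score": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG), ["10.20.0.0/24"]):
        print(f"{f['src']} bot {f['token_prefix']} score={f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

Against the constructed sample, the server at 10.20.0.15 is flagged on all four counts, while the workstation browsing web.telegram.org at irregular times is not. The example assumes a proxy that logs full URLs; where only DNS or TLS SNI is visible, the endpoint-based reasons drop away and the regular polling interval from an unexpected host segment is the signal that remains.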