
Katyusha Scanner: How does it work via a Telegram account?

The Katyusha Scanner is based on the open source penetration test scanner Arachni. However, it has been modified to work through Telegram accounts. Nick Lewis explains how it works.

The Katyusha Scanner, a tool used to rapidly and extensively scan websites for SQL injection vulnerabilities, was found for sale on a hacking forum. The tool is based on the open source penetration testing scanner Arachni, but it has been modified to be controlled through a linked Telegram account. How does the Katyusha tool work through Telegram?

Command-and-control (C&C) channels are often the hardest part of malware or an attack tool to build, because the C&C channel is what delivers software updates, directs how the malware should attack and carries exfiltrated data. The core requirement is that the malware must be able to reach the C&C server periodically.

To evade detection on the network, C&C infrastructure has been placed on bulletproof hosting providers and compromised servers, hidden behind custom protocols and Tor, and tunneled through Twitter accounts and Google Docs. As a result, researchers typically focus on analyzing the C&C connections to determine how the malware or attack operates, which lets them build detections into network monitoring tools such as intrusion detection systems, intrusion prevention systems and firewalls.

A recent blog post by Recorded Future discussed the Katyusha Scanner and how it connects to a Telegram account that is used to control the scanner.

Arachni is a scanner for evaluating the security of modern web applications, and the Katyusha Scanner incorporates its SQL injection scanning functionality. Katyusha is reported to use a Telegram account for C&C because Telegram is a cloud-based instant messaging service that uses strong encryption and offers an open API. Those same properties are what make the channel attractive for C&C: the traffic is encrypted and goes to a widely used service, so it is difficult to differentiate the C&C traffic from legitimate Telegram usage.

The Katyusha Scanner is configured with a Telegram account and uses the Telegram API to post and retrieve messages through the Telegram service. The operator uploads the target list through Telegram, instructing the scanner which victim hosts to scan, and then controls the rest of the scan through the same Telegram channel rather than connecting to the scanner directly.


This was last published in February 2018
