CoreWarrior Spreader Malware Surge


This week, the SonicWall Capture Labs threat research team investigated a sample of CoreWarrior malware. This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring. Infection Cycle

The malware is a UPX-packed executable that has been manually tampered with and will not unpack using the standard UPX unpacker.

Read more…
Source: Sonicwall


Sign up for our Newsletter


Related:

  • SonicWall Releases Security Updates for SMA100 NetExtender for Windows (CVE-2024-29014)

    November 27, 2024

    SonicWall has released a security update addressing a vulnerability in the Windows (32 and 64-bit) versions of SonicWall SMA100 NetExtender. SMA100 NetExtender is a virtual private network (VPN) client. This vulnerability tracked as CVE-2024-29014, may allow an attacker to execute arbitrary code when processing an EPC Client update. CVE-2024-29014 was originally assigned a CVSSv3 score of ...

  • Ransomware attack on Blue Yonder disrupts Starbucks, Sainsbury’s, Morrisons

    November 27, 2024

    Starbucks has confirmed that a ransomware attack on software supplier Blue Yonder has disrupted its internal systems for managing employee schedules and tracking work hours. The incident has primarily affected Starbucks’ North American operations, including approximately 11,000 stores across the United States and Canada. Starbucks says the cyberattack has compromised its ability to track baristas’ hours ...

  • Russia-linked hackers exploited Firefox and Windows bugs in ‘widespread’ hacking campaign

    November 26, 2024

    Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs — described as such ...

  • SteelFox Leverages Signed Windows Drivers to Attack Kernel

    November 26, 2024

    This week, the SonicWall Capture Labs threat research team investigated a sample of SteelFox malware. This is bundled with “software activators” for JetBrains and Foxit PDF readers. During installation, they run as a service and use vulnerable signed Windows drivers to exploit and attack the kernel. Secondarily, cryptominers such as XMRig are run in memory via ...

  • Analysis of Elpaco: a Mimic variant

    November 26, 2024

    In a recent incident response case, Kaspersky dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the ...

  • Hackers who inflitrated South African financial system reveal data for a large number people

    November 24, 2024

    A hacking group that claims it fraudulently collected Social Relief of Distress (SRD) grants and infiltrated South Africa’s financial system through credit bureaus has released data appearing to belong to Absa and Standard Bank customers. N4aughtySecGroup contacted the media earlier this month with a warning that it had breached several credit bureaus and used its access ...