CoreWarrior Spreader Malware Surge


This week, the SonicWall Capture Labs threat research team investigated a sample of CoreWarrior malware. This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring. Infection Cycle

The malware is a UPX-packed executable that has been manually tampered with and will not unpack using the standard UPX unpacker.

Read more…
Source: Sonicwall


Sign up for our Newsletter


Related:

  • Data breach at IDHS compromises 1M customers

    December 26, 2024

    On April 25, the Illinois Department of Human Services (IDHS) experienced a privacy breach. An outside entity, through a phishing campaign, gained access to multiple employee accounts, and files associated with the accounts. The files included the Social Security numbers (SSNs) of 4,701 customers and three employees. Separately, public assistance account information (name, public assistance account ...

  • Cyberattack on JAL delays some flights, disrupts operations

    December 26, 2024

    Japan Airlines announced on Dec. 26 that its computer network was hit by a cyberattack, which delayed some flights while the company worked to restore the system and resume normal operations. According to JAL, the cyberattack caused a heavy access load to the network equipment connecting internal and external offices from 7:24 a.m. that morning. The ...

  • Analyzing Malicious Intent in Python Code – A Case Study

    December 23, 2024

    Fortinet’s AI-driven OSS malware detection system recently identified two malicious packages: Zebo-0.1.0 on November 16, 2024, and Cometlogger-0.1 on November 24, 2024. Malicious software often masquerades as legitimate code, hiding its harmful features behind complex logic and obfuscation. In this analysis, Fortinet researchers examine the Python scripts behind these two packages, outline their malicious behaviors, and provide ...

  • Cloud Atlas seen using a new tool in its attacks

    December 23, 2024

    Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code. When opened, the document downloads a ...

  • ‘NetWalker’ Ransomware Attacker Gets 20 Years in Prison

    December 21, 2024

    Romanian national Daniel Christian Hulea pleaded guilty to computer fraud conspiracy and wire fraud conspiracy. NetWalker ransomware attacks often targeted the healthcare sector during the COVID-19 pandemic. The attacker obtained nearly 1,600 Bitcoin ransomware payments as a result of his attacks, netting him and another affiliate about $21.5 million. Hulea is being ordered to forfeit these ...

  • Beware Feb. 3, 2025 – Diabolic Ransomware Gang Issues New Attack Warning

    December 21, 2024

    If you thought law enforcement had not only disrupted the LockBit ransomware operation, alongside trolling the criminal gang behind it but taken it out of business altogether, then you are likely in for a shock: LockBitSupp, the group’s alleged leader, has warned LockBit 4 will return next year. In fact, a dark web posting said the ...