CoreWarrior Malware Attacking Windows Machines With Self-replication Capabilities


Malware targeting Windows machines continues to be a significant threat, and it comes in many forms, including viruses, worms, and ransomware.

These malicious programs can infiltrate systems through methods such as “phishing emails,” “infected downloads,” and exploitation of “vulnerabilities.”


Cybersecurity researchers at SonicWall identified that CoreWarrior malware has been actively attacking Windows machines from dozens of IP addresses.

CoreWarrior is a sophisticated and persistent trojan malware. This threat exhibits aggressive self-replication by creating up to “117 copies” of itself within “10 minutes.”

CoreWarrior Malware Attacking Windows

Notably, each of these copies is created with a randomly generated name. CoreWarrior is a “UPX-packed executable” that has been manually modified to resist standard unpacking methods.


Upon execution, it uses the “curl command-line tool” to “POST” data to a specific URL (http://wecan[.]hasthe[.]technology/upload), and it continuously creates and deletes copies of itself after each successful transmission.

The malware establishes backdoor access by binding listeners to an extensive range of ports (“49730-49777” and “50334-50679”) and attempts connections to multiple IP addresses, including “a secondary IP (172.67.183.40).”

Malware is connecting to site and posting data (Source – SonicWall)

Moreover, CoreWarrior hooks into “Windows UI elements” for monitoring purposes. This enhances its “persistence” and “surveillance” capabilities.

This combination of “rapid self-replication,” “network communication,” and “system integration” makes “CoreWarrior” a critical threat to system “security” and “stability.”
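As an added example (not SonicWall's or this article's code), the following Python sketches how a defender could hunt for two of the behaviours described above in endpoint telemetry: one executable (same hash) being written under many random names inside the reported 10-minute window, and a process binding a listener inside the reported port ranges. The event format, the alert thresholds and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Listener port ranges the article reports CoreWarrior binding (page values).
BACKDOOR_PORT_RANGES = [(49730, 49777), (50334, 50679)]
# Assumed alert thresholds: the article reports 117 copies in 10 minutes,
# so 20 same-hash executables within a 10-minute window is an assumed cut-off.
COPY_THRESHOLD = 20
WINDOW = timedelta(minutes=10)

def detect_self_replication(events):
    """Return (host, sha256) pairs where one executable was written to disk
    under COPY_THRESHOLD or more names inside a sliding WINDOW."""
    writes = defaultdict(list)
    for e in events:
        if e["type"] == "file_create" and e["path"].lower().endswith(".exe"):
            writes[(e["host"], e["sha256"])].append(datetime.fromisoformat(e["time"]))
    hits = []
    for key, times in writes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # slide the window start forward
                start += 1
            if end - start + 1 >= COPY_THRESHOLD:
                hits.append(key)
                break
    return hits

def detect_backdoor_listeners(events):
    """Return (host, image) pairs that bound a listener inside the reported ranges."""
    hits = set()
    for e in events:
        if e["type"] == "listen" and any(lo <= e["port"] <= hi for lo, hi in BACKDOOR_PORT_RANGES):
            hits.add((e["host"], e["image"]))
    return sorted(hits)

# Constructed sample telemetry (not real indicators): 25 copies of one binary
# under random names within 25 seconds, plus one in-range and one benign bind.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws01", "time": f"2024-11-12T10:00:{i:02d}",
     "path": f"C:\\Users\\u\\AppData\\Local\\Temp\\{i:08x}.exe", "sha256": "SAMPLE_HASH_A"}
    for i in range(25)
] + [
    {"type": "listen", "host": "ws01", "port": 49750,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\kq8zr2vp.exe"},
    {"type": "listen", "host": "ws01", "port": 135,
     "image": "C:\\Windows\\System32\\svchost.exe"},
]
```

Both detectors are heuristics: a software installer can also drop many executables quickly, so the self-replication hit should be correlated with the process that wrote the files before alerting.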

Besides this, to defeat debugging attempts, it uses the “rdtsc” (‘Read Time-Stamp Counter’) instruction to measure execution time and terminates if a threshold is “exceeded.”

According to the researchers, the malware implements a randomized sleep timer that adjusts based on “connection attempts,” “successes,” and “failures,” which complicates further analysis.

Variables used in sleep determinations (Source – SonicWall)

It also includes “VM” detection capabilities that check for “HyperV containers” so it can avoid execution in controlled environments.

For data exfiltration, the malware uses multiple protocols, including:

  • “FTP” for file transfers
  • “SMTP” for sending emails
  • “POP3” for retrieving emails

All these diverse techniques collectively make the malware more “resilient” to detection and “analysis” while providing flexible options for extracting sensitive information from “infected systems.”
