Cyber Weapon of War That Fits in Your Pocket

July 11, 2017 • Andrei Barysevich

Insikt Group

Telegram-Based SQL Injection Scanner Receives Raving Reviews From Criminals

On April 8, 2017, a Russian-speaking member of a top-tier hacking forum introduced “Katyusha Scanner,” the powerful and fully automated SQLi vulnerability scanner that utilizes the functionality of Telegram messenger and Arachni Scanner, an open-source penetration testing tool.

The released product, coupled with outstanding support and frequent updates, immediately gained popularity and accolades of grateful clients for an intuitive and straightforward interface, as well as incredible performance.

Target List Upload Functionality

Target list upload functionality.

While the hacking process could be controlled using a standard web interface, the unique functionality of Katyusha Scanner allows criminals to upload a list of websites of interest and launch the concurrent attack against several targets simultaneously, seamlessly controlling the operation via Telegram messenger.

Web-Based Control Panel

Web-based control panel.

Katyusha Scanner is offered for $500, but due to unexpectedly high demand, a light version was introduced on May 10, 2017. Featuring slightly limited functionality, the light version is available at a discounted rate of $250 per license.

In the ensuing months, the actor has released seven major updates of Katyusha Scanner. The most recent update, Katyusha 0.8 Pro, was introduced on June 26, 2017, and for the first time is available for rent for $200 per month or as a one-time purchase for $500.

Timeline of Katyusha Scanner

Timeline of Katyusha Scanner improvements.

Interestingly, the name Katyusha was not chosen by chance — it represents an iconic multiple rocket launcher, developed by the Soviet Union during World War II known for inflicting panic in Nazi forces with its stealthy and devastating attacks. Similar to the very lethal weapon conceived 70 years ago, Katyusha Scanner allows criminals to initiate large-scale penetration attacks against a massive number of targeted websites with several clicks using their smartphones.

Live Status Report

Live status report of the scan provided by the developer.

The Pro version offers significantly more robust functionality, not only capable of identification but also establishing a strong foothold within vulnerable web servers and an automatic extraction of privileged information such as login credentials. Upon completion of the scan, Katyusha will display an Alexa web rating for each identified target, providing an immediate visibility into the popularity of the resource and possible profit level in the future.

Identified Vulnerability Report

Identified vulnerability report.

Product Specifications:

Search and export of email/password credentials
Module framework
Multi-threaded and support of concurrent sessions
Telegram messenger interface
Web interface
Automatic dumping of databases
SQLMAP reports
File upload (the list of targeted websites)
Linux/Windows support

Web Shell Module Specifications:

CMS family identification (Bitrix, WordPress, OpenCart, etc.)
Login credentials brute-forcing (concurrent with SQLi scan)
Automatic web shell upload

Scanning Options:

SQL injection (sql_injection) — Error-based detection

  • Oracle
  • InterBase
  • PostgreSQL
  • MySQL
  • MSSQL
  • EMC
  • SQLite
  • DB2
  • Informix
  • Firebird
  • SaP Max DB
  • Sybase
  • Frontbase
  • Ingres
  • HSQLDB
  • MS Access

Blind SQL injection using differential analysis (sql_injection_differential)
Blind SQL injection using timing attacks (sql_injection_timing)

  • MySQL
  • PostgreSQL
  • MSSQL

SQLMAP Data Dumping

SQLMAP data dumping from compromised web server.

The product has received numerous glowing reviews from several buyers.

One actor enthusiastically boasting about the quality of the product and an immediate success in obtaining access to eight web servers wrote in Russian: “Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller.”

Followed by another criminal praising the quality of technical support offered by the developer: “The author has helped with the product setup after the purchase, and (Katyusha) has immediately found SQL vulnerability. Thank you for the great product.”

Conclusion

Despite the fact that SQLi attacks have been around for over 20 years, we are still seeing them successfully being used as common attack vectors by online criminals. Our recent reports of the U.S. Election Assistance Commission (EAC) breach immediately following the U.S. presidential election in 2016 and the following large-scale attack against dozens of government organizations and universities has shown, if conducted properly, SQL injection attacks can still have a devastating effect on organizations.

Common defenses against SQL injection attacks include using parameterized statements as opposed to concatenating strings in code, using object relational mapping frameworks to generate SQL statements, proper escaping of special string characters in input parameters, and sanitizing inputs that appear suspicious.

The availability of a highly robust and inexpensive tool such as Katyusha Scanner to online criminals with limited technical skills will only intensify the compromised data problem experienced by various businesses, highlighting the importance of regular infrastructure security audits.

You can follow Andrei on Twitter at @DeepSpaceEye.

Related Posts