Threat analysts have reported alarming findings concerning the “Araneida Scanner,” a malicious tool allegedly based on a cracked version of Acunetix, a renowned web application vulnerability scanner.
The tool has been linked to illegal activities, including offensive reconnaissance, scraping user data, and identifying vulnerabilities for exploitation.
The “Araneida Scanner” is being sold on platforms like Telegram and actively exploited by threat actors.
Telegram channels tied to Araneida boast of major cyber exploits, including taking over 30,000 websites in six months.
A recent investigation linked the Araneida Scanner to a Turkish software developer based in Ankara.
Analysts have also uncovered a parallel operation involving another cracked Acunetix-based tool with login panels in Mandarin, suggesting Chinese threat actor involvement.
Background and Initial Discovery
Researchers initiated their investigation after receiving intelligence from a partner organization about unusual scanning activities involving an IP address linked to previous cyberattacks.


The scanner, identified as “Araneida – WebApp Scanner,” is being sold via the domain [araneida(.)co], created in February 2023.
The investigation confirmed that the tool uses components of cracked Acunetix software.


Partnering with Invicti, the parent company of Acunetix, Silent Push verified that the legitimate Acunetix scanner remains unaffected. This attack leverages unauthorized, cracked software versions without Invicti’s involvement.
The Araneida Scanner is widely marketed to cybercriminals for its offensive capabilities:
- Setup Process: Users download a Windows executable file to install the scanner. Once integrated, the tool aggressively scans websites, identifying vulnerabilities for potential exploitation.
- Malicious Features: It generates noisy traffic, making requests to numerous endpoints often tied to CMS platforms.
- Telegram Channel Activity: Araneida’s Telegram community has nearly 500 members and actively promotes the tool’s illegal uses. Members share success stories of website takeovers, stolen credentials, and profits spent on luxury items like sports cars.
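One way to spot the noisy CMS-endpoint probing described above in web server access logs, as an added example that is not from the original report. The CMS path markers, thresholds and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed path markers per CMS family (illustrative, not from the article).
CMS_MARKERS = {
    "wordpress": ("/wp-login.php", "/wp-admin/", "/xmlrpc.php"),
    "joomla": ("/administrator/",),
    "drupal": ("/user/login", "/core/install.php"),
}
# Common/combined log format: client IP, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def cms_family(path):
    """Return the CMS family a request path is typical of, or None."""
    path = path.split("?", 1)[0].lower()
    for family, markers in CMS_MARKERS.items():
        if any(path.startswith(m) for m in markers):
            return family
    return None

def noisy_cms_probers(lines, min_families=2, min_miss_ratio=0.8):
    """Flag client IPs that probe several CMS families and mostly miss."""
    stats = defaultdict(lambda: {"families": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        family = cms_family(path)
        if family is None:
            continue  # ordinary request, not a CMS-specific endpoint
        s = stats[ip]
        s["families"].add(family)
        s["hits"] += 1
        if status in (403, 404):
            s["misses"] += 1
    # A real site runs one CMS, so probing several with mostly 403/404 is scanner-like.
    return {ip: sorted(s["families"]) for ip, s in stats.items()
            if len(s["families"]) >= min_families
            and s["misses"] / s["hits"] >= min_miss_ratio}

# Constructed sample requests (documentation-range IPs), not real traffic.
_REQS = [("203.0.113.7", "/wp-login.php", 404), ("203.0.113.7", "/administrator/", 404),
         ("203.0.113.7", "/user/login", 404), ("203.0.113.7", "/xmlrpc.php", 403),
         ("198.51.100.20", "/wp-login.php", 200), ("198.51.100.20", "/wp-admin/", 200),
         ("198.51.100.20", "/about", 200)]
SAMPLE_LOG = [f'{ip} - - [10/Jan/2025:10:00:0{i} +0000] "GET {p} HTTP/1.1" {st} 153'
              for i, (ip, p, st) in enumerate(_REQS)]

if __name__ == "__main__":
    print(noisy_cms_probers(SAMPLE_LOG))
```

The single-CMS client (a normal WordPress login) is not flagged; only the source touching three CMS families with failed responses is.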
Chinese Threat Actor Links
Researchers identified cracked Acunetix scanners hosted on IPs featuring Mandarin login portals and legacy Acunetix SSL certificates.
These portals, dating back to 2021, offer download links for malicious executables disguised as legitimate tools like “FlkVPN.”
Although no definitive connection has been established, researchers suspect involvement from APT41, a known Chinese cyber-espionage group.
APT41 has a history of exploiting Acunetix for reconnaissance efforts, as highlighted in reports by the U.S. Department of Health and Human Services earlier this year.
This is not the first instance of Acunetix misuse.
- In 2020, Iranian hackers exploited the tool to target U.S. state and election websites.
- In March 2024, Lumen identified an Acunetix scanner facilitating communications between malicious command-and-control servers.
- APT41 has also been reported to rely on Acunetix and other reconnaissance tools for spear-phishing and SQL injection attacks.
Researchers have developed actionable intelligence to help organizations mitigate risks from cracked Acunetix tools.
Silent Push provides detailed feeds containing domains and IPs associated with the Araneida Scanner infrastructure.
The exploitation of cracked cybersecurity tools like Acunetix underscores the double-edged nature of technology. While tools like Acunetix are designed to enhance web security, their misuse by malicious actors poses significant threats.
The discovery of Araneida’s link to a Turkish software developer and its growing influence among cybercriminals highlights the urgent need for vigilance and collaborative threat intelligence-sharing to combat such activities.