
Araneida Scanner: Hackers Utilizing Altered Acunetix Vulnerability Scanner

Threat analysts have recently published findings on the “Araneida Scanner,” a malicious tool built on a cracked copy of Acunetix, a widely used commercial web application vulnerability scanner. The tool has been used for offensive reconnaissance, scraping of user data, and identification of vulnerabilities in target sites for later exploitation. It is sold through Telegram and is in active use by threat actors.

Telegram channels linked to Araneida boast of large-scale compromises, including a claimed takeover of more than 30,000 websites within six months. The investigation traced the Araneida Scanner to a software developer based in Ankara, Turkey. Analysts also uncovered a separate operation running another cracked Acunetix-based scanner whose login panels are in Mandarin, which points to possible involvement of Chinese threat actors.

The investigation began after researchers received intelligence from a partner organization about unusual scanning activity from an IP address already known for earlier attacks. The tool, marketed as “Araneida – WebApp Scanner,” is sold through the domain [araneida(.)co], registered in February 2023. During the investigation it was confirmed that the tool incorporates components of cracked Acunetix software.

Working with Invicti, the parent company of Acunetix, Silent Push confirmed that the tool is built from cracked copies of Acunetix and that the legitimate Acunetix product itself has not been compromised. Araneida is popular among cybercriminals because of its offensive capabilities. Buyers receive a Windows executable that installs the scanner; once installed, it aggressively scans target websites for exploitable vulnerabilities. The scanning is noisy: it issues large numbers of requests to endpoints commonly associated with CMS platforms, which makes the traffic visible in web server logs. The Telegram community around Araneida has close to 500 members and openly promotes illicit uses of the tool.
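The noisy, CMS-path-heavy request pattern described above is something a defender can look for in ordinary web server logs. The following is an added example written for this article, not code from Silent Push, Invicti, or the Araneida operators: it parses combined-format access log lines, groups them by source IP, and flags sources that hit many distinct CMS-fingerprinting paths, receive mostly 404s, and burst above a request-rate threshold. The list of probe paths, the thresholds, and the log lines are all constructed assumptions for illustration; real scanners use far larger wordlists, and the heuristic flags any aggressive scanner (including an authorized one), not Araneida specifically.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format. Generic pattern, not tied to any scanner.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths commonly requested by web-app scanners to fingerprint CMS installs.
# Assumption: a small representative set, not Araneida's actual request list.
CMS_PROBE_PATHS = {
    "/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/wp-json/wp/v2/users",
    "/administrator/", "/user/login", "/.env", "/phpmyadmin/", "/typo3/",
}

# Constructed sample log: one scanner-like source and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Dec/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:04 +0000] "GET /administrator/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:07 +0000] "GET /user/login HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:08 +0000] "GET /typo3/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:09 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:10 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Dec/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Dec/2024:10:01:05 +0000] "GET /static/app.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Dec/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def peak_requests(times, window_s):
    """Largest number of requests from one source inside any window_s-second window."""
    times = sorted(times)
    peak, j = 0, 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_s:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def flag_scanners(lines, min_probes=3, min_404_ratio=0.5, window_s=60, min_rate=10):
    """Return {ip: stats} for sources whose traffic looks like an aggressive
    web-app scanner: at least min_probes distinct CMS probe paths, a 404 ratio
    of at least min_404_ratio, and at least min_rate requests in window_s seconds.
    Thresholds are illustrative assumptions; tune them to the site's normal traffic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        probes = {r["path"] for r in recs if r["path"] in CMS_PROBE_PATHS}
        not_found_ratio = sum(1 for r in recs if r["status"] == 404) / len(recs)
        peak = peak_requests([r["ts"] for r in recs], window_s)
        if len(probes) >= min_probes and not_found_ratio >= min_404_ratio and peak >= min_rate:
            flagged[ip] = {
                "requests": len(recs),
                "probes": len(probes),
                "not_found_ratio": round(not_found_ratio, 2),
                "peak_rate": peak,
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_scanners(SAMPLE_LOG).items():
        print(f"scanner-like source {ip}: {stats}")
```

The visitor at 198.51.100.4 touches one probe path (a real login page) but has no 404s and no burst, so it is not flagged; only the source that sweeps eight CMS paths in ten seconds is. In production, feed the function a rolling window of lines and combine the result with user-agent and geo context before blocking.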

Researchers also found cracked Acunetix scanners hosted on IP addresses that present Mandarin-language login portals and TLS certificates from older Acunetix releases. No definitive link has been established, but the findings raised suspicion of involvement by APT41, a Chinese cyber-espionage group. APT41 has previously been documented using Acunetix for reconnaissance, as reported by the U.S. Department of Health and Human Services.

Tracing the Araneida Scanner to a Turkish developer shows how widely the tool has spread among cybercriminals and why collaborative threat intelligence sharing matters in countering it. The case also illustrates how legitimate security tooling such as Acunetix, once cracked, becomes an offensive capability in the hands of threat actors. Organizations are advised to monitor for aggressive scanning traffic against their web applications and to take proactive measures against the risks posed by cracked tools like Araneida.

In conclusion, the Araneida investigation highlights the persistent threat of legitimate security tools being repurposed by malicious actors, the ongoing challenge organizations face in defending against them, and the need for cooperation and vigilance across the security community.