The Darkleech campaign: What changes should enterprises be aware of?

Darkleech campaigns, which have been around since 2012, infect users by redirecting them to different malware exploit kit pages. Recently, Darkleech injected code has evolved from large blocks of highly obfuscated script to more straightforward iframes with no obfuscation. How has Darkleech been changing its operations, and what new patterns should researchers be looking for?

Darkleech started out as a malicious Apache module in 2012 and developed into pseudo-Darkleech, which also attacked Internet Information Server sites. Pseudo-Darkleech attacked insecure WordPress installs and injected malicious PHP code to set up its redirection infrastructure. Pseudo-Darkleech — referred to as Darkleech for the rest of the article — has changed how it uses DNS names to evade detection.

Darkleech uses the infrastructure it has built up to redirect a victim to a webpage hosting a malware exploit kit; this began with Angler and later changed to the Neutrino exploit kit. It first distributed CryptoWall and later began spreading CryptXXX ransomware through the exploit kit. Each individual component can be swapped out when a compromised website is taken down or the malware starts being detected, and each component can be developed or operated by different parts of an organized group or a network of criminals.

One of the changes to the Darkleech campaign reported by SANS Internet Storm Center handler Brad Duncan is the shift to a simpler, unobfuscated iframe to load the next step in the attack: the page where the malware exploit kit runs. The Darkleech authors’ decision to stop using highly obfuscated script could be due to a determination that their obfuscation wasn’t preventing analysis of their malware and was potentially even making it easier to detect. Essentially, the injection was dumbed down and streamlined because it had more functionality than it needed to get around today’s antimalware defenses.

For enterprises or researchers investigating Darkleech, Palo Alto Networks has released indicators of compromise in a blog post. Duncan reports the ransomware message informing the victim of the attack hasn’t changed, so that could be an additional indicator, but the Tor addresses may change per attack campaign.
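Because the injected stage is now a plain iframe rather than obfuscated script, a site owner or researcher can hunt for it directly in fetched page source. The following is an added example, not code from the article or from the researchers it cites: it parses HTML with Python's standard library and reports iframes that are hidden by CSS, sized to be invisible, or pointed at a host outside the site's own domain. The sample page and the gate hostname in it are constructed placeholders, not real indicators.

```python
"""Report injected, unobfuscated iframes in fetched HTML (added example).
Flags frames hidden by CSS, sized to be invisible, or sourced from a host
outside the site's own domain; any hit deserves an analyst's attention."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to keep a frame out of the visible viewport.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)

def _tiny(value):
    """True when a width/height attribute renders the frame effectively invisible."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes matching any heuristic."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("external host: " + host)
        if HIDDEN_CSS.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("invisible dimensions")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: a blog page with one legitimate same-site embed and one
# injected 1x1 off-screen iframe pointing at a placeholder gate (not a real IoC).
SAMPLE_HTML = """<html><body><p>Welcome to the blog</p>
<iframe src="https://www.example-blog.test/embed/player" width="640" height="360"></iframe>
<iframe src="http://gate.placeholder.invalid/index.php?id=1" width="1" height="1"
 style="position:absolute; left:-9999px"></iframe>
</body></html>"""
```

Run `find_suspicious_iframes(SAMPLE_HTML, "www.example-blog.test")` to see only the injected frame reported, with all three reasons; on a real site, feed it the HTML as served to a browser, since the PHP injection only appears in rendered output.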
