Darkleech campaigns, which have been around since 2012, infect users by redirecting them to different malware exploit kit pages. Recently, Darkleech injected code has evolved from large blocks of highly obfuscated script to more straightforward iframes with no obfuscation. How has Darkleech been changing its operations, and what new patterns should researchers be looking for?
Darkleech started out as a malicious Apache module in 2012 and developed into pseudo-Darkleech, which also attacked Internet Information Server sites. Pseudo-Darkleech compromised insecure WordPress installs and injected malicious PHP code to set up its redirection infrastructure. Pseudo-Darkleech -- referred to as Darkleech for the rest of the article -- has changed how it uses domain name system names to evade detection.
Darkleech has used that infrastructure to redirect a victim to a webpage hosting a malware exploit kit, which began with Angler and later changed to the Neutrino exploit kit. It first distributed CryptoWall and later began spreading CryptXXX ransomware through the exploit kit. Each individual component can be swapped out when a compromised website is taken down or the malware starts being detected, and each component can be developed or operated by different parts of an organized group or a network of criminals.
One of the changes to the Darkleech campaign reported by SANS Internet Storm Center handler Brad Duncan is the shift to using a simpler iframe to execute the next step in the attack and load the malware exploit kit. The Darkleech authors' decision to stop using highly obfuscated script could be due to a determination that their obfuscation wasn't preventing analysis of their malware and was potentially even making the injected code easier to detect. Essentially, the kit was dumbed down and streamlined because it had more functionality than it needed to get around today's antimalware defenses.
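Because the injected code is now a plain iframe rather than obfuscated script, a site owner can triage pages by listing iframes that point off-site. The following is an added example, not code from the article or from any of the researchers it cites; the sample HTML and hostnames are constructed placeholders.

```python
# Added example (not from the article): list <iframe> tags in a page and flag
# those whose src points to a host other than the site's own, since injected
# redirector iframes typically point off-site. Sample HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def offsite_iframes(html, site_host):
    """Return iframe src values whose host differs from site_host.

    Relative URLs have no host and are treated as same-site, so they are
    not reported; scheme-relative URLs (//host/path) are resolved by urlparse.
    """
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            flagged.append(src)
    return flagged


# Constructed sample: one same-site iframe and one injected off-site iframe.
SAMPLE_HTML = """<html><body>
<iframe src="/widgets/player.html" width="300" height="200"></iframe>
<p>page content</p>
<iframe src="http://redirector.example.invalid/gate.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in offsite_iframes(SAMPLE_HTML, "www.example.com"):
        print("review:", src)
```

Hits are candidates for manual review, not confirmed infections; legitimate third-party embeds (video players, ad units) will also appear and should be allowlisted per site.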
For enterprises or researchers investigating Darkleech, Palo Alto Networks has released indicators of compromise in a blog post. Duncan reports the ransomware message informing the victim of the attack hasn't changed, so that could be an additional indicator, but the Tor addresses may change per attack campaign.
Related Q&A from Nick Lewis