Darkleech campaign resurfaces with new tactics for spreading malware

For several years, the Darkleech malware campaign has been infecting unsuspecting visitors to compromised websites with ransomware and other nasty computer viruses. And now the newest Darkleech iteration is leveraging exploit kits and spam email to target unsuspecting victims.

The best way to protect against Darkleech is to avoid HTML links in emails from unknown senders, and maintain an up-to-date antivirus solution. Business users managing servers can also take several steps to block this malicious campaign.

A brief history of Darkleech
Darkleech is a form of malware that dates back to 2012. In the campaign’s early stages, attackers targeted vulnerabilities in unpatched Apache web servers, as well as web servers that were not protected with a strong password. Once inside the system, they installed virus-laden web server modules designed to spread the infection.

The malware, which quickly expanded its sights to Nginx and Litespeed web servers, compromises a target server at the root level and installs backdoors. That means Darkleech malware will remain persistent on the server even if the server’s owner changes the root password. It also means Darkleech is difficult to detect.

Many businesses started reporting Darkleech infections in 2013. Web servers infected with Darkleech would inject malicious code into server responses when users visit a hosted website. Specifically, infected web servers loaded a malicious iFrame that included Blackhole, an exploit kit that scans computers for known vulnerabilities. When an unpatched security hole is found, Blackhole exploits it to gain access to the visitor’s computer and install the malware.
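The injection described above (an iframe added to otherwise legitimate server responses, loading an exploit-kit landing page from a third-party host) is something a site owner can check for by comparing what the server actually serves with what the site is supposed to embed. The following checker is an added example and not code from the original article or from any of the researchers it cites; the sample HTML, the hostnames in it and the allowlist are all constructed for illustration.

```python
"""Scan an HTML page body for injected iframes that point off-site.

Added example (not part of the original article): Darkleech-style
injections add an iframe to server responses that loads an exploit-kit
landing page from a third-party host. This checker flags iframes whose
src is not on an allowlisted host, or that are hidden via size/style,
so a site owner can compare what the server actually serves with what
the site is supposed to contain.  All sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristics for an iframe meant not to be seen by the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(attrs.get("width", "100"))
        h = int(attrs.get("height", "100"))
    except ValueError:
        return False
    return w <= 1 or h <= 1


def find_suspicious_iframes(html, allowed_hosts):
    """Return a list of (src, reasons) for iframes that warrant review.

    allowed_hosts: hostnames the site legitimately embeds (own domain,
    known widgets). Relative srcs are treated as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host and host.lower() not in allowed_hosts:
            reasons.append("off-site src host: %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a normal page with a legitimate embed plus an
# injected, hidden iframe of the kind described in the article.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://player.example-video.com/embed/1" width="640" height="360"></iframe>
<iframe src="http://landing.example-bad.test/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, {"player.example-video.com"}):
        print(src, "->", "; ".join(why))
```

Run it against the HTML the server returns to a browser (not the files on disk), since a malicious module injects the iframe at response time; the on-disk pages can look clean while every response carries the extra frame.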

But Darkleech has evolved since then. A new iteration of the campaign known as Pseudo-Darkleech emerged in 2014. This offspring injects malicious code into WordPress files. The code points users to a landing page where an exploit kit scans for vulnerabilities, just like the original Darkleech campaign.

Usually, the page with the exploit kit is a subdomain the cybercriminals registered on a hacked GoDaddy account. They pull off that preliminary attack by compromising a GoDaddy website or its Domain Name System (DNS) settings using a technique known as DNS shadowing. Given this evasive technique, it’s no wonder Pseudo-Darkleech paired with Angler exploit kit in 2015 to infect users with the now-defunct TeslaCrypt ransomware.

Angler has since gone off the map, so Pseudo-Darkleech has begun to use new techniques to infect users with ransomware. For instance, in late 2016, security researchers spotted the campaign leveraging spam and malware downloaders to infect users with Cerber, a lucrative ransomware family that’s capable of speaking its ransom note to victims.

Protect your home and business from Darkleech
Users can defend against a Darkleech infection by taking steps to fly under the radar of an exploit kit. Specifically, they should update their systems with the latest software and security patches whenever they become available. It’s also important to maintain an up-to-date anti-virus solution and avoid clicking on suspicious links and email attachments. None of those measures are foolproof, however. That’s why users should also back up their data. When malware attacks, the best way to get your data back is to remove the virus, then download clean versions of your files from backup.

At the same time, server owners should make sure their servers are up-to-date with the latest software and protected with a strong password. They should also look to safeguard their DNS settings and domain name accounts. Cybersecurity firm Sucuri explained the process on their website:

“Constant rotation of the second level domains that hackers create DNS shadows for should serve as a reminder that your site can be hacked not only on your server,” the site reads. “Hackers also look for DNS accounts to make malicious subdomains of your site. So even if you don’t find anything bad on your server, make sure to check if your domain’s DNS settings contain only legitimate records. Don’t forget that your domain name account passwords should be strong and unique.”
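The check Sucuri recommends, confirming that a domain's DNS settings contain only legitimate records, becomes routine once the records the owner knowingly created are kept as a baseline and the live zone is diffed against it. The script below is an added example, not code from the original article or from Sucuri; the zone text is constructed sample data in the common "name TTL class type rdata" layout, and parse_zone() would need adapting to whatever export format a particular registrar or DNS provider produces.

```python
"""Compare a domain's current DNS records with a known-good baseline.

Added example (not part of the original article or of Sucuri's text):
DNS shadowing adds attacker-controlled subdomains to a legitimate zone
while the site itself stays clean. Exporting the zone from the registrar
or DNS provider and diffing it against the records you know you created
reveals such additions. The zone text below is constructed sample data
in the common "name TTL class type rdata" layout; adapt parse_zone() if
your provider exports a different format.
"""
from collections import namedtuple

Record = namedtuple("Record", "name rtype rdata")


def parse_zone(zone_text):
    """Parse lines like 'www 3600 IN A 203.0.113.10' into Records.
    Comments (;) and blank lines are ignored; TTL and class are optional."""
    records = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # Drop an optional TTL and class so the layout becomes: name type rdata
        if len(parts) >= 2 and parts[1].isdigit():
            del parts[1]
        if len(parts) >= 2 and parts[1].upper() == "IN":
            del parts[1]
        if len(parts) < 3:
            raise ValueError("unparseable zone line: %r" % raw)
        name = parts[0].lower().rstrip(".")
        rtype = parts[1].upper()
        rdata = " ".join(parts[2:])
        records.add(Record(name, rtype, rdata))
    return records


def audit_zone(current, baseline):
    """Return (unexpected, missing): records present now but not in the
    baseline, and baseline records that have disappeared."""
    unexpected = sorted(current - baseline)
    missing = sorted(baseline - current)
    return unexpected, missing


def shadow_candidates(unexpected):
    """Filter unexpected records to the address-bearing types that can
    point a subdomain at a host the owner does not control; these are
    the DNS shadowing signature to investigate first."""
    return [r for r in unexpected if r.rtype in ("A", "AAAA", "CNAME")]


# Constructed baseline: records the owner knowingly created.
BASELINE_ZONE = """
@       3600 IN A     203.0.113.10
www     3600 IN A     203.0.113.10
@       3600 IN MX    10 mail.example.com.
mail    3600 IN A     203.0.113.20
"""

# Constructed current export: the baseline plus two records the owner
# never created (the kind of addition the article describes).
CURRENT_ZONE = """
@       3600 IN A     203.0.113.10
www     3600 IN A     203.0.113.10
@       3600 IN MX    10 mail.example.com.
mail    3600 IN A     203.0.113.20
; the two records below are not in the baseline
xk39a   300  IN A     198.51.100.77
login   300  IN CNAME xk39a.example.com.
"""

if __name__ == "__main__":
    unexpected, missing = audit_zone(parse_zone(CURRENT_ZONE), parse_zone(BASELINE_ZONE))
    for r in shadow_candidates(unexpected):
        print("UNEXPECTED", r.name, r.rtype, r.rdata)
    for r in missing:
        print("MISSING", r.name, r.rtype, r.rdata)
```

Because the quoted advice notes that attackers rotate these subdomains constantly, a single audit is of limited value; scheduling the comparison and alerting on any non-empty result is what makes the baseline useful.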

For even more news and information on the fight against ransomware, visit the FightRansomware.com homepage today.
