By: ThreatLabz

Darkleech Attack Continues To Grow

Analysis

The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that lead to a Blackhole exploit kit (BEK) landing page. Sucuri published a great write-up about the Darkleech infection mechanism on the server side.

We are currently observing a considerable rise in websites being compromised by this attack. The infected websites redirect to a Blackhole Exploit Kit v2 landing page. We identified the following sites as compromised in the past week within observed Zscaler traffic:

The following IPs and websites were observed serving the Blackhole Exploit Kit landing page:

The following pattern was observed in the landing page URL:

\/[a-z0-9]{16,32}\/q.php

We also identified the following user-agent strings when the redirection was made:
 
Java/1.6.0_26
JNLP/1.7.0 javaws/10.21.2.11 () Java/1.7.0_21
JNLP/6.0 javaws/1.6.0_03 (b05) Java/1.6.0_03
JNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26

The user agents found while visiting these infected sites were mainly: MSIE_7_X, MSIE_8_X and MSIE_9_X.
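As an added detection example (not part of the original ThreatLabz post), the following Python snippet applies the landing-page URL pattern and the Java/JNLP user-agent strings above to a few constructed proxy log lines; the tab-separated log format, hostnames and addresses are assumptions made for the example.

```python
import re

# Landing-page URL pattern from the post: a 16-32 char lowercase alphanumeric directory, then q.php
LANDING_RE = re.compile(r"/[a-z0-9]{16,32}/q\.php")

# Java / JNLP user-agents from the post: the redirect was fetched by the Java plugin, not the browser
JAVA_UA_RE = re.compile(r"^(?:Java/|JNLP/)")

# Constructed sample proxy log (hypothetical hosts and addresses), tab-separated:
# client_ip  host  path  user_agent
SAMPLE_LOG = """\
10.0.0.5\tlanding.example.invalid\t/a1b2c3d4e5f6a7b8c9d0e1f2/q.php\tJava/1.6.0_26
10.0.0.5\twww.shop.example.invalid\t/index.html\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
10.0.0.7\tlanding.example.invalid\t/q.php\tJNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26
10.0.0.9\tcdn.example.invalid\t/static/abcdefabcdefabcdef/q.php\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
"""

def parse_line(line):
    """Split one tab-separated log line into a dict (the user_agent field may contain spaces)."""
    client_ip, host, path, user_agent = line.split("\t", 3)
    return {"client_ip": client_ip, "host": host, "path": path, "user_agent": user_agent}

def classify(record):
    """Tag a parsed record: 'landing_url' if the path matches the BEK pattern, 'java_ua' for Java/JNLP agents."""
    tags = set()
    if LANDING_RE.search(record["path"]):
        tags.add("landing_url")
    if JAVA_UA_RE.match(record["user_agent"]):
        tags.add("java_ua")
    return tags

def find_suspects(log_text):
    """Return (host, path, via_java) for every line whose path matches the landing-page pattern.
    A Java/JNLP user-agent on such a request is the stronger signal; a browser UA hitting the
    same path still deserves a look, so both are reported with the flag set accordingly."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        tags = classify(record)
        if "landing_url" in tags:
            hits.append((record["host"], record["path"], "java_ua" in tags))
    return hits

if __name__ == "__main__":
    for host, path, via_java in find_suspects(SAMPLE_LOG):
        print(f"{host}{path}  java_ua={via_java}")
```

Note that the pattern as published is an unanchored substring match, so a legitimate path that happens to contain a long alphanumeric directory followed by q.php would also be flagged; treat hits as leads for review rather than verdicts.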

Upon visiting an infected website, the victim is redirected to a standard BEK v2 landing page, as shown below.
 

The exploit code targets vulnerabilities in multiple plugins, including Adobe PDF and Java, when run in IE, allowing the attacker to execute malicious code in the context of the application. Deobfuscating the PDF exploit reveals the final URL used for the redirection, as shown in the image below. However, this URL was not accessible (404 error response) at the time of writing, so it was not possible to retrieve the malicious binary.

Upon revisiting some of these compromised websites, we found that the pages were no longer serving the injected code. This provides a clue: the attackers probably choose random sites running Apache web servers that are vulnerable to the Darkleech exploit, infect them only for a brief period of time, and then clean them up. Hence, tracking Darkleech infections can be a challenging task. For further details on the vulnerability and how the server can be patched, please refer to CVE-2012-1557.