The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. The Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that lead to a Blackhole Exploit Kit (BEK) landing page. Sucuri published a great write-up about the Darkleech infection mechanism on the server side.
We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the Blackhole Exploit Kit v2. We identified the following sites being compromised in the past week within observed Zscaler traffic:
The following list shows the IPs and websites observed serving the Blackhole Exploit Kit landing page.
The following pattern in the URL was observed:
We also identified the following user-agent strings when the redirection was made:
JNLP/1.7.0 javaws/10.21.2.11 () Java/1.7.0_21
JNLP/6.0 javaws/1.6.0_03 (b05) Java/1.6.0_03
JNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26
The user agents found while visiting these infected sites were mainly: MSIE_7_X, MSIE_8_X and MSIE_9_X.
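The user-agent strings above are a useful detection hook: a request carrying a JNLP/javaws user agent from a client that, moments earlier, was browsing with Internet Explorer is the client-side trace of a page handing off to Java Web Start, which is how the redirections in this post were observed. The following is an added example (not Zscaler's code or tooling) that parses constructed proxy log lines, recognises the JNLP user-agent shape quoted above, and correlates each JNLP request with a preceding IE page view from the same client. The log format, the 30-second correlation window, and all hosts, paths and addresses are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log lines for this example: timestamp, client IP,
# quoted user agent, requested URL. Hosts, paths and addresses are placeholders.
SAMPLE_LOG = """\
2013-05-13T10:00:01 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" http://compromised-site.example/index.php
2013-05-13T10:00:03 10.0.0.5 "JNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26" http://landing-page.example/placeholder-path
2013-05-13T10:05:00 10.0.0.7 "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0" http://news-site.example/
2013-05-13T11:00:00 10.0.0.9 "JNLP/1.7.0 javaws/10.21.2.11 () Java/1.7.0_21" http://intranet.example/app.jnlp
"""

# Assumed log layout: <timestamp> <client> "<user agent>" <url>
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
# Shape of the Java Web Start user agents quoted in the post.
JNLP_RE = re.compile(r'^JNLP/(\S+) javaws/(\S+) \(([^)]*)\) Java/(\S+)$')
MSIE_RE = re.compile(r'MSIE (\d+)\.\d')


def parse_log(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, ua, url = m.groups()
        entries.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "ua": ua,
            "url": url,
        })
    return entries


def classify_ua(ua):
    """Return ('jnlp', java_version), ('msie', major_version) or ('other', None)."""
    m = JNLP_RE.match(ua)
    if m:
        return "jnlp", m.group(4)
    m = MSIE_RE.search(ua)
    if m:
        return "msie", int(m.group(1))
    return "other", None


def find_jnlp_activity(entries, window=timedelta(seconds=30)):
    """Flag Java Web Start requests and correlate each with the most recent IE
    page view from the same client inside the window (30 s is an assumption)."""
    last_ie = {}  # client -> (time, url, IE major version) of its latest IE request
    correlated, uncorrelated = [], []
    for e in sorted(entries, key=lambda x: x["time"]):
        kind, info = classify_ua(e["ua"])
        if kind == "msie":
            last_ie[e["client"]] = (e["time"], e["url"], info)
        elif kind == "jnlp":
            prev = last_ie.get(e["client"])
            if prev and e["time"] - prev[0] <= window:
                correlated.append({"client": e["client"], "java": info,
                                   "preceding_page": prev[1], "ie_major": prev[2],
                                   "url": e["url"]})
            else:
                uncorrelated.append({"client": e["client"], "java": info,
                                     "url": e["url"]})
    return correlated, uncorrelated


if __name__ == "__main__":
    hits, others = find_jnlp_activity(parse_log(SAMPLE_LOG))
    for h in hits:
        print("ALERT: %(client)s launched Java %(java)s via JNLP right after "
              "IE%(ie_major)d viewed %(preceding_page)s -> %(url)s" % h)
    for o in others:
        print("INFO: %(client)s JNLP request (Java %(java)s) to %(url)s "
              "with no preceding IE page view" % o)
```

Correlated hits are the ones worth a closer look at the preceding page; the uncorrelated JNLP requests still tell you which clients run Java Web Start and which Java version they carry, which is useful for prioritising patching.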
Upon visiting an infected website, it redirects to a standard BEK v2 landing page as shown below.
The exploit code targets vulnerabilities in multiple plugins, including Adobe PDF and Java, when run in IE, allowing the attacker to execute malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection, as shown in the image below. However, this URL was not accessible (404 error response) at the time of writing, so it was not possible to retrieve the malicious binary file.
Upon revisiting some of these compromised websites, we found that the pages were no longer serving the injected code. This provides a clue. The attackers probably choose random sites running Apache web servers that are vulnerable to the Darkleech exploit, infect them only for a brief period of time, and then clean them up. Hence tracking Darkleech infections can be a challenging task. For further details on the vulnerability and how the server can be patched, please refer to CVE-2012-1557.