The pseudo-Darkleech campaign is one of the most notorious and ongoing attacks of recent years, making use of major exploit kits to deliver primarily different strains of ransomware.
The campaign has been a bit of a chameleon since it was disclosed in March 2015 by researchers at Sucuri. The latest bit of its shape-shifting involves the elimination of the large blocks of injected script that had been a hallmark of pseudo-Darkleech attacks since February.
“My guess is the injected code was changed to avoid detection. The functionality is still the same,” said Brad Duncan, an incident handler with the SANS Internet Storm Center. “Whether before or after the change, the script is merely designed to send the user’s computer to an EK landing page behind-the-scenes.”
The large block of code ranged between 12,000 and 15,000 characters, most of them numeric, Duncan said. Patterns of code in these attacks have constantly been updated to throw researchers and signature-based defenses off course. In February, the numbers were introduced and at first were separated by spaces, but that soon changed to commas, then semicolons, and eventually asterisks.
On Friday, things changed again when the chunk of numbers was gone and the start of the injected code had changed dramatically, Duncan wrote in a report published last week on the SANS ISC diary. Duncan published before and after snippets on Pastebin.
Duncan said that the large block of numbers helped obfuscate the code, but this was cracked in April.
“But now the pseudo-Darkleech campaign is using a fairly straightforward iframe without any obfuscation,” Duncan wrote.
The changes were spotted last Thursday on a compromised site called gennaroespositomilano[.]it. The site was infected with the Neutrino Exploit Kit moving CryptXXX ransomware, and Duncan said all of the associated behaviors have remained the same, including decryption instructions, despite the change in script. Regardless, any signature-based detections will have to be updated.
“If they were set up to detect the old script, they’ll have to change the signature to detect the new style of injected script,” Duncan said.
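As an added defender-side example (not code from the article, from Duncan's SANS ISC report, or from the Pastebin snippets), the following Python scanner shows what "updating the signature" means in practice: it flags both the old style of injection (a long run of numbers joined by one of the separators the campaign cycled through: space, comma, semicolon, asterisk) and the new style (a plain iframe pointing off the compromised site's own host). The sample pages, the host names and the token threshold are constructed placeholders, not values taken from the campaign.

```python
import re
from urllib.parse import urlparse

# Script bodies and iframe src attributes, matched loosely so minor markup
# variations (attribute order, quoting, case) do not defeat the check.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# A run of integers joined by one of the separators the campaign used
# (space, comma, semicolon, asterisk). Separators are not digits, so the
# pattern cannot backtrack ambiguously on long inputs.
SEP_CHARS = " ,;*"
NUM_RUN_RE = re.compile(r"\d+(?:[ ,;*]\d+)+")


def find_numeric_blobs(html, min_tokens=100):
    """Return one finding per script-embedded numeric run of >= min_tokens.

    The real injections ran to 12,000-15,000 characters; min_tokens is a
    constructed threshold chosen so the sample below trips it, and should be
    tuned against legitimate pages before use.
    """
    findings = []
    for script in SCRIPT_RE.findall(html):
        for match in NUM_RUN_RE.finditer(script):
            run = match.group(0)
            tokens = re.split(r"[ ,;*]", run)
            if len(tokens) >= min_tokens:
                separator = re.search(r"[ ,;*]", run).group(0)
                findings.append(
                    {"separator": separator, "tokens": len(tokens), "chars": len(run)}
                )
    return findings


def find_external_iframes(html, page_host):
    """Return iframe src values whose host differs from the page's own host.

    Relative and same-host iframes are ignored; an absolute src to another
    host is the 'straightforward iframe' shape described in the article.
    """
    external = []
    for src in IFRAME_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            external.append(src)
    return external


def scan_page(html, page_host, min_tokens=100):
    """Run both checks so a detector covers the old and the new injection style."""
    return {
        "numeric_blobs": find_numeric_blobs(html, min_tokens),
        "external_iframes": find_external_iframes(html, page_host),
    }


# Constructed sample pages (placeholders, not captures from the campaign).
PAGE_HOST = "victim-site.example"
OLD_STYLE = (
    "<html><body><p>hello</p><script>var x='"
    + "*".join(str(1000 + i) for i in range(300))  # 300 numbers, '*' separated
    + "';</script></body></html>"
)
NEW_STYLE = (
    '<html><body><p>hello</p>'
    '<iframe src="http://landing.example.invalid/path"></iframe></body></html>'
)
BENIGN = (
    '<html><body><script>var ids=[1,2,3,4];</script>'
    '<iframe src="https://victim-site.example/widget"></iframe></body></html>'
)

if __name__ == "__main__":
    for name, page in (("old", OLD_STYLE), ("new", NEW_STYLE), ("benign", BENIGN)):
        print(name, scan_page(page, PAGE_HOST))
```

The two checks are deliberately independent: a page that drops the numeric blob still trips the iframe check, which is the point Duncan makes about signatures written only for the old script.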
Pseudo-Darkleech is an offshoot of the Darkleech campaigns of 2012, which targeted Apache servers and served up the Blackhole Exploit Kit. By late 2013, after the arrest of Blackhole author Paunch, Darkleech went through several iterations before similar script was used against sites running Microsoft’s IIS webserver rather than Apache, hence the pseudo-Darkleech moniker, courtesy of Sucuri.
In early 2014, pseudo-Darkleech was pointing to sites infected by the Angler Exploit Kit that were pushing CryptoWall and other early ransomware variants. Angler Exploit Kit activity has all but disappeared in recent weeks since the arrest of the gang behind the Lurk malware, and criminal gangs have begun moving operations to the Neutrino Exploit Kit.
By September 2015, the keepers of pseudo-Darkleech began obfuscating script in order to hamper detection before adding the large block of numbers in February. That pattern continues today.
Duncan added that he expects another change soon. In CryptXXX samples coming from these campaigns, Duncan says the prefix for domains hosting decryption instructions is 2mpsasnbq5lwi37r.
“I expect these domains will change sometime within the next week or so,” he wrote.