The hackers-for-hire group DarkCrewFriends has resurfaced and is targeting content management systems to build a botnet. The botnet can be marshalled into service to carry out a variety of criminal activities, including distributed denial-of-service (DDoS) attacks, command execution, information exfiltration or sabotage of an infected system.
Researchers said they observed DarkCrewFriends exploiting an unrestricted file upload vulnerability to compromise PHP servers that run websites. After compromise, a malicious PHP web shell is installed as a backdoor, which in turn sets up a connection to a command-and-control (C2) server using an Internet Relay Chat (IRC) channel, according to Check Point researchers Liron Yosefian and Ori Hamama.
“Many applications allow users to upload certain files to their servers, such as images or documents,” explained the researchers on Thursday in a blog post. “These files can put the system at risk if they are not properly handled. A remote attacker can send a specially crafted request to a vulnerable server and upload an unrestricted file while bypassing the server’s file extension check. This can eventually result in arbitrary code execution on the affected system.”
The exploit for the particular vulnerability being targeted is a zero-day that was created and published by DarkCrewFriends, according to Check Point. Threatpost has reached out for more information on the bug and other details of the campaign.
The web shell on the victim’s server defines either a GET parameter called osc or a GET parameter called anon, and executes a decompressed base64 string, according to the analysis. When researchers decoded the string, they discovered commands to download and execute two .AFF files. .AFF is a spellcheck dictionary file type used by Kingsoft WPS Office and Apache OpenOffice, which are free Office suite applications.
The infection chain. Source: Check Point
“When we downloaded both .AFF files, we saw that those files were actually PHP and Perl files,” the researchers explained. “The hidden file extension is used to avoid detection and confuse the issue.”
These files are both variants of the main malware module, which has a wide range of capabilities, including the ability to execute shell commands; gather information on running services on the host computer; download or upload FTP files; scan open ports; and conduct multiple types of DDoS attacks (including UDP and TCP DDoS, HTTP flood, IRC CTCP flood and more).
“The attackers create a network of botnets by using the IRC protocol to infect connected servers,” the analysts said. “This provides them with a more powerful attack tool and is also used in the traffic services they offer for sale.”
None of the malware binaries had been uploaded to Virus Total, they added.
“Following the various scenarios and attack methods…we conclude that the impact on the victim’s infrastructure can be severe and have significant repercussions,” Yosefian and Hamama concluded.
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.
