UPDATE – A new Apache module, Linux/Chapro.A, is making the rounds, injecting malicious content including a popular Zeus variant into web pages.
The module was discussed in a post on ESET's Threat Blog by the company's Security Intelligence Program Manager, Pierre-Marc Bureau.
According to the post, an iframe injection ultimately installs a version of Zeus, Win32/Zbot, but also points to a Lithuanian Sweet Orange exploit kit landing page.
The final Zeus payload targets customers of European and Russian banks and tries to trick victims into handing over their account details, including PIN and CVV codes.
The module also has a stealth component that makes it harder for system administrators to spot it during malware scans: it serves malicious content only under the right conditions. Linux/Chapro.A checks the active SSH sessions on the Linux host it is running on and does not serve the injection to visitors coming from any IP address that currently has an SSH session open to the server, on the assumption that such a visitor is an administrator. It also serves its payload only once, declining to inject if the browser has already been served a marker cookie or if that IP address has already received the malicious content.
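The gating conditions above are what make the injection hard to reproduce from an admin's own workstation. The following Python model is an added illustration of those three conditions, written for this article and not code from the module or from ESET's analysis; the `who` output, the client IPs and the cookie name `cf_id` are constructed for the example (the article does not name the real cookie).

```python
import re

# Constructed sample of `who` output on a web server with two admin SSH
# sessions and one local console login. Not taken from ESET's analysis.
SAMPLE_WHO = """\
root     pts/0        2012-12-20 09:14 (203.0.113.7)
deploy   pts/1        2012-12-20 09:20 (198.51.100.23)
www      tty1         2012-12-19 22:01
"""

# Hypothetical marker cookie name; the article does not give the real one.
MARKER_COOKIE = "cf_id"


def ssh_source_ips(who_output: str) -> set:
    """Return the remote IPv4 addresses of logged-in sessions parsed from
    `who` output. Sessions without a remote address (local console) are
    skipped. This is the list the module is described as comparing
    visitors against."""
    ips = set()
    for line in who_output.splitlines():
        m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$", line)
        if m:
            ips.add(m.group(1))
    return ips


class InjectionGate:
    """Models the serve-or-stay-quiet decision described in the article:
    skip visitors from IPs with an SSH session, skip browsers that already
    carry the marker cookie, and serve each IP at most once."""

    def __init__(self, who_output: str):
        self.admin_ips = ssh_source_ips(who_output)
        self.served_ips = set()

    def should_inject(self, client_ip: str, cookies: dict) -> bool:
        if client_ip in self.admin_ips:
            return False  # visitor shares an IP with an SSH session: likely the admin
        if MARKER_COOKIE in cookies:
            return False  # browser already marked on an earlier visit
        if client_ip in self.served_ips:
            return False  # this IP already received the payload once
        self.served_ips.add(client_ip)
        return True


if __name__ == "__main__":
    gate = InjectionGate(SAMPLE_WHO)
    for ip, cookies in [("203.0.113.7", {}), ("192.0.2.50", {}),
                        ("192.0.2.50", {}), ("192.0.2.51", {"cf_id": "1"})]:
        print(ip, cookies, "->", "inject" if gate.should_inject(ip, cookies) else "clean")
```

The practical consequence for responders: fetching the page from the same machine you are SSH'd in from, or re-fetching from an IP or browser that already saw the page, returns clean HTML. Reproduce from a fresh IP with no cookies, capture the first response in full, and compare it with a second fetch.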
“If a user visits an infected website twice from the same IP address, it will only receive the malicious content once. This provides a second, additional method to make the path of infection more difficult to determine,” reads ESET’s write-up.
The security firm adds that given the spread of the attack and its poor detection rates, it’s “very hard for law enforcement agencies to investigate and mitigate,” hinting that the module’s creators may have collaborated with another group to popularize the exploit kit only to sell the infected computers to a group running a Win32/Zbot botnet.
David Harley, a Senior Research Fellow with ESET, clarified the company’s blog post on Linux/Chapro.A earlier this morning, referencing a post from the UnmaskParasites blog, “Malicious Apache Module Injects Iframes,” from earlier this fall. It turns out code from a module discussed in September bears striking similarities to the code analyzed by ESET. Security researcher Eric Romang notes the resemblance on his blog, pointing out that the module ESET has been calling Linux/Chapro.A also goes by the name Darkleech and has been distributed on Russian underground forums for months. Romang compared near-identical strings from both Linux/Chapro.A and Darkleech to support his conclusion. “We were not aware of this material before publishing this blog,” Harley wrote this morning, connecting the two pieces of research.