Darkleech Campaign Escalates To Breach Thousands More Apache Servers

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Tens of thousands of IPs are serving up the Blackhole exploit kit thanks to Darkleech

More details around the Darkleech malware strikes on Apache web servers have emerged, showing the scope of the campaign is far greater than initially thought.

Otherwise known as the Home Campaign, the attacks stretch back to at least February 2011, infecting Apache web servers run by CPanel and Plesk software with the Darkleech malware.

Apache server attacks

That malicious software adds an iFrame to websites hosted by the infected Apache server, which then serves up the Blackhole exploit kit to visitors.

The kit searches for flaws on the victims’ machines and exploits them to infect users with malware. This is known as a drive-by download attack. The diagram below shows the infection method:

[Diagram: Darkleech infection method]

The malware eventually served up include Pony, which looks to steal login credentials for websites and email accounts, and Nymaim, a ransomware that locks people out of their machines and demands a fee to unlock them.

ESET suggested Pony could have been used to get credentials for the infected servers. Recent Trustwave research found a Pony botnet had acquired 650,000 website credentials.

As noted by security firm ESET, it was initially thought around 2000 IP addresses were serving Blackhole as a result of Darkleech infection, but there are now thousands more.

“The situation actually got much, much worse. Our telemetry data shows that more than 40,000 different IP addresses and domains have been used so far,” ESET said.

“Back in May, 15,000 of those IPs and domains were actively serving Blackhole at the same time.”

ESET found that one network was hit particularly badly, where more than 5000 IP addresses in the network 129.121.0.0/16 were used in the Home Campaign.

Darkleech was installed on web servers initially as hackers compromised CPanel and Plesk software used by many hosting companies.

As noted last month, hackers were actively exploiting a flaw in Plesk, software created by Parallels, which affected older versions. In June, another malware, called Cdorked, was found running on hundreds of servers using the cPanel hosting control panel.

“This malware campaign has many similarities with the CDorked campaign we discussed back in April. Malicious modification of server binaries seems to be a very popular trend for malware distribution,” ESET said in a blog post.

“Given how successful these campaigns have been so far at redirecting massive amounts of visitors it is hardly surprising to see these abuses on the increase.”
