Darkleech now delivering ransomware

Darkleech, which ESET knows as Chapro, was discussed by the anti-malware company last December. Now ESET has put some figures and details to a specific Darkleech campaign (which it calls the Home Campaign) that has been going on since at least February 2011. Since then, more than 40,000 domains and IP addresses have been compromised and used; and in May 2013 there were 15,000 active Home Campaign websites.

The Home Campaign uses, says ESET researcher Sébastien Duquette, "a modified variant of Darkleech to direct visitors to the Blackhole exploit kit." It starts with the compromise of an Apache webserver with the Darkleech trojan. When a user visits the site, Darkleech injects an iFrame which loads the Blackhole exploit kit from a malicious URL. Blackhole then seeks to compromise the user's PC. "If the exploitation is successful multiple malware components are downloaded on the computer including Pony Loader, Nymaim and Sirefef [aka ZeroAccess]."
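As an added example (not code from the article, ESET or Trustwave), here is a small defender-side check for the injection step described above: it scans the HTML a server actually serves for iframes that point off-site and flags the ones sized or styled so a visitor would never see them. The sample page and its hostnames are constructed for the demonstration.

```python
# Added illustration of a check for server-side iframe injection; not from the article.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _looks_hidden(attrs):
    """True if the iframe is styled or sized so that it never renders visibly."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "1")) <= 1 or int(attrs.get("height", "1")) <= 1
    except ValueError:  # e.g. percentage widths; treat as not hidden
        return False

def find_injected_iframes(html, site_host):
    """Return (src, hidden) for each iframe whose src host differs from site_host.

    site_host is the legitimate host of the page; a hidden off-site iframe is
    the pattern an injected exploit-kit redirect leaves in served HTML."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            findings.append((src, _looks_hidden(attrs)))
    return findings

# Constructed sample: one legitimate embed plus an injected, hidden off-site
# iframe of the kind described above (both hostnames are made up).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.org/video" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/landing.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, hidden in find_injected_iframes(SAMPLE_HTML, "www.example.org"):
        print(("HIDDEN " if hidden else "") + "off-site iframe: " + src)
```

Run it against HTML fetched as an ordinary visitor would see it, since an injecting server module alters responses rather than the files on disk.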

Pony is a botnet. Sirefef is a rootkit. But it's Nymaim, ransomware, that is the most immediately visible effect. It locks the user's PC and demands a payment for its release, with the precise details dependent on the geographic location of the user. In the example quoted by ESET, the user receives a screen purporting to be from the FBI and claiming that illegal activity (such as viewing child pornography) has been monitored and caused the lockdown. A 'fine' of $300 is payable for its release.

ESET believes that the Darkleech infection is effected by first "compromising the CPanel and Plesk (control) panels used by many web hosting companies to manage their networks and sometimes control hundreds or thousands of websites." What it doesn't know is how the control panels are first compromised. 

"We do not know at this time how access to the servers is initially obtained," writes Duquette. "It might simply be through stolen passwords as the Pony Loader trojan contains code to steal credentials for protocols such as FTP and HTTP."

In fact, Trustwave had earlier reported on the efficiency of Pony's password stealing capabilities. On 30 June, researcher Anat Davidi reported that Trustwave had located and was monitoring a Pony C&C server. "This Pony," she said, "was a particularly diligent one and within a few days hundreds of thousands of credentials were stolen from its victims." A total of 650,000 website credentials had been stolen, with Facebook, Yahoo and Google the leading victims. A further 17,000 email accounts were compromised, and 7000 FTP accounts.

If ESET is correct, the Home Campaign is seeding Pony botnets which in turn provide stolen credentials to spread the Home Campaign. "It’s a dangerous world out there," says Davidi about her Pony discovery; "this is a single instance of a single botnet controller showing some pretty big numbers… Watch yourselves, and keep an eye out for those random pwnies running around." It might just stop the Home Campaign getting worse.
