Today, we'll shed some light on Pseudo Darkleech.
Sometimes cyber attackers’ modifications attempting to evade detection don't have the desired outcome. In this case, the cyber threat actors responsible for infecting a vulnerable server couldn't hide their tracks from RiskIQ web crawlers.
Because users don't intentionally go to fraudulent pages hosting malware, cyber threat actors compromise legitimate websites with hidden scripts that initiate a network connection to other pages. One of these scripts is called Pseudo Darkleech, a name given to a variation of the well-known Darkleech web server backdoor and traffic hijacker that has been in active use for several years. Sites compromised by Pseudo Darkleech show a characteristic iframe injection that drives visitors to the intended malicious destination, typically a malicious traffic distribution system or a browser exploit kit.
But Pseudo Darkleech is well-known for shapeshifting and masking its appearance to researchers and signature-based defenses by modifying and obfuscating its inject code. Here, however, you can see that detection was not affected. The injected tag set is in the form of an iframe tag within a span tag that supplies negative (off-screen) positioning for the injected code:
Intermingled with the tags are random text strings (cvc, vhgz, nrfn, etc.), which the cyber attacker added recently with the purpose of randomizing the injection. It's been noted and confirmed by external parties that these text strings have broken various detection signatures.
But RiskIQ detection capabilities do not depend on string signature matches and were not fooled by the cyber attacker changes. The content was written flexible enough such that insertion of small bits of additional content amid key elements in the injection did not negatively affect the detection.
Our web crawling infrastructure was then able to take note of details like links, images, and dependent content to reconstruct the sequence that led to the RIG exploit kit found at “[http://rew.]INNOVATIONCONSULTANTS.COM/?w3eKdbGUJR7OCoA=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-.”
When we look inside PassiveTotal, RiskIQ’s cyber threat research tool, we can see that the compromised website pointed to a malicious subdomain of a compromised DNS domain. We can enumerate any subdomains of that domain, and find out the IP(s) they resolve to:
In this case, it's only a single subdomain, "rew." It points to an IP address on which we can pivot to identify other hostnames that have hosted RIG exploit kit in the same timeframe:
Researchers can then use those newly discovered hostnames to audit logs to find related activity and add them to their blocklists in case of future reuse. They can also enumerate WHOIS details for the affected domains to identify the common registrant information and find related domains. Here, we can see two accounts in the above set of domains, "Debra Jaliman <MaryKayKrieger@gmail.com>" and "Michael Jaliman <email@example.com>" that have had their GoDaddy domain holder accounts compromised. It's likely that their full inventory of DNS domains are being abused for hosting crimeware.
With access to the tools and information above, RiskIQ customers know when they're vulnerable to cyber threats like Pseudo Darkleech and are automatically alerted to the presence of malicious redirectors in their environment. Contact us to learn more about this cyber threat and why Digital Risk Monitoring is a crucial part of your cyber security program.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.