I wrote about Darkleech last year, and one question remains – among the anti-forensics features the seller declared was:
– frame delivered to unique users only, no frame on repeat.
So – how does it look for the victim, and how is it implemented?
Since then Linux/Chapro.A was posted on SecLists and analysed by Kaspersky and ESET.
Afterwards Eric Romang provided some details showing that it appears to be a version of the Darkleech module.
And here it appears again: the UnixFreaxJP blog reports a massive attack on the Japanese segment of the Internet.
Well, it’s time to see whether it is DarkLeech and how the anti-forensics is implemented there, from the client PoV 🙂
Ok. Let’s look at any of the servers in the list:
Stage 1. Victim requests the infected page:
If you analyse the page retrieved, it is clean. All content is legit, or at least not malicious…
But after full analysis, let me cheat a bit and draw your attention to the Date and Set-Cookie fields.
Well, at 11:40:12 GMT the request was sent to the Apache server, and Apache responded with a Cookie that has a PHP_SESSION_ID and an expiration date 5 minutes later...
ok 🙂 move on.
Stage 2. Infector appears:
I hope it’s clear to you that browsing the web happens as a SET of HTTP requests. So – the second HTTP request comes to the Apache server already with the Cookie value set:
And the response is:
Sorry for the huge pic, but you have to see it 🙂
Well, what do we have?
Red line – injected code: an iframe that forwards the victim to BHEK2 in this case…
See the pic from Eric Romang’s blog – here [second from top]
The structure is very similar, IMHO. So I think it is Darkleech.
Now – let’s see how it works 🙂
Green line – Cookie updated. Now it has PHP_SESSION_ID with value -1, which will expire only in 7 days.
Stage 3. Full picture:
Ok, now we can combine all that knowledge into one algorithm that the Darkleech coders use for a one-time infection attempt per client:
1. Victim visits the website and is provided with a Cookie that:
– has an expiration date 5 minutes ahead
– has an ID unique per client
2. On the second request the victim passes the Cookie value to the server with Darkleech attached.
– Darkleech responds with an altered webpage that includes the malicious iframe.
– In addition, DarkLeech sets the Cookie ID to -1 and “marks” this client for 7 days against being infected again. Even if its IP changes, because the cookie remains for 7 days 🙂
3. Any following requests from the same IP appear clean for at least 60 mins [still investigating the time limit]. Looks like the IP is also “marked” in some local list.
This is how it looks from the victim’s side..
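The three-stage cookie sequence above is something a proxy or IDS analyst can hunt for in captured traffic. Below is an added example (my own code, not from the original post or from any of the blogs referenced): it takes constructed HTTP exchanges modelled on Stages 1 and 2, measures each Set-Cookie lifetime against the response Date header, and flags a short-lived PHP_SESSION_ID followed by a response that both injects an iframe and re-sets the cookie to -1 for about a week. The dates, cookie ID and iframe URL are constructed sample values.

```python
"""Detect the Darkleech-style one-time-infection cookie sequence in captured HTTP exchanges."""
import re
from email.utils import parsedate_to_datetime

# Constructed sample: two consecutive exchanges from one client, modelled on Stage 1 and Stage 2.
SAMPLE_EXCHANGES = [
    {"request_cookie": None,
     "response_headers": {"Date": "Tue, 05 Mar 2013 11:40:12 GMT",
                          "Set-Cookie": "PHP_SESSION_ID=a1b2c3d4e5; expires=Tue, 05 Mar 2013 11:45:12 GMT; path=/"},
     "body": "<html><body>legit content</body></html>"},
    {"request_cookie": "PHP_SESSION_ID=a1b2c3d4e5",
     "response_headers": {"Date": "Tue, 05 Mar 2013 11:40:13 GMT",
                          "Set-Cookie": "PHP_SESSION_ID=-1; expires=Tue, 12 Mar 2013 11:40:13 GMT; path=/"},
     "body": '<html><body>legit content<iframe src="http://redirector.invalid/x.php" '
             'width="1" height="1"></iframe></body></html>'},
]

COOKIE_RE = re.compile(r"PHP_SESSION_ID=([^;]*)", re.I)
EXPIRES_RE = re.compile(r"expires=([^;]+)", re.I)
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.I)

def cookie_lifetime_seconds(headers):
    """Seconds between the response Date and the Set-Cookie expires attribute, or None if either is missing."""
    m = EXPIRES_RE.search(headers.get("Set-Cookie", ""))
    if not m or "Date" not in headers:
        return None
    expires = parsedate_to_datetime(m.group(1).strip())
    issued = parsedate_to_datetime(headers["Date"])
    return int((expires - issued).total_seconds())

def classify_exchange(exchange):
    """Return the Darkleech stage an exchange matches ('stage1', 'stage2') or None."""
    headers = exchange["response_headers"]
    m = COOKIE_RE.search(headers.get("Set-Cookie", ""))
    if not m:
        return None
    value, lifetime = m.group(1), cookie_lifetime_seconds(headers)
    injected = bool(IFRAME_RE.search(exchange["body"]))
    # Stage 1: no cookie presented, a fresh ID issued, expiry within ~5 minutes, page still clean.
    if exchange["request_cookie"] is None and value != "-1" and lifetime is not None and lifetime <= 600 and not injected:
        return "stage1"
    # Stage 2: cookie presented, server answers with an iframe and marks the client with -1 for ~7 days.
    if exchange["request_cookie"] and value == "-1" and lifetime is not None and lifetime >= 6 * 86400 and injected:
        return "stage2"
    return None

def detect_darkleech_sequence(exchanges):
    """True when a stage-1 exchange is immediately followed by a stage-2 exchange presenting the stage-1 ID."""
    stages = [classify_exchange(e) for e in exchanges]
    for first, second, s1, s2 in zip(exchanges, exchanges[1:], stages, stages[1:]):
        if s1 == "stage1" and s2 == "stage2":
            issued_id = COOKIE_RE.search(first["response_headers"]["Set-Cookie"]).group(1)
            if second["request_cookie"] == f"PHP_SESSION_ID={issued_id}":
                return True
    return False
```

Run against real captures, the same functions can be fed one client's exchanges in order from a proxy log; the 60-minute IP marking from step 3 is not visible in headers and would need a per-IP timeline instead.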
Thx @unixfreaxjp for the original path and for being a good friend. 🙂
Thx to Eric Romang for his blog.
Thx to all researchers who keep their heads up and fight against malware 🙂