Darkleech – malicious Apache mod anti-forensics – client-side.


I wrote about Darkleech last year, and one of questions remain  – among anti-forensics features of it, that seller declared, were:

– frame delivered to unique users only, no frame on repeat. 

So – How it looks like for victim and how implemented?

Since than Linux/Chapro.A was posted in SecLists and  analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details, that it appear to be version of Darkleech module.

And here it appear again: UnixFreaxJP blog report about massive attack on Japanese segment of Internet.

Well, It’s time to see, is it DarkLeech and how anti-forensics implemented there from client PoV 🙂

Ok. Let’s see on any of servers that in list:

Stage 1. Victim request the infected page:


if You analyse the page retrieved, it clean. All content is legit, or at least not malicious…

But after full analysis, let me cheat a bit and draw Your attention to Date and Set-Cookie fields.

Well, at 11:40:12  GMT request was sent to Apache server. And Apache respond with Cookie, that have PHP_SESSION_ID and Expiration date in 5 minutes...

ok 🙂 move on.


Stage 2. infector appear:

I hope It’s clear to You, that browsing a web go as SET of HTTP requests. So – second HTTP request come to Apache server already with Cookie value set:

Cookie: PHP_SESSION_ID=1345283934

And response is:



Sorry for huge pic, but You have to see it 🙂

Well, what we have?

Red line – injected code. iframe that forward victim to BHEK2 in this case…

See pic from Eric Romang’s blog – here [second from top]

Structure is very similar, IMHO. So I think it is a Darkleech. 

Now – let’s see, how it works 🙂

Green line – Cookie updated. Now it have PHP_SESSION_ID with -1 value, that will expire only in 7 days. 


Stage 3. Full picture:

Ok, now we can combine all that knowledge in one algorithm, Darkleech coders use for one-time infection attempt per client: 

1. Victim visit website, provided with Cookie, that:

    – have expiration date in 5 minutes

    – have ID unique per client

2.  Second request victim pass Cookie value to server with Darkleech attached.

    – Darkleech respond with altered webpage, included malicious iframe.

    – In addition, DarkLeech set Cookie ID to -1 and “mark” this client for 7 days from been infected again. Even if it IP changes, because cookie remain for 7 days 🙂

3.  Any following requests from same IP appear to be clean for at least 60 mins. [still investigating time limit]. Looks like IP also “marked” in some local list. 

       : dle3

This is how it looks like from victim side..


Thx @unixfreaxjp for original path and been good friend. 🙂

Thx Eric Romang for his blog

Thx to all researchers, that You keep head up and fight against malware 🙂

Stay Safe


Leave a comment