Change is inevitable for businesses and products, and the same holds for exploit distribution.
After going through a series of changes, the pseudo-Darkleech campaign will continue to distribute ransomware in a robust manner in the coming year, researchers said.
Throughout last year, the campaign’s operators showed increased flexibility, as they adjusted to changes that took place in the exploit kit (EK) and ransomware landscapes, researchers at Palo Alto Networks said in a blog post.
It is all about agility and the operation was able to move to new ransomware families and new exploit kits when others went down, Palo Alto researchers said.
Successful infections by the pseudo-Darkleech campaign have generally followed a set sequence of events, the researchers said. This happens regardless of the exploit kit used or the payload delivered. The sequence is:
• Step 1: Victim host views a compromised website with malicious injected script
• Step 2: The injected script generates an HTTP request for an EK landing page
• Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications
• Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash player)
• Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process
• Step 6: The victim’s host is infected by the malware payload
When a victim visits a compromised website carrying the malicious injected script, they are redirected to an exploit kit landing page that fingerprints the computer for vulnerable applications and exploits them, after which the computer is infected with ransomware.
The campaign abuses legitimate websites that have been compromised and injected with a script that is “a large block of heavily-obfuscated text that averaged from 12,000 to 18,000 characters in size.” In July, however, the script no longer used obfuscation but “became a straight-forward iframe” with a span value that puts it outside the viewable area of the browser’s window.
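The hidden-iframe injection described above lends itself to a simple static check on fetched page content. The following is an added example, not code from the article or from Palo Alto Networks: it scans HTML for an iframe nested inside a span whose inline style pushes it far outside the viewport. The sample page, the placeholder landing-page URL and the assumption that the offscreen placement is done with large negative CSS offsets are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary embedded iframe, plus one iframe wrapped
# in a span whose inline style pushes it out of the browser's viewable area.
# The landing-page domain is a placeholder, not a real indicator.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our site</p>
<iframe src="https://example.com/embedded-video" width="560" height="315"></iframe>
<span style="position:absolute; top:-1500px; left:-1500px;">
  <iframe src="http://ek-landing.example.invalid/index.php?id=1" width="1" height="1"></iframe>
</span>
</body></html>
"""

# Assumption: "outside the viewable area" is implemented with a large negative
# offset (three or more digits) on a positioning or indent property.
OFFSCREEN_RE = re.compile(
    r"(?:top|left|margin-top|margin-left|text-indent)\s*:\s*-\d{3,}px", re.I
)


class HiddenIframeFinder(HTMLParser):
    """Collects src values of iframes that sit inside an offscreen span."""

    def __init__(self):
        super().__init__()
        self.span_stack = []  # one bool per open span: True if its style is offscreen
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "span":
            self.span_stack.append(bool(OFFSCREEN_RE.search(attrs.get("style", ""))))
        elif tag == "iframe" and any(self.span_stack):
            # iframe has at least one offscreen span ancestor: flag it
            self.findings.append(attrs.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "span" and self.span_stack:
            self.span_stack.pop()


def find_hidden_iframes(html):
    """Return the src of every iframe hidden inside an offscreen span."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

The ordinary video iframe is not reported; only the one inside the offscreen span is, which is the pattern a content-inspection proxy or a site-integrity scanner would alert on.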
In some instances, the pseudo-Darkleech campaign used a redirection gate between the compromised website and the EK landing page, but Palo Alto researchers said the cases where the injected script leads directly to the EK landing page are more frequent.
By October 2016, pseudo-Darkleech switched to distributing Cerber ransomware, and it has continued sending Cerber as of early December 2016, Palo Alto researchers said.
The following is a summary of EKs and payloads used by the pseudo-Darkleech campaign in 2016:
• Jan 2016: Angler EK to deliver CryptoWall ransomware
• Feb 2016: Angler EK to deliver TeslaCrypt ransomware
• Apr 2016: Angler EK to deliver CryptXXX ransomware
• Jun 2016: Neutrino EK to deliver CryptXXX ransomware
• Aug 2016: Neutrino EK to deliver CrypMIC ransomware
• Sep 2016: Rig EK to deliver CrypMIC ransomware
• Oct 2016: Rig EK to deliver Cerber ransomware
What these changes revealed was the pseudo-Darkleech operator’s ability to quickly adapt to major threat landscape changes to ensure they continue to be relevant and to keep the attack levels high, the researchers said.