Researchers have discovered a new backdoor targeting Apache on cPanel-based servers. The attackers have replaced the Apache binary with a malicious one in a way that makes the compromise nearly impossible to detect.
cPanel is web hosting control panel software used to create and manage domains through a GUI. The back end of the server is administered through WHM (WebHost Manager), while cPanel itself handles per-domain functions such as email, FTP, and directory access. Unlike a typical LAMP installation, cPanel builds and installs Apache outside the system package manager, so the httpd binary cannot be checked against distribution package metadata (with rpm -V, for example); an administrator has to rely on an out-of-band baseline of the binary instead.
While the backdoor itself works the same way as the previously reported versions, the attackers have modified this latest variant with techniques that make it nearly impossible to detect. The earlier detection methods show nothing out of the ordinary on an infected host.
The malware was first detected by Sucuri, a firm focused on defending against Web-based threats through preventive measures and awareness. Sucuri turned to ESET for additional support, and the resulting analysis showed how far criminals have come in their efforts to hijack the core of Apache.
“When attackers get full root access to the server, they can do anything they want. From modifying configurations, to injecting modules and replacing binaries. However, their tactics are changing to make it even harder for admins to detect their presence and recover from the compromise,” commented Sucuri’s Daniel Cid.
The latest effort, ESET says, is “one of the most sophisticated Apache backdoors we have seen so far.”
“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.”
As mentioned, this latest variant of the Apache backdoor works like the previous ones. The goal of the attackers is to direct visitors to the Blackhole Exploit Kit, and it has a creative method of doing so. Victims are selected at random, and each is redirected only once. The attackers have also taken steps to avoid infecting or redirecting administrative users, in order to avoid detection. At the time of its first report, ESET said that hundreds of servers were impacted by this newest variant.
Sucuri’s full report is available online. Both firms continue to explore the attackers' methods and tactics, but the process is slow because the replaced binaries leave so little on disk to examine.
In the meantime, ESET has created a Python tool that helps administrators discover problems. Should it be needed, the tool's output can be submitted to ESET for additional study. The Python script is available here.
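The two checks a practitioner would want after reading the above are a triage of SysV shared memory (the quoted ESET description says everything about the backdoor lives there) and a comparison of the httpd binary against a baseline recorded out of band, since cPanel's Apache is not tracked by a package manager. The script below is an added example and is not ESET's tool or anything from Sucuri; it assumes that the segments worth dumping are those created or last touched by an httpd process, that the host is Linux with /proc/sysvipc/shm and pgrep available, and that a SHA-256 baseline of httpd exists. The /proc/sysvipc/shm table inside it is constructed sample data for testing the parser, not a capture from an infected host.

```python
"""Triage helpers for an in-memory Apache backdoor.

Added example, not ESET's detection script. Assumptions (not from the
article): the backdoor's state sits in a SysV shm segment that only httpd
processes attach, and a known-good SHA-256 of httpd was recorded at install
time and kept off the box.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of /proc/sysvipc/shm (header line, then one row per
# segment). Columns: key shmid perms size cpid lpid nattch uid gid cuid cgid ...
SAMPLE_SHM = """       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      65536   600                  4096  1001  1001      1     0     0     0     0 1371000000 1371000001 1371000000                  4096                     0
         0      98305  1600                 32768  2043  2190      3    99    99    99    99 1371000100 1371000120 1371000100                 32768                     0
 123456789     131074   666                 65536  4500  4500      2  1000  1000  1000  1000 1371000200          0 1371000200                 65536                     0
"""


@dataclass
class ShmSegment:
    key: int
    shmid: int
    perms: int    # mode bits, parsed from the octal column
    size: int
    cpid: int     # creator pid
    lpid: int     # pid of the last shmat()/shmdt()
    nattch: int   # current attach count
    uid: int      # owner uid


def parse_sysvipc_shm(text: str) -> List[ShmSegment]:
    """Parse the /proc/sysvipc/shm table into ShmSegment records."""
    segs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lstrip("-").isdigit():
            continue  # header line or blank
        key, shmid, perms, size, cpid, lpid, nattch, uid = fields[:8]
        segs.append(ShmSegment(int(key), int(shmid), int(perms, 8), int(size),
                               int(cpid), int(lpid), int(nattch), int(uid)))
    return segs


def httpd_segments(segs: List[ShmSegment], httpd_pids: Set[int]) -> List[ShmSegment]:
    """Shortlist segments created by, or last touched by, an httpd process.

    Apache legitimately owns a few (scoreboard, mod_ssl session cache), so this
    is a list to inspect, not a verdict: dump each one and look for anything
    that is not Apache's own data.
    """
    return [s for s in segs if s.cpid in httpd_pids or s.lpid in httpd_pids]


def read_segment(shmid: int, size: int) -> bytes:
    """Attach a segment read-only via libc shmat() and copy its contents out."""
    import ctypes
    libc = ctypes.CDLL(None, use_errno=True)
    libc.shmat.restype = ctypes.c_void_p
    libc.shmat.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
    libc.shmdt.argtypes = [ctypes.c_void_p]
    SHM_RDONLY = 0o10000
    addr = libc.shmat(shmid, None, SHM_RDONLY)
    if addr is None or addr == ctypes.c_void_p(-1).value:
        raise OSError(ctypes.get_errno(), "shmat failed for shmid %d" % shmid)
    try:
        return ctypes.string_at(addr, size)
    finally:
        libc.shmdt(addr)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so a large binary does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches_baseline(path: str, baseline_hex: str) -> bool:
    """Compare httpd against the SHA-256 recorded at install time (assumed to exist)."""
    return sha256_file(path) == baseline_hex.strip().lower()


if __name__ == "__main__":
    import subprocess
    # Assumed paths: cPanel's Apache lives under /usr/local/apache on older installs.
    httpd_bin = "/usr/local/apache/bin/httpd"
    baseline = "0" * 64  # replace with the hash recorded out of band
    print("httpd matches baseline:", binary_matches_baseline(httpd_bin, baseline))
    pids = subprocess.run(["pgrep", "-x", "httpd"], capture_output=True, text=True).stdout.split()
    with open("/proc/sysvipc/shm") as f:
        segs = parse_sysvipc_shm(f.read())
    for s in httpd_segments(segs, {int(p) for p in pids}):
        print(f"shmid={s.shmid} size={s.size} uid={s.uid} cpid={s.cpid} nattch={s.nattch}")
        try:
            out = f"shm-{s.shmid}.bin"
            with open(out, "wb") as fh:
                fh.write(read_segment(s.shmid, s.size))
            print("  dumped to", out)
        except OSError as e:
            print("  could not attach:", e)
```

Run it as root so shmat() is permitted on segments owned by the Apache user; the dumped .bin files are what you would hand to an analyst alongside the tool output the article mentions. A segment whose dump contains URLs, hostnames or request patterns that Apache has no reason to hold is the thing to look for; a binary that no longer matches its baseline is, on its own, grounds to treat the host as compromised.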