Pseudo-Darkleech Remains Prominent Distributor of Ransomware

The pseudo-Darkleech campaign, one of the long-standing prominent distributors of ransomware, is expected to remain strong in 2017, after going through a series of important changes last year, Palo Alto Networks researchers warn.

Throughout 2016, the campaign’s operators showed increased flexibility, as they managed to adapt to the multiple changes that took place in the exploit kit (EK) and ransomware landscapes. The actors transitioned to new ransomware families and moved to new EKs when those in use went down, the security researchers revealed.

Regardless of these changes, however, the infection pattern associated with the pseudo-Darkleech campaign remains the same. When a victim visits a compromised website with a malicious injected script, they are redirected to an EK landing page designed to fingerprint the computer to find vulnerable applications and exploit them, after which the machine is infected with ransomware.

The campaign abuses legitimate websites that have been compromised and injected with a script that is “a large block of heavily-obfuscated text that averaged from 12,000 to 18,000 characters in size.” In July, however, the script no longer used obfuscation but “became a straight-forward iframe” with a span value that puts it outside the viewable area of the browser’s window.
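A defender-side heuristic for the two inject patterns described above, the oversized obfuscated script block and the iframe pushed outside the viewport. This is an added example written for this page, not Palo Alto's code; the size, whitespace and offset thresholds are assumptions, and the sample HTML is constructed.

```python
import random
import re
import string

# Heuristic thresholds taken from the campaign description above: the
# obfuscated injects averaged 12,000-18,000 characters, and the later
# variant was a plain iframe positioned outside the viewport.
SCRIPT_LEN_THRESHOLD = 12000
WHITESPACE_RATIO_MAX = 0.02   # assumption: obfuscated blobs carry almost no whitespace
OFFSCREEN_PX = 1000           # assumption: negative offsets this large are off-screen

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
STYLE_RE = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.I)
OFFSET_RE = re.compile(r"(?:left|top)\s*:\s*-(\d+)px", re.I)

def whitespace_ratio(text):
    """Fraction of characters that are whitespace (0.0 for empty input)."""
    return sum(ch.isspace() for ch in text) / len(text) if text else 0.0

def is_offscreen(style):
    """True when a negative left/top offset pushes the element out of view."""
    return any(int(px) >= OFFSCREEN_PX for px in OFFSET_RE.findall(style))

def find_indicators(html):
    """Return (kind, detail) tuples for the inject patterns the article describes."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if len(body) >= SCRIPT_LEN_THRESHOLD and whitespace_ratio(body) <= WHITESPACE_RATIO_MAX:
            findings.append(("large_obfuscated_script", len(body)))
    for m in IFRAME_RE.finditer(html):
        style = STYLE_RE.search(m.group(0))
        if style and is_offscreen(style.group(1)):
            findings.append(("offscreen_iframe", style.group(1)))
    return findings

# Constructed sample page (not real campaign content): one benign script,
# one 14,000-character pseudo-obfuscated blob, one iframe pushed off-screen.
_rng = random.Random(7)
BLOB = "".join(_rng.choice(string.ascii_letters + string.digits) for _ in range(14000))
SAMPLE_HTML = f"""<html><head>
<script>function init() {{ console.log("hello"); }}</script>
<script>{BLOB}</script>
</head><body>
<iframe src="http://landing.example/" style="position:absolute;left:-5000px;top:-5000px;width:1px;height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_HTML):
        print(kind, detail)
```

Both checks are heuristics: legitimate minified bundles can exceed the size threshold, so in practice the hits are triage leads to be reviewed alongside the page's outbound requests.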

In some instances, the pseudo-Darkleech campaign was observed using a redirection gate between the compromised website and the EK landing page, but the Palo Alto security researchers reveal that the cases where the injected script leads directly to the EK landing page are more frequent.

At the beginning of 2016, the campaign was using the Angler EK to deliver CryptoWall ransomware, and continued to use this EK until June, although it switched to TeslaCrypt and then CryptXXX as the final payload. Starting in June, the campaign moved to Neutrino and continued to drop CryptXXX, but switched to CrypMIC in August. In September, the operators moved to the RIG EK to deliver CrypMIC, but then switched to the Cerber ransomware.

These changes reveal the pseudo-Darkleech operators’ ability to adapt quickly to major shifts in the threat landscape, ensuring that the campaign stays relevant and that attack levels stay high.


The Angler EK disappeared in June after 50 people were arrested in Russia in association with the use of Lurk malware, and it didn’t take long for the pseudo-Darkleech campaign to move on to Neutrino. What’s more, the campaign switched to RIG soon after Neutrino’s activity came to a near stop in September, Palo Alto security researchers note.

Changes in the malicious payload can likewise be associated with the rise of several ransomware families. Pseudo-Darkleech kicked off 2016 dropping CryptoWall, but moved to TeslaCrypt in February. In April, when TeslaCrypt closed shop, the campaign started distributing CryptXXX, but switched to CrypMIC in August. For the past three months, the campaign has been distributing the Cerber ransomware, whose activity has increased recently.

“With the recent rise of ransomware, we continue to see different vectors used in both targeted attacks and wide-scale distribution. EKs are one of many attack vectors for ransomware. The pseudo-Darkleech campaign has been a prominent distributor of ransomware through EKs, and we predict this trend will continue into 2017. Domains, IP addresses, and other indicators associated with this campaign are constantly changing,” the security researchers conclude.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
