The pseudo-Darkleech campaign, one of the long-standing prominent distributers of ransomware, is expected to remain strong in 2017, after going through a series of important changes last year, Palo Alto Networks researchers warn.
Throughout 2016, the campaign’s operators showed increased flexibility, as they managed to adapt to the multiple changes that took place in the exploit kit (EK) and ransomware landscapes. The actors transitioned to new ransomware families and moved to new EKs when those in use went down, the security researchers revealed.
Regardless of these changes, however, the infection pattern associated with the pseudo-Darkleech campaign remains the same. When a victim visits a compromised website with a malicious injected script, they are redirected to an EK landing page designed to fingerprint the computer to find vulnerable applications and exploit them, after which the machine is infected with ransomware.
The campaign abuses legitimate websites that have been compromised and injected with a script that is “a large block of heavily-obfuscated text that averaged from 12,000 to 18,000 characters in size.” In July, however, the script no longer used obfuscation but “became a straight-forward iframe” with a span value that puts it outside the viewable area of the browser’s window.
In some instances, the pseudo-Darkleech campaign was observed using a redirection gate between the compromised website and the EK landing page, but the Palo Alto security researchers reveal that the cases where the injected script leads directly to the EK landing page are more frequent.
In the beginning of 2016, the campaign was using the Angler EK to deliver CryptoWall ransomware, and continued to use this EK until June, although it switched to TeslaCrypt and then CryptXXX as the final payload. Starting June, the campaign moved to Neutrino and continued to drop CryptXXX, but switched to CrypMIC in August. In September, the operators moved to the RIG EK to deliver CrypMIC, but then switched to the Cerber ransomware.
What these changes revealed was the pseudo-Darkleech operator’s ability to quickly adapt to major threat landscape changes to ensure they continue to be relevant and to keep the attack levels high.
The Angler EK disappeared in June after 50 people were arrested in Russia in association with the use of Lurk malware, and it didn’t take long for the pseudo-Darkleech campaign to move on to Neutrino. What’s more, the campaign switched to RIG soon after Neutrino’s activity came to a near stop in September, Palo Alto security researchers note.
Changes in the malicious payload too can be associated with the rise of several ransomware families. Pseudo-Darkleech kicked off 2016 dropping CryptoWall, but moved to TeslaCrypt in February. In April, when TeslaCrypt closed shop, the campaign started distributing CryptXXX, but switched to CrypMIC in August. For the past three months, the campaign has been distributing the Cerber ransomware, which has been increasing activity as of late.
“With the recent rise of ransomware, we continue to see different vectors used in both targeted attacks and wide-scale distribution. EKs are one of many attack vectors for ransomware. The pseudo-Darkleech campaign has been a prominent distributer of ransomware through EKs, and we predict this trend will continue into 2017. Domains, IP addresses, and other indicators associated with this campaign are constantly changing,” the security researchers conclude.