Introduction

I'm used to seeing large blocks of code containing 12,000 to 15,000 characters associated with the pseudo-Darkleech campaign.
Shown above: Start of pseudo-Darkleech injected code from a compromised website.

It's a very distinctive pattern, and it's easy to find if you know what you're looking for. But later in the week, things changed. Now I
Shown above: Start of pseudo-Darkleech injected code from the same website three days later.

Here are Pastebin links for the code before and after the change:

This is an interesting development that deserves more attention.

Background

I've investigated the Darkleech campaign since Sucuri started calling it pseudo-Darkleech back in March 2015, and I've tracked how script associated with this campaign has evolved over time [1]. Earlier this year, pseudo-Darkleech started distributing CryptXXX ransomware [2].
Shown above: A slide from my presentation about exploit kits.

Since February 2016, injected code from the pseudo-Darkleech campaign has been a large block of highly-obfuscated script. It's often more than 12,000 characters long. Back in April 2016, Daniel Wesemann (another ISC handler) posted a two-part diary on how to decode this obfuscated pseudo-Darkleech script [6, 7].

Details

I first noticed the change on Thursday, 2016-06-30 while reviewing compromised websites [8]. Traffic from compromised site gennaroespositomilano[.]it had the typical large block of pseudo-Darkleech injected code on Tuesday [9]. But the same compromised website had much different injected code three days later [10].

Decryption instructions for CryptXXX ransomware sent by the pseudo-Darkleech campaign have remained consistent, despite the recent change of pattern for the campaign's injected script.

CryptXXX decryption instructions use different domains for different campaigns. For example, domains used by CryptXXX samples from the EITest campaign are consistently different than domains used by CryptXXX samples from the pseudo-Darkleech campaign.

Since 2016-06-21, the pseudo-Darkleech CryptXXX samples I've collected have used 2mpsasnbq5lwi37r as the prefix for tor domains in the decryption instructions.
Shown above: Domains from current pseudo-Darkleech CryptXXX decryption instructions.
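Because the tor-domain prefix stays constant while the injected script changes, it makes a handy attribution check when triaging CryptXXX decryption notes. The following is an added example (not code from the diary or from ISC): it pulls 16-character onion-style hostnames out of a note and maps their prefix to a campaign. The prefix-to-campaign table, the gateway suffixes and the sample note are constructed for this example.

```python
import re
from collections import defaultdict

# Tor-domain prefixes observed in CryptXXX decryption instructions, keyed by
# campaign. The pseudo-Darkleech prefix is the one reported in the diary
# (2016-06-21 onward); the table layout itself is an assumption of this example.
KNOWN_PREFIXES = {
    "2mpsasnbq5lwi37r": "pseudo-Darkleech",
}

# Hostname whose leftmost label is a 16-character onion-style identifier
# (base32 alphabet a-z, 2-7) followed by a dot and a suffix such as ".onion"
# or a web-to-tor gateway. Requiring the dot avoids matching ordinary words.
_TOR_HOST_RE = re.compile(r"\b([a-z2-7]{16})\.([a-z0-9.-]+)", re.IGNORECASE)

# Constructed decryption note; gateway suffixes are placeholders, not real ones.
SAMPLE_NOTE = """\
NOT YOUR LANGUAGE? USE https://translate.google.com
Your personal pages:
http://2mpsasnbq5lwi37r.gateway-one.example/ABCD
http://2mpsasnbq5lwi37r.gateway-two.example/ABCD
Tor browser: http://2mpsasnbq5lwi37r.onion/ABCD
Mirror: http://abcdefghijklmnop.onion/ABCD
"""


def extract_tor_prefixes(text):
    """Return the set of 16-character prefixes found in tor-style hostnames."""
    return {m.group(1).lower() for m in _TOR_HOST_RE.finditer(text)}


def attribute_note(text):
    """Map each prefix in a decryption note to a campaign name or 'unknown'.

    Unknown prefixes are returned too, so an analyst can review them instead
    of silently dropping a possible new campaign.
    """
    result = defaultdict(list)
    for prefix in sorted(extract_tor_prefixes(text)):
        result[KNOWN_PREFIXES.get(prefix, "unknown")].append(prefix)
    return dict(result)


if __name__ == "__main__":
    for campaign, prefixes in attribute_note(SAMPLE_NOTE).items():
        print(f"{campaign}: {', '.join(prefixes)}")
```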

Final words

EK-based campaigns usually evolve through small changes. In this case, the pseudo-Darkleech campaign only changed its injected script.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/
[2] https://isc.sans.edu/forums/diary/Angler+Exploit+Kit+Bedep+and+CryptXXX/20981/
[3] https://isc.sans.edu/forums/diary/Neutrino+EK+and+CryptXXX/21141/
[4] https://www.proofpoint.com/us/threat-insight/post/Neutrino-Exploit-Kit-Distributing-Most-CryptXXX
[5] http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/
[6] https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+1/20969/
[7] https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+Part+2/20975/
[8] http://www.malware-traffic-analysis.net/2016/06/30/index.html
[9] http://www.malware-traffic-analysis.net/2016/06/28/index.html
[10] http://www.malware-traffic-analysis.net/2016/07/01/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Privacy advocates take note: Android's full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone's iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

The independent researcher who published the post included exploit code that extracts the disk encryption keys by exploiting two vulnerabilities in TrustZone. TrustZone is a collection of security features within the ARM processors Qualcomm sells to handset manufacturers. By stitching together the exploits, the attack code is able to execute code within the TrustZone kernel, which is an enclave dedicated to sensitive operations such as managing cryptographic keys and protecting hardware.
