Corporate Network Killer: DarkCracks Malware Campaign Hijacks Servers

The first signs of compromise appear only months after the attack.

Security researchers from the Chinese company QiAnXin have uncovered a sophisticated new malware campaign called DarkCracks, which uses compromised GLPI and WordPress websites to distribute malicious downloaders and manage infected devices. The campaign was identified while analyzing suspicious files submitted to VirusTotal, where it was noticed that no antivirus engine detected them.

DarkCracks is a malware delivery and update system designed to exploit breached devices over the long term. Malicious components are planted on public websites such as school portals, reservation systems, and urban transportation systems. Infected devices act as nodes that spread the malware further and control other infected devices.

The DarkCracks infection chain is complex and sophisticated: the attack begins by uploading malicious files to the target servers, which then download and run additional components. These components are responsible for collecting data from infected devices, maintaining long-term access, and covert management. The attack mainly targets high-performance devices that can serve as command-and-control (C2) servers and download new versions of the malicious files.

A distinguishing feature of the DarkCracks campaign is its ability to disguise itself and its resistance to detection. Many malware components went undetected throughout the year. Despite the researchers' attempts to analyze every element, some parts of the system remain unrecovered, in particular the main component called Launcher, which is responsible for launching the attack processes.

One of the unusual findings was the use of a decoy file named "김영미이력서" (a Korean file name meaning a person's résumé), which suggests phishing aimed at Korean users. This password-protected document was uploaded to one of the servers involved in the campaign.

The investigation began in June 2024, when the QiAnXin team detected suspicious traffic originating from an IP address belonging to a GLPI system. It was subsequently determined that the attackers used the compromised servers to serve malicious files, hiding their activity behind multi-layered cloaking and updating mechanisms.

Nevertheless, despite the careful masking and the use of advanced data encryption techniques, QiAnXin was able to identify the components of the system and understand the basic logic of its operation. The malware delivery system works on the principle of three-level URL checking: if the main server goes down, the downloader falls back to backup locations for its components.

The researchers urge IT system administrators to pay increased attention to suspicious processes on servers, especially systems related to IT asset management and web content, such as GLPI and WordPress. To protect against such threats, it is recommended to update software regularly, install security patches, and check logs for suspicious network traffic.

DarkCracks is another reminder that attackers continue to develop increasingly complex and hard-to-detect systems for intrusion and data theft, so protecting corporate networks requires constant improvement and vigilance.
