FireEye has analysed the increasingly popular Darkleech hacker toolkit, which first appeared in August of last year, and which has been designed to infect Apache Web servers running the Linux operating system.
Whilst the toolkit was popular in the third quarter of 2012, ITSP notes, security software vendors soon added signatures for the code and the number of successful infections began to peter out.
Now a new variant of the toolkit has appeared, targeting users in the EMEA region; according to Yogi Chandiramani, a systems engineer with FireEye, it is notable for its high attack volume and the speed of the campaign.
Typically, he says, this class of malware is delivered via drive-by downloads. Whilst infections have been bubbling away since May of this year, the toolkit started ramping up in the first week of September, with his research team seeing a surge of more than 2,600pc in a single week.
By vertical market of the infected servers, he notes, the education and financial sectors lead the pack with more than 50pc of all Darkleech events seen in the EMEA region, and the UK, Qatar, Saudi Arabia and Turkey are the countries most affected by these campaigns.
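The article says Darkleech infects Apache servers on Linux but not how an administrator would check a host. Darkleech ran as a rogue Apache module, a detail the article does not spell out, so one cheap host-side check is to compare the modules Apache reports as loaded against a known-good baseline and to flag LoadModule directives whose shared object resolves outside the distribution's module directory. The script below is an added example, not code from FireEye or from the article; the module names, paths and the two text samples are constructed for illustration and the baseline set and module directory are assumptions to be replaced with the real host's values.

```python
"""Baseline check for rogue Apache modules (added example, see lead-in)."""
import posixpath
import re
from typing import Dict, List, Set

# Constructed sample of `apachectl -M` output on a Debian-style host.
SAMPLE_APACHECTL_M = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 rewrite_module (shared)
 php5_module (shared)
 sec2_config_module (shared)
"""

# Constructed sample of LoadModule directives gathered from the config tree,
# e.g. with `grep -rh '^LoadModule' /etc/apache2/`.
SAMPLE_LOADMODULE_LINES = """\
LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule php5_module /usr/lib/apache2/modules/libphp5.so
LoadModule sec2_config_module /usr/lib/apache2/modules/../../../../tmp/.x/mod_sec2_config.so
"""

# Assumed known-good baseline, recorded from the same host before it went live.
BASELINE_MODULES: Set[str] = {
    "core_module", "so_module", "http_module", "mpm_prefork_module",
    "authz_core_module", "dir_module", "mime_module", "rewrite_module",
    "php5_module",
}

# Assumed distribution module directory and ServerRoot; adjust per host.
MODULE_DIR = "/usr/lib/apache2/modules"
SERVER_ROOT = "/etc/apache2"

_LOADED_RE = re.compile(r"^\s*(\S+_module)\s+\((static|shared)\)\s*$")
_LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)")


def parse_loaded_modules(text: str) -> Dict[str, str]:
    """Map module name -> 'static' | 'shared' from `apachectl -M` output."""
    loaded: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LOADED_RE.match(line)
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def parse_loadmodule_paths(text: str, server_root: str = SERVER_ROOT) -> Dict[str, str]:
    """Map module name -> normalised absolute path of its shared object.

    Relative paths are resolved against ServerRoot, as httpd itself does,
    and '..' components are collapsed so a path that escapes the module
    directory cannot hide behind a legitimate-looking prefix.
    """
    paths: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LOADMODULE_RE.match(line)
        if not m:
            continue
        name, so_path = m.group(1), m.group(2).strip('"')
        if not posixpath.isabs(so_path):
            so_path = posixpath.join(server_root, so_path)
        paths[name] = posixpath.normpath(so_path)
    return paths


def audit_modules(apachectl_output: str, loadmodule_lines: str,
                  baseline: Set[str], module_dir: str = MODULE_DIR) -> Dict[str, List[str]]:
    """Return three sorted finding lists: modules not in the baseline, modules
    whose .so resolves outside module_dir, and shared modules loaded without a
    visible LoadModule directive (i.e. loaded from a config file not audited)."""
    loaded = parse_loaded_modules(apachectl_output)
    paths = parse_loadmodule_paths(loadmodule_lines)
    prefix = posixpath.join(module_dir, "")
    return {
        "unexpected": sorted(set(loaded) - baseline),
        "outside_module_dir": sorted(n for n, p in paths.items() if not p.startswith(prefix)),
        "no_loadmodule": sorted(n for n, k in loaded.items() if k == "shared" and n not in paths),
    }


if __name__ == "__main__":
    for finding, names in audit_modules(SAMPLE_APACHECTL_M, SAMPLE_LOADMODULE_LINES,
                                        BASELINE_MODULES).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

On a real host, feed the script the live output of `apachectl -M` and the LoadModule lines from the whole configuration tree (including any included files), and treat every finding as a lead rather than a verdict: confirm with the distribution's package verifier (`rpm -V` or `dpkg --verify`) that the legitimate module files are unmodified, and pull any unexplained shared object off the box for analysis rather than simply deleting it.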
Darkleech hits home
FireEye’s interest in Darkleech was raised after hackers used the malware to attack visitors to the security vendor’s careers Web site last month.
According to Darien Kindlund, FireEye's manager of threat intelligence, the firm's internal security and IT operations teams, together with a number of third-party partners, quickly established that the malicious code was not hosted on any FireEye Web infrastructure but on a third-party advertiser's system.
That system was reached, he says, via one of FireEye's third-party Web services, and the company's security team swiftly removed the links to the malware.
Kindlund notes that the FireEye Web site malvertisement infection was also serving up a Zeus variant, suggesting that the attack was a broad campaign designed to infect as many users as possible.