{"id":49898,"date":"2016-05-27T10:56:31","date_gmt":"2016-05-27T17:56:31","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=49898"},"modified":"2024-02-19T22:16:49","modified_gmt":"2024-02-20T06:16:49","slug":"seeing-darkleech-obfuscation-quick-hack-iframes","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/seeing-darkleech-obfuscation-quick-hack-iframes\/","title":{"rendered":"Seeing Through Darkleech Obfuscation: a Quick Hack to Iframes"},"content":{"rendered":"

This blog post was written by Kalpesh Mantri.<\/em><\/p>\n

Darkleech is an Apache module on the dark web that distributes malware. This tool, which appeared in 2012, was first used to infect many Apache servers and later sites running Microsoft IIS. The campaign infecting IIS sites was named pseudo-Darkleech\u00a0because\u00a0it resembles the Apache infector module. (In this post, we will use the term\u00a0Darkleech<\/em>\u00a0to refer to both Apache and IIS campaigns.)<\/p>\n

In early 2012, Darkleech scripts redirected users and led them to Blackhole exploit kit pages. After the Blackhole kit disappeared in October 2013, Darkleech moved to Fiesta exploit kits. From mid-2015 to today, Darkleech scripts switched occasionally between Neutrino and Angler exploit kits to deliver ransomware. Darkleech mostly redirects to Angler landing pages. (A\u00a0detailed history of Darkleech can be found\u00a0here<\/a>.)<\/p>\n

 <\/p>\n

Finding Darkleech\u00a0<\/strong><\/p>\n

Since late 2015, Darkleech scripts have evolved drastically. They are now highly obfuscated, and we can’t\u00a0easily determine the URLs they\u00a0redirect to.<\/p>\n

In this post we offer a quick hack for security researchers to find iframes and redirecting URLs from these heavily obfuscated scripts, which are injected into web pages. We\u00a0will focus only on finding the iframe and URL; we will not discuss the\u00a0functionality of the scripts or how they\u00a0work.\u00a0This hack does not require any special security tools. Using only Notepad and a browser (Firefox in this\u00a0case), we can see the final iframe and its redirecting URL. This technique makes use of the browser’s \u201calert box\u201d (message box) feature.<\/p>\n

Warning<\/strong>: Do not directly run these scripts on a machine. Use VirtualBox or another virtual machine instead. Also, take caution while making use of the URLs in these scripts. They are usually exploit kit landing pages, which if active exploit vulnerabilities in users\u2019 systems and download malware (mostly ransomware) to infect your system.<\/p>\n

 <\/p>\n

Find the sample<\/strong><\/p>\n

For our demonstration, we will use a\u00a0Darkleech sample we found on VirusTotal that has a\u00a0low detection rate.<\/p>\n

SHA-256: 7ea431ca9980d5f1d92fc105cd89bc897774bbe970db5a8a32dcd6e73ef400ae<\/a><\/p>\n

\"b1_1\"<\/p>\n

This sample has a block of data between <span> tags. The data in this block is highly useful for\u00a0decoding the\u00a0final iframe. This data block is decoded using a\u00a0script that is present just below the <span> block. This heavily obfuscated script lies within the <script> block of the HTML page:<\/p>\n

\"b1_2\"<\/p>\n

 <\/p>\n

Follow these steps<\/strong><\/p>\n

Near the\u00a0end of the script, you will find a function call with the\u00a0following format:<\/p>\n