DarkCracks, an advanced malicious payload & upgrade framework utilizing hacked GLPI and WordPress sites as intermediaries

Sept. 4, 2024, 9:17 a.m.

Description

DarkCracks is a sophisticated malware framework that exploits compromised GLPI and WordPress sites as intermediaries for payload delivery and command and control. It collects sensitive information from infected devices, maintains long-term access, and uses them as nodes to control other devices or deliver malicious payloads while hiding attacker traces. The framework demonstrates high persistence, stealth, and a well-designed upgrade system. It targets various critical infrastructure across different countries, including school websites, public transit systems, and prison visitor systems. The malware uses a three-layer URL polling mechanism for resilience and encrypts its components for protection. While highly effective in evading detection, it has vulnerabilities in its DGA implementation and C2 panel management that could potentially be exploited to disrupt the network.

External References

https://blog.xlab.qianxin.com/uncovering_darkcracks_payload_delivery_framework_cn
https://otx.alienvault.com/pulse/66d81d8c594eec466f956cd3
Tags
wordpress
quasarrat
2024-09-04
darkcracks
malware framework
infrastructure compromise
glpi

Date

  • Created: Sept. 4, 2024, 8:42 a.m.
  • Published: Sept. 4, 2024, 8:42 a.m.
  • Modified: Sept. 4, 2024, 9:17 a.m.

Indicators

  • 73cb265deb1bfe6e9240ffa26166367443d679f20ba26239fef734c0903ebed7
  • 6bdcd10a2434861f81f6dc75bd2b40f3aa847adb4b358ab6855d1c760a3090a1
  • 433b437746ec027c8215d1364fa491712a8452d5a1ccb0659368ad67a175e471
  • 2d8c7fee42d3db4a8e55fbff65351e1bb8addba8fcbd0f85ee1ca5033d0df342
  • 1f2fe0de4af45f9a63c6ac2e5e2a1290fa3d759ebbf9a340fe2c6c6d483eed27
  • 1cc6b3099fafce40611d84dff6c465bd03024db5cf8271ff25bd2b9151c53e49
  • 64.227.0.146
  • 216.238.103.62
  • 204.199.192.44
  • 187.190.1.137
  • 158.177.2.191
  • 148.102.51.6
  • 45.169.87.67
  • 216.74.123.97
  • 213.139.233.163
  • 179.191.68.85
  • https://www.miracles.com.hk/wp-content/plugins/foxiplugin/detail.php
  • https://www.auntyaliceschool.site/wp-admin/maint/wk8dnj2k
  • https://www.auntyaliceschool.site/wp-admin/maint/se3hf6jwc
  • https://www.auntyaliceschool.site/wp-admin/maint/
  • http://64.227.0.146/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php
  • http://45.169.87.67/vendor/sabre/event/lib/Promise/wk8dnj2k
  • http://45.169.87.67/vendor/sabre/event/lib/Promise/se3hf6jwc
  • http://45.169.87.67/vendor/sabre/event/lib/Promise/
  • http://216.238.103.62:8013/vendor/guzzlehttp/guzzle/src/Exception/DNSException.php
  • http://204.199.192.44/vendor/paragonie/sodium_compat/src/Core32/Poly25519.php
  • http://187.190.1.137/vendor/guzzlehttp/guzzle/src/Exception/detail.php
  • http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl
  • http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd
  • http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/mY5bJK7e
  • http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v
  • http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/
  • http://158.177.2.191/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php
  • http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php
  • ytc7ygoagjl.com
  • uvdfugoagjl.com
  • uvd7ygoagjl.com
  • stdfugoagjl.com
  • std7ygoagjl.com
  • qvd7ygoagjl.com
  • mvdfugoagjl.com
  • soussanart.com
  • mvd7ygoagjl.com
  • ktdfugoagjl.com
  • ktd7ygoagjl.com
  • ktc7ygoagjl.com
  • ivdfugoagjl.com
  • gtdfugoagjl.com
  • ivd7ygoagjl.com
  • gtd7ygoagjl.com
  • gtc7ygoagjl.com
  • evdfugoagjl.com
  • evd7ygoagjl.com
  • avd7ygoagjl.com
  • avdfugoagjl.com
Download all indicators here!

Attack Patterns

  • DarkCracks
  • QuasarRAT

Additional Informations

  • Transportation
  • Education
  • Government