DarkCracks, an advanced malicious payload & upgrade framework utilizing hacked GLPI and WordPress sites as intermediaries

Sept. 4, 2024, 9:17 a.m.

Description

DarkCracks is a sophisticated malware framework that exploits compromised GLPI and WordPress sites as intermediaries for payload delivery and command and control. It collects sensitive information from infected devices, maintains long-term access to them, and uses those devices as nodes to control other devices or deliver malicious payloads while hiding the attacker's traces. The framework demonstrates high persistence, stealth, and a well-designed upgrade system. It targets critical infrastructure across several countries, including school websites, public transit systems, and prison visitor systems. The malware uses a three-layer URL polling mechanism for resilience and encrypts its components for protection. While highly effective at evading detection, it has weaknesses in its DGA implementation and C2 panel management that could potentially be used to disrupt the network.

Date

Published: Sept. 4, 2024, 8:42 a.m.

Created: Sept. 4, 2024, 8:42 a.m.

Modified: Sept. 4, 2024, 9:17 a.m.

Indicators

73cb265deb1bfe6e9240ffa26166367443d679f20ba26239fef734c0903ebed7

6bdcd10a2434861f81f6dc75bd2b40f3aa847adb4b358ab6855d1c760a3090a1

433b437746ec027c8215d1364fa491712a8452d5a1ccb0659368ad67a175e471

2d8c7fee42d3db4a8e55fbff65351e1bb8addba8fcbd0f85ee1ca5033d0df342

1f2fe0de4af45f9a63c6ac2e5e2a1290fa3d759ebbf9a340fe2c6c6d483eed27

1cc6b3099fafce40611d84dff6c465bd03024db5cf8271ff25bd2b9151c53e49

64.227.0.146

216.238.103.62

204.199.192.44

187.190.1.137

158.177.2.191

148.102.51.6

45.169.87.67

216.74.123.97

213.139.233.163

179.191.68.85

https://www.miracles.com.hk/wp-content/plugins/foxiplugin/detail.php

https://www.auntyaliceschool.site/wp-admin/maint/wk8dnj2k

https://www.auntyaliceschool.site/wp-admin/maint/se3hf6jwc

https://www.auntyaliceschool.site/wp-admin/maint/

http://64.227.0.146/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php

http://45.169.87.67/vendor/sabre/event/lib/Promise/wk8dnj2k

http://45.169.87.67/vendor/sabre/event/lib/Promise/se3hf6jwc

http://45.169.87.67/vendor/sabre/event/lib/Promise/

http://216.238.103.62:8013/vendor/guzzlehttp/guzzle/src/Exception/DNSException.php

http://204.199.192.44/vendor/paragonie/sodium_compat/src/Core32/Poly25519.php

http://187.190.1.137/vendor/guzzlehttp/guzzle/src/Exception/detail.php

http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl

http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd

http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/mY5bJK7e

http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v

http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/

http://158.177.2.191/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php

http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php

ytc7ygoagjl.com

uvdfugoagjl.com

uvd7ygoagjl.com

stdfugoagjl.com

std7ygoagjl.com

qvd7ygoagjl.com

mvdfugoagjl.com

soussanart.com

mvd7ygoagjl.com

ktdfugoagjl.com

ktd7ygoagjl.com

ktc7ygoagjl.com

ivdfugoagjl.com

gtdfugoagjl.com

ivd7ygoagjl.com

gtd7ygoagjl.com

gtc7ygoagjl.com

evdfugoagjl.com

evd7ygoagjl.com

avd7ygoagjl.com

avdfugoagjl.com

Attack Patterns

DarkCracks

QuasarRAT

T1571

T1574

T1559

T1547

T1082

T1105

T1083

T1071

T1102

T1055

T1140

T1027

T1553

T1078

T1059

Additional Information

Transportation

Education

Government