DarkCracks, an advanced malicious payload & upgrade framework utilizing hacked GLPI and WordPress sites as intermediaries
Sept. 4, 2024, 9:17 a.m.
Description
DarkCracks is a sophisticated malware framework that exploits compromised GLPI and WordPress sites as intermediaries for payload delivery and command and control. It collects sensitive information from infected devices, maintains long-term access, and uses them as nodes to control other devices or deliver malicious payloads while hiding attacker traces. The framework demonstrates high persistence, stealth, and a well-designed upgrade system. It targets various critical infrastructure across different countries, including school websites, public transit systems, and prison visitor systems. The malware uses a three-layer URL polling mechanism for resilience and encrypts its components for protection. While highly effective in evading detection, it has vulnerabilities in its DGA implementation and C2 panel management that could potentially be exploited to disrupt the network.
Date
Published: Sept. 4, 2024, 8:42 a.m.
Created: Sept. 4, 2024, 8:42 a.m.
Modified: Sept. 4, 2024, 9:17 a.m.
Indicators
Attack Patterns
DarkCracks
QuasarRAT
T1571
T1574
T1559
T1547
T1082
T1105
T1083
T1071
T1102
T1055
T1140
T1027
T1553
T1078
T1059
Additional Information
Transportation
Education
Government