Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules


What would an attacker do if they were attempting to inject malicious iFrames on as many Web sites as possible? Would they rely on search engines’ reconnaissance as a foundation for their exploitation process, data mine a botnet’s infected population for accounting data related to cPanel, FTP and SSH accounts, purchase access to botnet logs, unethically pen-test a Web property’s infrastructure, or hit the jackpot with an ingenious idea that has been trending recently within the cybercrime ecosystem? None of these. They would simply seek access to servers hosting as many domains as possible and embed malicious iFrames in each and every .php/.html/.js file found within those domains. At least that’s what the cybercriminal operations I’ll elaborate on in this post are all about. Let’s take a peek at a recently advertised DIY mass iFrame injecting Apache 2.x module that appears to have already been responsible for a variety of security incidents across the globe.

This module makes it virtually impossible for a webmaster to remove the infection from their Web site, since the iFrames are inserted by the Apache module as pages are served rather than written into the site’s files; it affects millions of users in the process and earns thousands of dollars for the cybercriminals operating it. More details: the Apache 2.x based stealth module is capable of inserting and rotating iFrames on all pages of a particular website hosted on the compromised server. The injection is gated on a cookie plus a unique IP address, an attempt by the cybercriminal behind the kit to make analysis of the module harder. The module also withholds the iFrame URL from search engines, Google Chrome and Linux users, as well as from requests coming from local IP addresses. For the time being its price is $1,000. Sample screenshot of the underground market advertisement for the malicious Apache 2 module:
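An added example, not code from the post or from the module’s author: a Python check for serve-time iFrame injection of the kind described above. It compares the response the server actually returns with the file on disk and reports iFrame sources that exist only in the response, which is the tell when the files themselves are clean. Because the module suppresses the injection for search engines, Chrome, Linux and local IPs, the fetch helper defaults to a non-Chrome, non-Linux User-Agent and should be run from a remote host with a fresh cookie jar; the User-Agent string, URL and HTML samples are constructed assumptions.

```python
# Added example: detect serve-time iFrame injection by comparing the served
# response with the file on disk. A malicious Apache module alters the response,
# not the file, so a clean file plus a dirty response indicates injection.
from html.parser import HTMLParser
import urllib.request


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def iframe_srcs(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def injected_iframes(on_disk_html, served_html):
    """Return iFrame sources present in the served response but absent on disk."""
    expected = set(iframe_srcs(on_disk_html))
    return [s for s in iframe_srcs(served_html) if s not in expected]


def fetch_as_visitor(url, user_agent="Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"):
    """Fetch a page as a typical victim browser would (assumed UA, not from the post).
    Run from a remote host, without cookies, and repeat several times since the
    module rotates iFrames and only injects once per cookie/IP pair."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: the page as it exists on disk ...
ON_DISK = '<html><body><h1>Hello</h1><iframe src="/ads/banner.html"></iframe></body></html>'
# ... and the same page as returned by a server running an injecting module
SERVED = ('<html><body><h1>Hello</h1><iframe src="/ads/banner.html"></iframe>'
          '<iframe src="http://malicious.example/x.php" width="1" height="1"'
          ' style="visibility:hidden"></iframe></body></html>')

if __name__ == "__main__":
    for src in injected_iframes(ON_DISK, SERVED):
        print("injected iframe:", src)
```

For a real check, replace SERVED with `fetch_as_visitor(url)` and ON_DISK with the document root file the URL maps to.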

What’s worth emphasizing about this particular cybercrime ecosystem ad is the fact that the author of the Apache 2 module is OPSEC (operational security) unaware. What he did was basically cite research articles profiling the activities of his cybercrime-friendly release, referring to them as – Feedback from “customers” :)

A logical question emerges: what’s the ROI (return on investment) of this practice? Pretty decent, according to statistics released by the author in an attempt to demonstrate just how much money can be made selling scareware (fake security software) through his malicious module. Sample statistics released by the author of the malicious module:

As you can see in the attached screenshot, thousands of users continue installing and purchasing fake antivirus software products, driving a steady flow of income to the accounts of the cybercriminal(s) operating these campaigns. Moreover, the statistics also indicate that thousands of users visiting their favorite and trusted websites are being exploited through client-side exploits, such as those served by the market-leading Black Hole Exploit Kit, thanks to the malicious Apache 2 module.

Is the development of such stealth modules a trend or a fad? Cybercriminals aren’t suffering from a shortage of legitimate traffic, at least for the time being. Geolocated underground Web traffic exchanges supply a constant stream of unique IPs to be converted into malware-infected hosts through practices such as spam, black hat SEO (search engine optimization), malvertising, cybercrime-friendly search engines, and bogus multi-topic content farms spread across legitimate Web properties. Sample price list for iFrame-driven geolocated traffic, per thousand unique visitors:

We’ll continue monitoring this emerging trend and post updates as soon as new developments take place. You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. [...] The Linux/Chapro.A attack has not been publicly documented in the past. Our telemetry systems did not report other installation of this malicious Apache module in the wild. While the intent of injecting iframes into served webpages is the same as the rootkit analyzed by Crowdstrike and Kaspersky, we confirm this is not the same malware family. On the other hand, this malware has many similarities to something discussed on Russian underground forums as exposed by Dancho Danchev. [...]

  3. [...] will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible [...]

  5. [...] Active exploitation of server farms – A cybercriminal’s mentality is fairly simple as it has to do with efficiency. The higher the page rank of the infected legitimate website, the better, as the campaign will attract a lot of traffic. However, the high page rank also increases the probability of a successful detection by the security community. What would a cybercriminal do in this case? They’ll take advantage of the ‘Long Tail‘ concept, infecting as many low profile websites as possible. This is theoretically capable of achieving the same traffic volumes as if they were to infect a high page rank-ed website. One of the most recent tactics we’ve seen has to do with the practice of infecting all the domains parked at a specific (compromised) server, through commercially available Apache backdoors. [...]

  6. [...] researchers is the exploiting of servers that host large number of domains, for example using commercially available Apache [...]

  7. [...] many years now, cybercriminals have been efficiently abusing both legitimate compromised and automatically registered FTP accounts (using CAPTCHA outsourcing) in an attempt to [...]

  8. [...] active exploitation of server farms continues to take place - yet another factor that we believe is contributing to the overall demise of ‘brute-forcing your way in’ type of attack tactics, is the emergence of sophisticated platforms attempting to infect as many Web sites as possible, through a direct server farm compromise. [...]