Darkleech is an exploitation toolkit that could allow an unauthenticated, remote attacker to inject malicious software into a targeted system.
Darkleech targets end users by injecting crafted HTML iframes into the user's browser session in real time when an affected page is accessed. Darkleech can be elusive and difficult to detect because the toolkit uses a sophisticated array of conditional criteria to decide when to inject the malicious iframes into the pages served to the user.
Successful installation of the Darkleech toolkit could allow the attacker to compromise the SSH binaries on the affected system and thereby establish backdoor access to it. In addition, the attacker could access all SSH authentication credentials on the targeted system and use the stolen credentials to access and compromise additional systems.
The attacker may exploit multiple attack vectors to install Darkleech on a targeted system; however, reports have identified vulnerabilities in Parallels Plesk Panel or cPanel in which successful exploitation could allow an attacker to gain root access to a targeted system and install the toolkit. One such vulnerability, CVE-2012-1557, is documented in Alert 25288.
Reports indicate that Darkleech attacks have been ongoing since at least August 2012. Further research by Cisco Senior Security Researcher Mary Landesman and Security Engineer Gregg Conklin, available in the Cisco Security blog post Apache Darkleech Compromises, indicates that the ongoing Darkleech attacks have successfully targeted an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent websites such as the Los Angeles Times in February and a blog for the hard drive manufacturer Seagate in March.
Administrators are advised to investigate websites that deliver iframes to the user that are not present in the site's HTML source files. Such iframes could be an indicator of compromise.
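One way to perform the check described above, as an added example that is not part of the original alert: parse the page as it exists in the web root and the same page as actually delivered by the server, and report any iframe that appears only in the delivered copy. The sample HTML, the `example.com` widget and the `injected.invalid` hostname are constructed for illustration.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; attrs is a list of (name, value) pairs.
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def iframe_sources(html):
    """Return the iframe src values found in html, in document order."""
    collector = IframeCollector()
    collector.feed(html)
    return collector.srcs


def injected_iframes(on_disk_html, served_html):
    """Return iframe src values delivered by the server that the on-disk page never contained."""
    expected = set(iframe_sources(on_disk_html))
    return [src for src in iframe_sources(served_html) if src not in expected]


# Constructed sample: the page as stored in the web root.
ON_DISK = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget"></iframe>
</body></html>"""

# Constructed sample: the same page as delivered by a server that injects an
# extra, visually hidden iframe at response time (the file on disk is unchanged).
SERVED = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget"></iframe>
<iframe src="http://injected.invalid/path" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in injected_iframes(ON_DISK, SERVED):
        print("iframe delivered but absent from source file:", src)
```

In practice the served copy is fetched from the live site and the on-disk copy read from the web root; a non-empty result means the response was modified somewhere between the file and the client and warrants investigation of the server.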