Isn’t Linux/Chapro.A only Darkleech Apache Module ?
ESET anti-virus editor has post a blog post the 18th December regarding a “new” malicious Apache module how inject malicious content into web pages served up by compromised servers. The malware, named Linux/Chapro.A by ESET, is using a XOR loop obfuscation and other techniques in order to evade detection by system administrators. ESET also reported that the malware was actively used by Exploit Kits, and precisely by Sweet Orange. Some screenshots were provided by ESET, but no samples.
I was interested by this new malware, cause few weeks ago another malicious Web server module was found, but this time targeting nginx in proxy mode, but with the same purposes.
Based on the few information’s provided by ESET I began my investigation in order to find samples and have more details on the malware.
My first track was the “C_ARRAY_BAN_USERAGENT” string present in the ESET screenshots. By a simple search on Google I found a presentation made by russian security researchers, in October 2012, and describing the usage of malicious Apache modules by Exploit Kits (Page 19 of the presentation). String ”C_ARRAY_BAN_USERAGENT” was present in this presentation. The original discovery is attributed to Unmask Parasites in September 2012.
If you take a look at page 23 of the presentation and to the screenshot made by ESET. Do you not see any similarities ?
I saw here too much similarities between the malicious Apache module discovered by Unmask Parasites and ESET Linux/Chapro.A.
Hopefully Unmask Parasites has provide more details (some strings) of the malicious Apache module in his blog post, in order to continue my investigations. The malicious Apache module was linked to Darkleech module by the author of this module on Russian underground forums.
Also hopefully, malware.lu had one sample of Linux/Chapro.A (e022de72cce8129bd5ac8a0675996318) and I had the possibility to compare ESET sample and strings provided by Unmask Parasites in his blog post. If you take a look at my strings comparison results between the two samples (Unmask Parasites strings – Linux/Chapro.A strings), also if you compare the capabilities and behaviors between the two samples, they’re is no doubt Linux/Chapro.A is not new but he is only Darkleech.
Another interesting point is that Darkleech has a new version since mid-November.
Translation is “After a pause, resumed sales! Please knock old customers for updates, current version 2012.11.16!“.
I recommend you to read these related posts
- CVE-2011-3192 : Apache HTTPD Killer Remote Denial of Service
- Funny and Efficient Anti-Virus Bypass Packed Java Applets Exploits CVE-2012-4681 in the Wild
- Oracle Java 0day and the Myth of a Targeted Attack
- Gong Da / Gondad Exploit Pack Add Java CVE-2012-5076 support
- Gong Da / Gondad Exploit Pack Add Java CVE-2013-0422 support
- Gong Da / Gondad Exploit Pack Add Flash CVE-2013-0634 Support
- Gong Da / Gondad Exploit Pack Add Adobe Flash CVE-2012-1535 Support
- JBoss Worm Analysis in Details
- Dark South Korea and Discovered PuTTY Tools Behaviours
- Cool Exploit Kit Remove Support of Java CVE-2012-1723