silversurfer (Thread author)
The hackers-for-hire group DarkCrewFriends has resurfaced and is targeting content management systems to build a botnet. The botnet can be marshalled into service to carry out a variety of criminal activities, including distributed denial-of-service (DDoS) attacks, command execution, information exfiltration or sabotage of an infected system.
Researchers said they observed DarkCrewFriends exploiting an unrestricted file upload vulnerability to compromise PHP servers that run websites. After compromise, a malicious PHP web shell is installed as a backdoor, which in turn sets up a connection to a command-and-control (C2) server using an Internet Relay Chat (IRC) channel, according to Check Point researchers Liron Yosefian and Ori Hamama.
“Many applications allow users to upload certain files to their servers, such as images or documents,” explained the researchers on Thursday in a blog post. “These files can put the system at risk if they are not properly handled. A remote attacker can send a specially crafted request to a vulnerable server and upload an unrestricted file while bypassing the server’s file extension check. This can eventually result in arbitrary code execution on the affected system.”
The exploit for the particular vulnerability being targeted is a zero-day that was created and published by DarkCrewFriends, according to Check Point. Threatpost has reached out for more information on the bug and other details of the campaign.

Full report by researchers:

DarkCrewBot - The Return of the Bot Shop Crew - Check Point Research
Research By: Liron Yosefian and Ori Hamama, Network Research Introduction Check Point Researchers recently discovered an ongoing, evolving campaign from a known hackers’ group, “DarkCrewFriends.” This campaign targets PHP servers, focusing on creating a botnet infrastructure that can be...
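As an added example (not code from the Threatpost or Check Point write-ups), the kind of upload validation the researchers' paragraph argues for, written in Python rather than PHP so it runs stand-alone: a naive extension check that only looks for an allowed extension somewhere in the name, beside a hardened check that allow-lists the final extension, verifies the file's signature bytes and generates the stored name. File names and byte strings below are constructed test inputs.

```python
import os
import re
import secrets
from typing import Optional

# Allow-listed image types and the leading bytes (magic numbers) each must carry.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_extension_check(filename: str) -> bool:
    """Naive check: passes if an allowed extension appears *anywhere* in the name.
    A name whose last suffix is something else entirely still gets through."""
    lowered = filename.lower()
    return any(f".{ext}" in lowered for ext in ALLOWED)


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return a generated server-side filename, or None if the upload is rejected.

    Rules: strip any directory part; the name must be <stem>.<ext> with a plain
    stem (no extra dots, so only one extension exists); <ext> must be on the
    allow-list; and the body must start with that type's signature. The stored
    name is random, so nothing the client chose ever reaches the filesystem.
    """
    base = os.path.basename(filename)
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if match is None:
        return None
    ext = match.group(1).lower()
    if ext not in ALLOWED:
        return None
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return None  # declared type does not match the actual bytes
    return f"{secrets.token_hex(16)}.{ext}"
```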