DarkCracks: A New Stealthy Malware Framework Exploiting GLPI and WordPress
Cybersecurity researchers from QiAnXin have uncovered an advanced malware campaign named DarkCracks, which exploits vulnerabilities in compromised GLPI and WordPress websites to distribute malicious loaders and maintain control over infected systems. The discovery came after an in-depth analysis of suspicious files uploaded to VirusTotal, with alarming findings: the malware had evaded detection by nearly all antivirus software, making it a significant stealth threat.
A Sophisticated Delivery System
DarkCracks isn’t just a typical malware campaign—it’s a Launcher designed for long-term exploitation. The framework leverages public websites, including school portals, urban transport networks, and booking systems, to distribute malicious payloads to unsuspecting users. Compromised devices are then co-opted into functioning as Launcher and as tools for covert control over other compromised systems.
What makes DarkCracks particularly concerning is its complex operational structure. Once the attackers gain access to a server—often through weak points in GLPI (an open-source IT asset management system) or WordPress sites—they upload Launcher that initiate a multi-stage attack. These files download additional components that collect data, establish long-term access, and maintain a covert foothold on the network.
DarkCracks primarily targets Launcher, allowing attackers to maintain access and update their malware over time. This adaptability ensures that the campaign can continue even if certain components are discovered and neutralized by security teams.
Long-Term Stealth Capabilities
One of the most striking aspects of DarkCracks is its ability to evade detection for extended periods. Many of the malware’s components went unnoticed for over a year, evading even sophisticated detection mechanisms. Despite QiAnXin’s thorough investigation, some parts of the malware system—most notably the Launcher, the main component responsible for initiating attacks—remain unidentified. This elusive nature makes DarkCracks a formidable threat to organizations worldwide.
The DarkCracks campaign also uses an intricate three-tier URL verification system that allows it to locate backup servers if the primary ones are taken down, further ensuring the continuity of its operations. This redundancy and obfuscation add layers of difficulty for cybersecurity teams attempting to dismantle the system.
Targeted Phishing and Global Reach
In an unusual twist, researchers discovered a decoy file titled “김영미 이력서” (translated as “Kim Young-mi’s resume” in Korean), indicating that the campaign may be targeting Korean users through spear-phishing attempts. The file, a password-protected document uploaded to one of the servers involved in the campaign, suggests that attackers may be using personalized or regionalized phishing strategies to gain access to vulnerable systems.
The DarkCracks operation first came to QiAnXin’s attention in June 2024, when unusual traffic patterns were detected from an IP address linked to a compromised GLPI system. Upon further investigation, it was revealed that attackers had been using compromised servers to upload malicious files, masking their activities through layered obfuscation and encryption techniques. This discovery underscores how deeply entrenched these attackers were, often bypassing standard security measures.
Protecting Against DarkCracks
Researchers at QiAnXin are urging IT administrators and security professionals to be on high alert for any unusual activity, especially if their infrastructure relies on GLPI or WordPress systems. Given the stealthy and persistent nature of DarkCracks, the following steps are recommended to mitigate the threat:
- Regularly update software and apply patches to address known vulnerabilities in GLPI, WordPress, and other web-based platforms.
- Monitor network logs for abnormal traffic patterns or unexplained connections to external servers.
- Conduct frequent security audits on web servers to detect any unauthorized file uploads or suspicious processes.
- Strengthen defenses with advanced detection tools that can identify the layered obfuscation methods used by DarkCracks and similar malware.