Check Point researchers recently discovered an ongoing, evolving campaign from a known hacking group, “DarkCrewFriends.” The campaign targets PHP servers and focuses on building a botnet infrastructure that can be leveraged for several purposes, such as monetization and shutting down critical services.
DarkCrewFriends has been quite active over the last few years. The group offers a variety of services, ranging from bots to traffic services for websites, and was named as the party responsible for a data breach at an Italian news site. The attack chain of the current campaign consists of exploiting an unrestricted file upload vulnerability, uploading a malicious PHP web shell, and communicating with a C&C server over an IRC channel. The attackers can leverage the malware’s capabilities for various scenarios, such as several types of DDoS attack and shell command execution.
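The first link in that chain is the unrestricted upload. As an added illustration (not code from Check Point or from the campaign), here is the unsafe pattern that lets a client drop a .php file under the web root, beside a hardened PHP handler that keys everything off server-side decisions; the form field name "avatar", the upload directory and the allowed types are assumptions.

```php
<?php
// Added example: hardened upload handler for a PHP server. The field name,
// directory and allowed types below are assumed, not taken from the write-up.
const UPLOAD_DIR = '/var/app/uploads';               // outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;                  // 2 MiB
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Unsafe pattern: the client controls both the name and the location, so a
// file called shell.php lands under the web root and is executed on request.
//   move_uploaded_file($_FILES['avatar']['tmp_name'],
//                      __DIR__ . '/uploads/' . $_FILES['avatar']['name']);

function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Derive the type from the bytes, never from $_FILES['type'] or the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported content type');
    }
    // Server-chosen name: random, fixed extension, no client path components.
    // Stored outside the web root, so no name the client picks can be executed.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
    try {
        echo json_encode(['stored' => store_upload($_FILES['avatar'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Serving the stored files back through a separate read-only handler (rather than a web-accessible directory) keeps the upload path from ever becoming a code-execution path.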
In this presentation we will share our findings, from a detailed walk-through of the entire attack chain to unique insights into the threat actors.