WordPress Malware: Darkleech

This leech has to be burned, and FAST!!

Darkleech is malware that targets vulnerable web servers hosting WordPress sites. Once it has a foothold on a server it injects malicious code into the pages that server delivers to visitors, and it does so selectively: the injection is withheld while the web server administrator or the site administrator is logged in to the targeted environment, so the site owner keeps seeing clean pages while ordinary visitors get the injected ones.

The team at Sucuri (sucuri.net) has published a detailed report that explains how Darkleech operates on WordPress.

That report names a handful of domains used by Darkleech. We have gone a step further and compiled the full list of domains we have seen used by the Darkleech malware (defanged with hxxp://):

  1. hxxp://hgowunwm.myftp.biz/
  2. hxxp://aagxohoo.servepics.com/wordpress/?bf7N&utm_source=le
  3. hxxp://rpghzk.myftp.biz/
  4. hxxp://xgrvgbj.myftp.biz/
  5. hxxp://oqqgheng.myftp.biz/
  6. hxxp://5.101.118.149/
  7. hxxp://tccike.servepics.com/
  8. hxxp://cuicbuvxcw.myftp.biz/
  9. hxxp://uhlhwb.myftp.biz/
  10. hxxp://cpkdqgqrnv.myftp.biz/
  11. hxxp://ouvscelh.servepics.com/
  12. hxxp://xaruwqyw.myftp.biz/
  13. hxxp://objfpajh.hopto.org/
  14. hxxp://bixovoccfx.myftp.org/
  15. hxxp://jjftbdcep.myftp.biz/
  16. hxxp://fymevamnrv.myftp.org/
  17. hxxp://ugriyl.myftp.biz/
  18. hxxp://rerchgo.myftp.biz/
  19. hxxp://vbofzd.myftp.org/
  20. hxxp://cgzuummsrp.myftp.biz/
  21. hxxp://mvtjocixpc.myftp.biz/
  22. hxxp://lgwlcpvaf.myftp.biz/
  23. hxxp://lycloxhk.myftp.biz/
  24. hxxp://kmiuknwjl.myftp.org/
  25. hxxp://xdiiqjq.myftp.org/
  26. hxxp://nyyevr.hopto.org/wordpress/?bf7N&utm_source=le
  27. hxxp://iteroz.hopto.org/
  28. hxxp://itthqytxzi.hopto.org/
  29. hxxp://wqcyfym.serveftp.com/
  30. hxxp://udyxkpe.servepics.com/
  31. hxxp://nxqfllovxu.myftp.org/
  32. hxxp://gxjoztaf.myftp.org/
  33. hxxp://ygaguxwkpk.hopto.org/
  34. hxxp://iqgaalnfiy.myftp.org/
  35. hxxp://ylmzjbggmy.myftp.biz/
  36. hxxp://fnrbjvybv.myftp.org/
  37. hxxp://yhhrjrxd.servepics.com/
  38. hxxp://xlhykzqal.hopto.org/
  39. hxxp://egbpjk.hopto.org/
  40. hxxp://aofcpxjs.hopto.org/
  41. hxxp://heaypggml.myftp.org/
  42. hxxp://ifixsqzzm.servepics.com/
  43. hxxp://epnjaohnz.myftp.org/
  44. hxxp://xnywkuehaj.servepics.com/

As the list shows, Darkleech relies on the No-IP dynamic DNS service to spin up throwaway hostnames: myftp.biz, myftp.org, hopto.org, servepics.com and serveftp.com are all No-IP zones, and only one entry is a bare IP address. Because these are dynamic DNS names, the address behind each one can change at any time, so match and block on the hostname rather than on whatever it resolves to today. The domains were collected from VirusTotal.com.
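To make the list usable, here is an added example (our own code, not from the Sucuri report or any Darkleech sample) that refangs the hxxp:// entries, extracts the hostnames, and scans captured page HTML for references to them. It also applies the pattern noted above as a heuristic: any hostname under one of the No-IP zones seen in the list is flagged for triage even if it is not in the list. The IOC subset, the No-IP zone list and the HTML lines are embedded inline; the HTML is constructed for the example, and `example-dyn.hopto.org` is a made-up host used only to show the heuristic firing.

```python
import re
from urllib.parse import urlsplit

# Subset of the Darkleech hosts listed above, still defanged (hxxp://).
# Feed the full list in the same format to ioc_hosts() for real use.
DARKLEECH_IOCS = [
    "hxxp://hgowunwm.myftp.biz/",
    "hxxp://aagxohoo.servepics.com/wordpress/?bf7N&utm_source=le",
    "hxxp://5.101.118.149/",
    "hxxp://objfpajh.hopto.org/",
    "hxxp://wqcyfym.serveftp.com/",
    "hxxp://bixovoccfx.myftp.org/",
]

# No-IP dynamic DNS zones that appear in the list above.
NOIP_ZONES = ("myftp.biz", "myftp.org", "hopto.org", "servepics.com", "serveftp.com")

# Constructed sample: a few lines of HTML as served by a suspect WordPress site.
# Line 2 carries a hidden iframe pointing at a listed host, line 4 a made-up
# No-IP host (example-dyn.hopto.org, not a real IOC), line 5 the listed IP.
SAMPLE_LINES = [
    '<html><head><title>Blog</title></head>',
    '<body><p>Welcome</p><iframe src="http://hgowunwm.myftp.biz/" style="visibility:hidden;width:1px;height:1px"></iframe>',
    '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>',
    '<a href="http://example-dyn.hopto.org/in.php">read more</a>',
    '<img src="http://5.101.118.149/t.gif">',
    '</body></html>',
]

HOST_RE = re.compile(r"(?i)\bhttps?://([a-z0-9.-]+)")


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a real one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_hosts(iocs) -> set:
    """Extract the lower-cased hostname or IP from each defanged IOC URL."""
    hosts = set()
    for ioc in iocs:
        host = urlsplit(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_noip_host(host: str) -> bool:
    """True if host is a No-IP zone or a name directly or indirectly under one."""
    h = host.lower()
    return any(h == z or h.endswith("." + z) for z in NOIP_ZONES)


def find_hosts(text: str):
    """All http(s) hostnames referenced in a line of HTML or log text."""
    return [m.group(1).lower() for m in HOST_RE.finditer(text)]


def scan(lines, known_hosts):
    """Return (line_number, host, reason) for every reference to a listed
    Darkleech host ("known-ioc") or to any No-IP dynamic DNS host ("noip-dyndns")."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in find_hosts(line):
            if host in known_hosts:
                hits.append((n, host, "known-ioc"))
            elif is_noip_host(host):
                hits.append((n, host, "noip-dyndns"))
    return hits


if __name__ == "__main__":
    for n, host, reason in scan(SAMPLE_LINES, ioc_hosts(DARKLEECH_IOCS)):
        print(f"line {n}: {host} [{reason}]")
```

Run it against HTML fetched with a non-admin User-Agent from an outside network, since Darkleech withholds the injection from administrators; a clean result seen from the admin's own browser proves nothing. The `noip-dyndns` reason is a triage signal, not proof of compromise: plenty of legitimate sites use No-IP hostnames, so confirm a hit by inspecting the page source and the server itself.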