A malware framework named DarkCracks has been identified by cybersecurity experts from QiAnXin. This newly discovered threat takes advantage of weaknesses in GLPI, an IT asset management system, and WordPress websites. DarkCracks has raised alarm due to its ability to remain hidden and undetected by most antivirus programs, posing a risk to users and businesses relying on these platforms.

DarkCracks operates as a highly advanced malware framework, designed to exploit vulnerable systems over a prolonged period. Instead of merely infecting devices, it uses them as Launchers to deploy additional malicious components. Attackers gain entry by targeting compromised public websites, such as school networks or transportation systems, turning them into platforms to spread malware to other unsuspecting users.

Once attackers infiltrate a server, they initiate a multi-phase attack by uploading files that execute further malicious tasks. These components are responsible for gathering sensitive data, maintaining long-term access, and keeping control over the infected systems under the radar of most cybersecurity defences. The malware is designed for long-term exploitation, adapting to changes and remaining operational even when parts of it are detected and removed by security measures.

What makes DarkCracks particularly dangerous is its ability to evade detection for extended periods. Some of its elements have managed to stay hidden for over a year, avoiding detection by even the most sophisticated cybersecurity tools. Despite QiAnXin’s analysis, some core elements, including the Launcher, remain unidentified, making it extremely challenging for IT teams to fully neutralise the threat.

Adding to the complexity, DarkCracks employs a backup system that uses a three-layer URL verification technique. This ensures the malware can continue operating even if its primary servers are taken down, providing resilience and making it harder for cybersecurity teams to disrupt its activities.

Possible Phishing Attacks on Korean Users

In a unique finding, researchers uncovered a file titled “Kim Young-mi’s Resume” in Korean, suggesting that the attackers may be using spear-phishing techniques to target users in Korea. This file, discovered on one of the compromised servers, indicates that attackers could be tailoring their phishing efforts to specific regions, a method that could increase their chances of success in gaining unauthorised access.

The DarkCracks campaign came to light in June 2024 when an unusual amount of network traffic was observed from an IP linked to a compromised GLPI server. The investigation revealed that cybercriminals had already uploaded malicious files onto compromised servers, using techniques like encryption and obfuscation to mask their activities.

How to Defend Against DarkCracks

To protect against this emerging threat, cybersecurity experts are urging organisations, particularly those using GLPI or WordPress, to take immediate precautions. Key recommendations include regularly updating all software and systems to ensure that known vulnerabilities are patched. This can help prevent the malware from exploiting security holes.

In addition, IT teams are advised to monitor network traffic for unusual activity, including unexpected connections to external servers. Frequent security audits can also help identify unauthorised file uploads or suspicious activities within the system. Advanced detection tools capable of recognizing the layered obfuscation techniques used by DarkCracks are also essential in preventing and identifying these stealthy attacks.

By implementing these defensive strategies, businesses can reduce their risk of falling victim to the DarkCracks malware and protect their systems from long-term exploitation.