Dharma ransomware is being distributed in a new way: it masquerades as an ESET AV Remover installer to trick users and to hide its malicious activity.
Dharma ransomware was first observed in 2016. It uses AES-256 encryption and primarily targets storage devices.
The latest variant of Dharma is distributed through spam emails that urge recipients to click a link. Clicking the link opens a prompt for a password, which is supplied in the email.
Once the user enters the password, a self-extracting archive named Defender[.]exe is downloaded. It drops taskhost[.]exe, the malicious file, together with an old, renamed copy of the ESET AV Remover, Defender_nt32_enu[.]exe.
Figure 1. Dharma ransomware infection chain
Figure 2. Spam mail for Dharma ransomware
Figure 3. Running the self-extracting archive (Defender.exe)
According to Trend Micro's analysis, taskhost[.]exe is the file associated with the Dharma ransomware. “The ransomware utilizes this old ESET AV Remover installer, which seems unmodified dependent on initial scanning, to divert attention as it encrypts files on the victim’s device.”
Figure 4. Software installation distracts from the ransomware’s activities
Figure 5. Software installation runs on a different instance than malware
The ransomware begins encrypting in the background as soon as the ESET AV Remover installation starts. The ESET GUI shown on screen distracts the user while the encryption runs behind it.
The AV Remover is a working tool that goes through its normal installation routine if it is executed. However, the ransomware encrypts files regardless of whether the installation is started. The malware runs in a separate instance from the software installation, so their behavior is not linked.
The tool is genuine software bundled with the malware, so user interaction is required to install it completely. The ransomware runs even if the tool installation is never started, and the tool can be installed even if the ransomware does not run. The installation process appears to be included only to make users believe that no malicious activity is taking place.
Figure 6. The ESET installer file also has a valid digital signature, so this also helps it stay under the radar.
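The behaviour described above (a self-extracting archive launching a signed, unmodified installer as a decoy next to an unsigned payload that borrows a Windows system binary name) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the original report or from Trend Micro: it runs a simple parent/child correlation over constructed, Sysmon-style process events. The drop paths, PIDs and the `signed` flag are assumptions made for the example; the page only gives the file names.

```python
"""Flag the decoy-installer pattern on constructed process-creation events.
Added example; the event records below are hypothetical, not real telemetry."""
from dataclasses import dataclass
from typing import Dict, List

# Windows binaries whose names malware commonly borrows; taskhost.exe is the
# name the page reports for the Dharma payload.
SYSTEM_BINARY_NAMES = {"taskhost.exe", "svchost.exe", "explorer.exe"}
# Directories where those names are legitimately found.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    signed: bool    # whether the image carried a valid Authenticode signature


def is_masquerading(path: str) -> bool:
    """True when a system-binary name runs from outside the system directories."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS)


def find_decoy_installer_pattern(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per parent that spawned both a signed child (the
    decoy installer) and an unsigned child masquerading as a system binary."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings: List[Dict] = []
    for ppid, kids in children.items():
        suspects = [k for k in kids if is_masquerading(k.image) and not k.signed]
        decoys = [k for k in kids if k.signed and not is_masquerading(k.image)]
        if suspects and decoys:
            findings.append({
                "parent_pid": ppid,
                "suspect": [k.image for k in suspects],
                "decoy": [k.image for k in decoys],
            })
    return findings


# Constructed sample: the archive Defender.exe (pid 100) launches both the
# payload and the renamed ESET installer; pid 200 is the real taskhost.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Users\victim\Downloads\Defender.exe", False),
    ProcEvent(101, 100, r"C:\Users\victim\AppData\Local\Temp\taskhost.exe", False),
    ProcEvent(102, 100, r"C:\Users\victim\AppData\Local\Temp\Defender_nt32_enu.exe", True),
    ProcEvent(200, 1, r"C:\Windows\System32\taskhost.exe", True),
]

if __name__ == "__main__":
    for finding in find_decoy_installer_pattern(SAMPLE_EVENTS):
        print(finding)
```

The legitimate `C:\Windows\System32\taskhost.exe` is deliberately included so the rule can be seen to ignore it; only the copy launched from a user-writable path next to a signed sibling is reported.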
Dharma ransomware encrypts files with the following extensions:
.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV .3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG .BZ2 .1CD
Cybercriminals have a long history of abusing legitimate tools, and this Dharma tactic of using an installer as a diversion or veneer of legitimacy is simply another technique they are experimenting with. This new variant is designed to trick users and let the ransomware operate stealthily in the background. As malware authors keep adopting layered evasion and malicious techniques, users likewise need to adopt stronger and smarter security solutions to protect their assets.
How to defend against ransomware
There has been growing awareness of ransomware, as well as improved solutions for organizations and users, which contributes to ransomware's continued decline. However, as the new Dharma samples show, many malicious actors are still trying to update old threats and use new techniques. Ransomware remains a costly and versatile threat; earlier this month a ransomware family was spotted targeting vulnerable Samba servers. That particular ransomware first emerged as a threat targeting victims' network-attached storage devices before it evolved to target other devices.
Users and organizations should prepare for Dharma and similar threats by adopting good cybersecurity hygiene. Some recommended practices include:
- Secure email gateways to thwart threats delivered via spam, and avoid opening suspicious emails.
- Regularly back up files.
- Keep systems and applications updated, or use virtual patching for legacy or unpatchable systems and software.
- Enforce the principle of least privilege: secure system administration tools that attackers could abuse; implement network segmentation and data categorization to minimize further exposure of mission-critical and sensitive data; and disable third-party or outdated components that could be used as entry points.
- Implement defense in depth: additional layers of security such as application control and behavior monitoring help thwart unwanted modifications to the system or execution of anomalous files.
- Encourage a culture of security in the work environment.
Indicators of Compromise
| File name | SHA256 | Detection |
| --- | --- | --- |
| Defender.exe | a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4 | Ransom.Win32.DHARMA.THDAAAI |
| Taskhost.exe | 703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe | Ransom.Win32.DHARMA.THDAAAI |
| Defender_nt32_enu.exe | 0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83 | Normal ESET AV remover |
| Packager.dll | 083b92a07beebbd9c7d089648b1949f78929410464578a36713033bbd3a8ecea | Normal |
| Panmap.dll | 9ada26a385e8b10f76b7c4f05d591b282bd42e7f429c7bbe7ef0bb0d6499d729 | Normal |
| Sspisrv.dll | f195983cdf8256f1d1425cc7683f9bf5c624928339ddb4e3da96fdae2657813d | Normal |
| Sstpsvc.dll | 39d3254383e3f49fd3e2dff8212f4b5744d8d5e0a6bb320516c5ee525ad211eb | Normal |
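The IoC table above and the extension list earlier on the page are both directly usable by a responder. The following added example (not code from the original report or from Trend Micro) turns them into a small offline checker: it hashes files under a directory and reports matches against the table, keeping the two Dharma payload hashes separate from the legitimate ESET components so a clean ESET install is not mistaken for an infection, and it parses the extension list as printed on the page (with its stray dots, commas and quotes) so the set can be used to estimate which files a backup would have to cover. The SHA-256 values are copied from the table; the extension excerpt and the sample file names are constructed for the example.

```python
"""IoC matcher built from the table on this page (added example)."""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# SHA-256 values copied from the IoC table: the payload hashes are malicious,
# the rest are the legitimate ESET components that ride along in the archive.
MALICIOUS_SHA256: Dict[str, str] = {
    "a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4": "Defender.exe (Ransom.Win32.DHARMA.THDAAAI)",
    "703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe": "taskhost.exe (Ransom.Win32.DHARMA.THDAAAI)",
}
BUNDLED_BENIGN_SHA256: Dict[str, str] = {
    "0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83": "Defender_nt32_enu.exe (ESET AV Remover)",
    "083b92a07beebbd9c7d089648b1949f78929410464578a36713033bbd3a8ecea": "Packager.dll",
    "9ada26a385e8b10f76b7c4f05d591b282bd42e7f429c7bbe7ef0bb0d6499d729": "Panmap.dll",
    "f195983cdf8256f1d1425cc7683f9bf5c624928339ddb4e3da96fdae2657813d": "Sspisrv.dll",
    "39d3254383e3f49fd3e2dff8212f4b5744d8d5e0a6bb320516c5ee525ad211eb": "Sstpsvc.dll",
}

# Constructed excerpt of the page's extension list, kept with the quirks of
# the original text (missing or doubled dots, commas, a trailing quote).
EXTENSION_LIST_EXCERPT = (
    ".PNG .PSD .DWG .DXF.GPX .KML .XHTML. DOC .DOCX .TAR.GZ .ZIP .VCD SDF .TAR "
    ".WMV 3D .3DM .JPG ..CRX .PLUGIN .SYS .CFG, .BZ2, .1CD\u201d"
)


def parse_extension_list(raw: str) -> Set[str]:
    """Normalise a whitespace/comma separated extension list to lower-case
    '.ext' tokens. Tokens containing several dots ('.TAR.GZ', the run-together
    '.DXF.GPX') are split on every dot so each part is matched on its own."""
    exts: Set[str] = set()
    for token in raw.replace(",", " ").split():
        token = token.strip('"\u201c\u201d')
        for part in token.split("."):
            if part:
                exts.add("." + part.lower())
    return exts


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_hash(digest: str) -> str:
    d = digest.lower()
    if d in MALICIOUS_SHA256:
        return "malicious"
    if d in BUNDLED_BENIGN_SHA256:
        return "bundled-benign"
    return "unknown"


def scan_tree(root: Path) -> List[Tuple[Path, str, str]]:
    """Hash every regular file under root and return IoC matches only.
    A 'bundled-benign' hit on its own is just an ESET component; a
    'malicious' hit is the Dharma payload whatever the file is called."""
    hits: List[Tuple[Path, str, str]] = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            verdict = classify_hash(digest)
            if verdict != "unknown":
                label = MALICIOUS_SHA256.get(digest) or BUNDLED_BENIGN_SHA256.get(digest, "")
                hits.append((p, verdict, label))
    return hits


def exposed_names(names: Iterable[str], targeted: Set[str]) -> List[str]:
    """File names whose extension is on the Dharma target list; useful for
    sizing what a backup or restore would have to cover."""
    return [n for n in names if Path(n).suffix.lower() in targeted]


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, verdict, label in scan_tree(root):
        print(f"{verdict:15} {label:45} {path}")
```

Run it as `python dharma_ioc.py <directory>`; only files whose hash appears in the table are printed. Hash matching is exact, so a recompiled or repacked payload will not match; the process-level behaviour described earlier is the more durable signal, and the hash check is best used to confirm a suspected sample.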