Genuine Anti-virus Tool Abused by Dharma Ransomware to Decept Victims And Flaw Their Computers.

Jun 04, 2019
Posted by
Cyber Security

Dharma ransomware coming in new way taking on the appearance as an ESET Antivirus Remover Installer, to trap the clients and to shroud its malicious activities.

Dharma ransomware was first found in 2016, and it uses the AES-256 encryption, the ransomware fundamentally targets storage devices.

Latest edition of Dharma ransomware distributed by spam emails, which asks the clients to tap on the links in the emails. If the client taps on the link, it popup the prompts for a password which provided in the Email.

When the client inputs their password, a self-extracting downloaded file which archive named Defender[.]exe, which thus drops taskhost[.]exe which is the malicious file, additionally the old version of the renamed ESET AV Remover Defender_nt32_enu[.]exe.

Figure 1. Dharma ransomware infection chain

Figure 2. Spam mail for Dharma ransomware

Figure 3. Running the self-extracting archive (Defender.exe)

As per TrendMicro examination, taskhost[.]exe is the record associated with the Dharma ransomware. “The ransomware utilizes this old ESET AV Remover installer, which seems unmodified dependent on initial scanning, to divert attention as it encrypts files on the victim’s device.”

Figure 4. Software installation distracts from the ransomware’s activities

Figure 5. Software installation runs on a different instance than malware

It begin it’s encryption procedure in the background once the ESET AV Remover installation starts. It uses ESET GUI onscreen to distract the client, and it forms the encryption in the backend.

The AV Remover is a working tool that experiences the natural installation routine if it is executed. Nonetheless, the ransomware will in any case encrypt documents regardless of whether the installation isn’t begun. The malware keeps running on a different installtion in comparison to the software installation, so their behavior isn’t connected.

The tool is genuine software bundled with the malware, so client interaction is important to completely install it. The ransomware will run even if the tool installation isn’t activated, and the tool can be installed regardless of whether the ransomware does not run. The installation procedure appears to be included just to fool clients into thinking no malicious movement is going on.

Figure 6. The ESET installer file also has a valid digital signature, so this also helps it stay under the radar.

Dharma Ransomware about to encrypt the Following file extension.


Cybercriminals have a past filled with mishandling authentic tools, and this ongoing Dharma strategy of using an installer as a diversion or screen of authenticity is basically another technique they are experimenting with. This new form is intended to trap clients and permit the ransomware to stealthily work in the background. As malware creators keep on receiving layered avoidance strategies and malicious techniques, clients likewise need to embrace more grounded and more brilliant security solutions to protect their assets.

Instructions to shield against ransomware

There has been a developing awareness about ransomware just as improved solutions for associations and clients, which adds to ransomware’s proceeding with decrease. In any case, as demonstrated by the new examples of Dharma, numerous malicious on-screen characters are as yet trying to update old threats and uses new techniques. Ransomware remains an expensive and versatile threat; prior this month a ransomware family was spotted focusing on vulnerable Samba servers. This particular ransomware first emerged as a threat targeting victim’s network-attached storage device before it evolved to target other devices.

Clients and associations ought to get ready for Dharma and comparative dangers by embracing great cybersecurity cleanliness. Some prescribed procedures to pursue include:

  • Secure email gateways to ruin dangers by means of spam and avoid opening suspicious emails.
  • Regularly back up files.
  • Keep frameworks and applications updated, or use virtual fixing for heritage or unpatchable frameworks and software.
  • Enforce the principle of least privilege: Secure system administrations tools that attackers could abuse; implement network segmentation and data categorization to minimize further exposure of mission-critical and sensitive data; and disable third-party or outdated components that could be used as entry points.
  • Implement defense in depth: Additional layers of security like application control and behavior monitoring helps thwart unwanted modifications to the system or execution of anomalous files.
  • Encourage a culture of security in the work environment.

Indicators of Compromise

File name SHA256 Detection
Defender.exe a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4 Ransom.Win32.DHARMA.THDAAAI
Taskhost.exe1 703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe Ransom.Win32.DHARMA.THDAAAI
Defender_nt32_enu.exe1 0d7e4d980ae644438ee17c1ea61ac076983ec3efb3cc9d3b588d2d92e52d7c83 Normal ESET AV remover  
Packager.dll 083b92a07beebbd9c7d089648b1949f78929410464578a36713033bbd3a8ecea Normal    
Panmap.dll 9ada26a385e8b10f76b7c4f05d591b282bd42e7f429c7bbe7ef0bb0d6499d729 Normal    
Sspisrv.dll f195983cdf8256f1d1425cc7683f9bf5c624928339ddb4e3da96fdae2657813d Normal    
Sstpsvc.dll 39d3254383e3f49fd3e2dff8212f4b5744d8d5e0a6bb320516c5ee525ad211eb Normal