Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims. A new Dharma ransomware strain is using ESET AV Remover installations as a “smoke screen” technique designed to distract victims while their files are encrypted in the background as detailed by Trend Micro.
The ransomware is pushed by the attackers on their targets’ computers using a spam campaign which delivers email attachments containing a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe and hosted on the hacked server of link[.]fivetier[.]com.

Dharma infection chain
The password for the malicious attachment is listed in the spam email, a technique designed to incentives curios victims to open the archive and inadvertently launch the Dharma-infected executable on their system.
Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Spam email disributing Dharma
The full contents of such a spam email are listed below:
Your Windows is temporarily at risk !
Our system has detected several unusual data from your Pc.
It's corrupted by the DISPLAY SYSTEM 37.2%.
All of your information is at risk , this can damage the system files, data,
applications, or even cause data leaks etc.
Please update and verify your antivirus down below :
Password: www.microsoft.com
Download
Once Defender.exe is executed, it will drop on the system an old ESET AV Remover installer named Defender_nt32_enu.exe, and a taskhost.exe Dharma binary added to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ which gets launched and starts encrypting the victim’s hard drives.
Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

The self-extracting archive and the extraction process
The ESET AV Remover installer will automatically be launched after the self-extracting archive is executed, attracting the victim’s attention while the Dharma ransomware encrypts the contents of the hard drive in the background.

ESET AV Remover installation screen – Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims
Tests conducted show that this ransomware campaign is installing a Dharma variant that appends the ETH extension to encrypted file names.

Dharma-encrypted files – Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims
It also uses the [email protected] email address as a way to contact the ransomware developer.

Dharma ransom note – Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims
As Trend Micro says in their analysis of this new Dharma behavior, “the ransomware will still encrypt files even if the installation is not started. The malware runs on a different instance than the software installation, so their behavior is not related.”
Additionally, “The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run. The installation process seems included just to trick users into thinking no malicious activity is going on.”
Given that the ESET AV Remover is legitimate software signed with a valid ESET digital signature on June 22, 2017, by bundling it together with their malware the attackers are trying to pull a “magic trick” designed to divert the victims focus, keeping them busy and their attention directed at something else while Dharma quickly renders the data on their hard drives unusable.
Following the report sent by Trend Micro before their analysis was published, ESET issued the following statement:
The article describes the well-known practice for malware to be bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used. However, any other application could be used this way. The main reason is to distract the user, this application is used as a decoy application. ESET threat detection engineers have seen several cases of ransomware packed in self-extract package together with some clean files or hack/keygen/crack recently. So this is nothing new.
In the specific case described by Trend Micro, the ransomware is executed right after our remover application, but the remover has a dialogue and waits for user interaction, so there is no chance to remove any AV solution before the ransomware is fully executed.
Trend Micro provides a list of indicators of compromise (IOCs) that can be used to detect and block attacks using this Dharma ransomware strain at the end of their report.
Related Videos:
Related Posts:
IBM: Cybercriminals are moving on from ransomware to cryptojacking(Opens in a new browser tab)
It’s Almost Impossible to Tell if Your iPhone Has Been Hacked(Opens in a new browser tab)
RobbinHood ransomware takes down Baltimore City government networks(Opens in a new browser tab)
Ransomware attack forces Baltimore government to go manual(Opens in a new browser tab)
The Ultimate Guide to Online Privacy – Critical Info for 2019(Opens in a new browser tab)
Google brings one-click install for Android Studio on Chrome OS(Opens in a new browser tab)
Jokeroo Ransomware as a Service Pulls an Exit Scam(Opens in a new browser tab)
$25 Raspberry Pi add-on gets you started with edge computing AI(Opens in a new browser tab)
Freedom Mobile hit by data breach,15,000 customers affected(Opens in a new browser tab)
How to make Windows 10 look and feel like Windows 7(Opens in a new browser tab)
Why JavaScript developers are choosing TypeScript(Opens in a new browser tab)