Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

You are here: Home » Blog » Tech News » Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims. A new Dharma ransomware strain is using ESET AV Remover installations as a “smoke screen” technique designed to distract victims while their files are encrypted in the background as detailed by Trend Micro.

The ransomware is pushed by the attackers on their targets’ computers using a spam campaign which delivers email attachments containing a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe and hosted on the hacked server of link[.]fivetier[.]com.

Dharma infection chain

Dharma infection chain

The password for the malicious attachment is listed in the spam email, a technique designed to incentives curios victims to open the archive and inadvertently launch the Dharma-infected executable on their system.

Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Spam email disributing Dharma

Spam email disributing Dharma

The full contents of such a spam email are listed below:

Your Windows is temporarily at risk ! 
Our system has detected several unusual data from your Pc. 
It's corrupted by the DISPLAY SYSTEM 37.2%.
All of your information is at risk , this can damage the system files, data,
applications, or even cause data leaks etc.
Please update and verify your antivirus down below :
Password: www.microsoft.com
Download

Once Defender.exe is executed, it will drop on the system an old ESET AV Remover installer named Defender_nt32_enu.exe, and a taskhost.exe Dharma binary added to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ which gets launched and starts encrypting the victim’s hard drives.

Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

The self-extracting archive and the extraction process

The self-extracting archive and the extraction process

The ESET AV Remover installer will automatically be launched after the self-extracting archive is executed, attracting the victim’s attention while the Dharma ransomware encrypts the contents of the hard drive in the background.

ESET AV Remover installation screen - Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

ESET AV Remover installation screen – Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Tests conducted show that this ransomware campaign is installing a Dharma variant that appends the ETH extension to encrypted file names.

Dharma-encrypted files - Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Dharma-encrypted files – Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

It also uses the [email protected] email address as a way to contact the ransomware developer.

Dharma ransom note - Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

Dharma ransom note – Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

As Trend Micro says in their analysis of this new Dharma behavior, “the ransomware will still encrypt files even if the installation is not started. The malware runs on a different instance than the software installation, so their behavior is not related.”

Additionally, “The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run. The installation process seems included just to trick users into thinking no malicious activity is going on.”

Given that the ESET AV Remover is legitimate software signed with a valid ESET digital signature on June 22, 2017, by bundling it together with their malware the attackers are trying to pull a “magic trick” designed to divert the victims focus, keeping them busy and their attention directed at something else while Dharma quickly renders the data on their hard drives unusable.

Following the report sent by Trend Micro before their analysis was published, ESET issued the following statement:

The article describes the well-known practice for malware to be bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used. However, any other application could be used this way. The main reason is to distract the user, this application is used as a decoy application. ESET threat detection engineers have seen several cases of ransomware packed in self-extract package together with some clean files or hack/keygen/crack recently. So this is nothing new.
In the specific case described by Trend Micro, the ransomware is executed right after our remover application, but the remover has a dialogue and waits for user interaction, so there is no chance to remove any AV solution before the ransomware is fully executed.

Trend Micro provides a list of indicators of compromise (IOCs) that can be used to detect and block attacks using this Dharma ransomware strain at the end of their report.


Related Videos:

Related Posts:

IBM: Cybercriminals are moving on from ransomware to cryptojacking(Opens in a new browser tab)

It’s Almost Impossible to Tell if Your iPhone Has Been Hacked(Opens in a new browser tab)

RobbinHood ransomware takes down Baltimore City government networks(Opens in a new browser tab)

Ransomware attack forces Baltimore government to go manual(Opens in a new browser tab)

The Ultimate Guide to Online Privacy – Critical Info for 2019(Opens in a new browser tab)

Microsoft’s PowerToys make a return in Windows 10, but this time it’s open source(Opens in a new browser tab)

Google brings one-click install for Android Studio on Chrome OS(Opens in a new browser tab)

Jokeroo Ransomware as a Service Pulls an Exit Scam(Opens in a new browser tab)

Researchers demonstrate new ways to hack your stupidly complex smart home(Opens in a new browser tab)

$25 Raspberry Pi add-on gets you started with edge computing AI(Opens in a new browser tab)

Freedom Mobile hit by data breach,15,000 customers affected(Opens in a new browser tab)

‘Space Invaders’ The Board Game Celebrates 40 Years Of The Arcade Classic(Opens in a new browser tab)

How to open and use the Terminal app on a Mac computer, with a few basic commands(Opens in a new browser tab)

Tesla’s software lead is so big it should worry other automakers, AI expert says(Opens in a new browser tab)

How to make Windows 10 look and feel like Windows 7(Opens in a new browser tab)

Why JavaScript developers are choosing TypeScript(Opens in a new browser tab)

By |2019-09-08T14:11:13-04:00September 8th, 2019|Categories: Tech News|Tags: , , , , |

About the Author:

I am a loving father, & husband. I am a computer enthusiast. I have used and enjoyed computers since I was young and I enjoy teaching young minds how to code, because it teaches them how to think. Today with YouTube, and social media garbage our youth are losing the ability to think on their own and solve problems. I believe this is a serious epidemic as kids today dont understand that technology is a tool. This tool is being abused, and its underlying effects are taking its toll on kids behaviour, and learning.