Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Turla LightNeuron Backdoor Targeting Microsoft Exchange Mail Servers Using Steganography
May 9, 2019Rewterz Threat Alert – New ELECTRICFISH Tool by HIDDEN COBRA
May 10, 2019
Severity
Medium
Analysis Summary
New Dharma ransomware strain uses the ESET AV Remover installations to distract victims while encrypting their files in the background. The attack initiates with a spam campaign delivering email attachments containing a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe which is hosted on the hacked server of link[.]fivetier[.]com.
The spam email contains the password for the malicious attachment, luring victims to open the archive and launch the Dharma executable on their system. Below is a preview of the email.
Once Defender.exe is executed, it drops an old ESET AV Remover installer named Defender_nt32_enu.exe on the system, and a taskhost.exe Dharma binary added to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ which gets launched and starts encrypting the victim’s hard drives. The ransomware appends the ETH extension to encrypted file names. Researchers found that the ransomware will still encrypt files even if the installation is not started, hence the two processes are unrelated. Following ransom note is found on victim machine after encryption of files, containing an email address to be contacted for a ransom payment and decryption of files.
Impact
Files Encryption
Indicators of Compromise
IP(s) / Hostname(s)
167[.]89[.]109[.]48
URLs
link[.]fivetier[.]com
Filename
- Defender.exe
- taskhost.exe1
Malware Hash (MD5/SHA1/SH256)
- a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
- 703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
Remediation
- Block the threat indicators at their respective controls.
- Avoid opening suspicious emails and do not download files attached in emails coming from untrusted sources.
- Regularly back up files.
- Keep systems and applications updated against vulnerabilities, or use virtual patching for legacy or unpatchable systems and software.
- Restrict user privileges to minimum.
- Implement network segmentation and data categorization to minimize further exposure of sensitive data.