Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
Medium
Analysis Summary
A new Dharma ransomware strain uses an ESET AV Remover installation to distract victims while it encrypts their files in the background. The attack begins with a spam campaign whose email attachments carry a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe, hosted on the compromised server link[.]fivetier[.]com.
The spam email contains the password for the malicious attachment, luring victims to open the archive and launch the Dharma executable on their system. Below is a preview of the email.
Once Defender.exe is executed, it drops an old ESET AV Remover installer named Defender_nt32_enu.exe on the system and places a Dharma binary named taskhost.exe in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, from where it is launched and starts encrypting the victim's hard drives. The ransomware appends the ETH extension to encrypted file names. Researchers found that the ransomware still encrypts files even if the ESET installer is never started, so the two processes are independent and the installer serves only as a decoy. The following ransom note is found on the victim machine after the files are encrypted; it contains an email address to be contacted for ransom payment and file decryption.
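The persistence location, the decoy installer name and the ETH extension described above are all host-level indicators a responder can check for without needing the sample itself. The following triage script is an added example, not part of the Rewterz advisory: it classifies a list of file paths (here a constructed sample; in practice the output of a directory walk or an EDR file inventory) against those indicators. The assumptions are that the genuine Windows taskhost.exe lives in C:\Windows\System32, and that the threshold of five ETH-suffixed files for calling encryption "active" is an arbitrary tuning value.

```python
"""Host triage for the Dharma/ETH indicators in the advisory (added example)."""
from pathlib import PureWindowsPath

# All-users Startup folder the advisory names as the persistence location.
STARTUP_DIR = PureWindowsPath(
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Assumption: the legitimate taskhost.exe is the one in System32.
LEGIT_TASKHOST_DIR = PureWindowsPath(r"C:\Windows\System32")
# Extension this strain appends to encrypted files.
ENCRYPTED_EXT = ".eth"
# Dropper and decoy-installer file names from the advisory.
DROPPER_NAMES = {"defender.exe", "defender_nt32_enu.exe"}


def classify(path_str):
    """Return the list of indicator tags for one path (empty means nothing notable)."""
    p = PureWindowsPath(path_str)        # case-insensitive comparisons, like NTFS
    name = p.name.lower()
    tags = []
    # Any executable dropped into the all-users Startup folder deserves a look;
    # a taskhost.exe there is the specific persistence mechanism described.
    if p.parent == STARTUP_DIR and name.endswith(".exe"):
        tags.append("startup_exe")
        if name == "taskhost.exe":
            tags.append("taskhost_outside_system32")
    elif name == "taskhost.exe" and p.parent != LEGIT_TASKHOST_DIR:
        tags.append("taskhost_outside_system32")
    if name in DROPPER_NAMES:
        tags.append("dropper_name")
    if p.suffix.lower() == ENCRYPTED_EXT:
        tags.append("encrypted_ext")
    return tags


def triage(paths, encrypted_threshold=5):
    """Group indicator hits and decide whether the host looks like a Dharma victim."""
    findings = {"persistence": [], "droppers": [], "encrypted": []}
    for path_str in paths:
        tags = classify(path_str)
        if "startup_exe" in tags or "taskhost_outside_system32" in tags:
            findings["persistence"].append(path_str)
        if "dropper_name" in tags:
            findings["droppers"].append(path_str)
        if "encrypted_ext" in tags:
            findings["encrypted"].append(path_str)
    # A Startup-folder binary alone is strong evidence; many ETH files alone means
    # encryption is already running even if persistence was cleaned up.
    findings["active_encryption"] = len(findings["encrypted"]) >= encrypted_threshold
    findings["likely_dharma"] = bool(findings["persistence"]) or findings["active_encryption"]
    return findings


# Constructed sample inventory of a hypothetical infected host (not real IoCs).
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\Defender.exe",
    r"C:\Users\alice\AppData\Local\Temp\Defender_nt32_enu.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe",
    r"C:\Windows\System32\taskhost.exe",
    r"C:\Users\alice\Documents\budget.xlsx.ETH",
    r"C:\Users\alice\Documents\notes.txt.ETH",
    r"C:\Users\alice\Pictures\holiday.jpg.ETH",
    r"C:\Users\alice\Documents\untouched.docx",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for key in ("persistence", "droppers", "encrypted"):
        print(f"{key}: {result[key]}")
    print("likely Dharma:", result["likely_dharma"])
```

The legitimate System32 copy of taskhost.exe is deliberately not flagged, so the check keys on the location rather than the name; a defender who has a file hash for the sample would add a hash comparison on top of this path logic.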
Impact
File Encryption
Indicators of Compromise
IP(s) / Hostname(s)
167[.]89[.]109[.]48
URLs
link[.]fivetier[.]com
Filename
Malware Hash (MD5/SHA1/SHA256)
Remediation