November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – Turla LightNeuron Backdoor Targeting Microsoft Exchange Mail Servers Using Steganography
May 9, 2019Rewterz Threat Alert – New ELECTRICFISH Tool by HIDDEN COBRA
May 10, 2019Rewterz Threat Alert – Turla LightNeuron Backdoor Targeting Microsoft Exchange Mail Servers Using Steganography
May 9, 2019Rewterz Threat Alert – New ELECTRICFISH Tool by HIDDEN COBRA
May 10, 2019
Severity
Medium
Analysis Summary
New Dharma ransomware strain uses the ESET AV Remover installations to distract victims while encrypting their files in the background. The attack initiates with a spam campaign delivering email attachments containing a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe which is hosted on the hacked server of link[.]fivetier[.]com.
The spam email contains the password for the malicious attachment, luring victims to open the archive and launch the Dharma executable on their system. Below is a preview of the email.
Once Defender.exe is executed, it drops an old ESET AV Remover installer named Defender_nt32_enu.exe on the system, and a taskhost.exe Dharma binary added to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ which gets launched and starts encrypting the victim’s hard drives. The ransomware appends the ETH extension to encrypted file names. Researchers found that the ransomware will still encrypt files even if the installation is not started, hence the two processes are unrelated. Following ransom note is found on victim machine after encryption of files, containing an email address to be contacted for a ransom payment and decryption of files.
Impact
Files Encryption
Indicators of Compromise
IP(s) / Hostname(s)
167[.]89[.]109[.]48
URLs
link[.]fivetier[.]com
Filename
- Defender.exe
- taskhost.exe1
Malware Hash (MD5/SHA1/SH256)
- a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
- 703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
Remediation
- Block the threat indicators at their respective controls.
- Avoid opening suspicious emails and do not download files attached in emails coming from untrusted sources.
- Regularly back up files.
- Keep systems and applications updated against vulnerabilities, or use virtual patching for legacy or unpatchable systems and software.
- Restrict user privileges to minimum.
- Implement network segmentation and data categorization to minimize further exposure of sensitive data.