
Rewterz Threat Alert – Dharma Ransomware Uses Legit Antivirus Tool to Distract Victims During Encryption

May 9, 2019

Severity

Medium

Analysis Summary


A new Dharma ransomware strain uses an ESET AV Remover installation to distract victims while it encrypts their files in the background. The attack begins with a spam campaign delivering email attachments that contain a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe, hosted on the compromised server link[.]fivetier[.]com.


The spam email contains the password for the malicious attachment, luring victims to open the archive and launch the Dharma executable on their system. Below is a preview of the email.

[Image: preview of the spam email]

Once Defender.exe is executed, it drops an old ESET AV Remover installer named Defender_nt32_enu.exe on the system and a Dharma binary named taskhost.exe into C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\; the latter is launched and starts encrypting the victim’s hard drives. The ransomware appends the ETH extension to encrypted file names. Researchers found that the ransomware still encrypts files even if the AV Remover installation is never started, so the two processes are independent and the installer serves only as a decoy. The following ransom note is left on the victim machine after encryption; it contains an email address to contact for ransom payment and file decryption.

[Image: Dharma ransom note]

Impact

File Encryption

Indicators of Compromise

IP(s) / Hostname(s)

167[.]89[.]109[.]48

URLs

link[.]fivetier[.]com

Filename

  • Defender.exe
  • taskhost.exe

Malware Hash (MD5/SHA1/SHA256)

  • a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4
  • 703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe
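The indicators above translate directly into a host-level hunt: a hash match against the two published SHA-256 values, an executable dropped into a Windows Startup folder (the persistence location named in the analysis), and a burst of files carrying the ETH extension that the ransomware appends after encryption. The script below is an added example written for this advisory, not Rewterz tooling. It walks a directory tree and reports all three conditions; the sample tree it builds under a temporary directory, the file contents, and the burst threshold of five ETH files are constructed for the demonstration.

```python
"""Hunt a directory tree for the Dharma indicators listed in the advisory.

Added example (not Rewterz code). The sample tree, its file contents and
ETH_BURST_THRESHOLD are constructed/assumed values for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values published in the advisory's IoC list.
IOC_SHA256 = {
    "a5de5b0e2a1da6e958955c189db72467ec0f8daaa9f9f5ccc44e71c6c5d8add4",
    "703b57adaf02eef74097e5de9d0bbd06fc2c29ea7f92c90d54a0b9a01172babe",
}
# File names from the advisory, compared case-insensitively.
IOC_FILENAMES = {"defender.exe", "taskhost.exe"}
ENCRYPTED_EXT = ".eth"          # extension appended to encrypted files
ETH_BURST_THRESHOLD = 5         # assumed tuning value, not from the advisory


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_startup_folder(rel: Path) -> bool:
    """True if the relative path runs through a Windows Startup folder
    (...\\Start Menu\\Programs\\Startup\\...), matched case-insensitively."""
    parts = [p.lower() for p in rel.parts]
    return {"start menu", "programs", "startup"} <= set(parts)


def hunt(root: Path, ioc_hashes=None) -> dict:
    """Walk `root` and collect hash, name, Startup-folder and ETH-burst hits.
    `ioc_hashes` defaults to the advisory hashes; the test passes its own."""
    hashes = IOC_SHA256 if ioc_hashes is None else ioc_hashes
    findings = {"hash_match": [], "name_match": [], "startup_exe": [],
                "eth_files": 0, "eth_burst": False}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root)
            low = name.lower()
            if low.endswith(ENCRYPTED_EXT):
                findings["eth_files"] += 1
                continue
            if sha256_of(p) in hashes:
                findings["hash_match"].append(rel.as_posix())
            if low in IOC_FILENAMES:
                findings["name_match"].append(rel.as_posix())
            if low.endswith(".exe") and is_startup_folder(rel):
                findings["startup_exe"].append(rel.as_posix())
    findings["eth_burst"] = findings["eth_files"] >= ETH_BURST_THRESHOLD
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: a Startup-folder dropper plus six ETH files."""
    root = Path(tempfile.mkdtemp(prefix="dharma_demo_"))
    startup = root / "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (startup / "taskhost.exe").write_bytes(b"MZ constructed sample, not malware")
    docs = root / "Users/alice/Documents"
    docs.mkdir(parents=True)
    for i in range(6):
        (docs / f"report{i}.docx.ETH").write_bytes(b"constructed ciphertext")
    (docs / "notes.txt").write_text("benign file")
    return root


if __name__ == "__main__":
    for key, value in hunt(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run against a real mounted volume by passing its root to `hunt()`; the hash check is the most reliable signal but only catches the exact samples, while the Startup-folder and ETH-burst checks catch the behaviour the advisory describes even when the binary is repacked.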

Remediation

  • Block the threat indicators at their respective controls.
  • Avoid opening suspicious emails and do not download files attached in emails coming from untrusted sources.
  • Regularly back up files.
  • Keep systems and applications updated against vulnerabilities, or use virtual patching for legacy or unpatchable systems and software.
  • Restrict user privileges to the minimum required.
  • Implement network segmentation and data categorization to minimize further exposure of sensitive data.