A new Dharma ransomware strain uses an ESET AV Remover installation to distract victims while encrypting their files in the background. The attack starts with a spam campaign whose email attachments contain a Dharma dropper binary, packed as a password-protected self-extracting archive named Defender.exe and hosted on the compromised server link[.]fivetier[.]com.
The spam email contains the password for the malicious attachment, luring victims to open the archive and launch the Dharma executable on their system. Below is a preview of the email.
Once Defender.exe is executed, it drops an old ESET AV Remover installer named Defender_nt32_enu.exe on the system, and a Dharma binary named taskhost.exe into C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, which is launched and starts encrypting the victim’s hard drives. The ransomware appends the ETH extension to encrypted file names. Researchers found that the ransomware still encrypts files even if the installer is never started, so the two processes are independent of each other. After encryption, the following ransom note is found on the victim machine, containing an email address to be contacted for ransom payment and decryption of the files.
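Two of the behaviours described above are easy to turn into host-level detection logic: an executable written into the all-users Startup folder (the taskhost.exe persistence path) and a burst of files renamed to the .ETH extension. The script below is an added example, not from the original advisory; the event record format, the sample events and the burst threshold are assumptions.

```python
"""Added example: flag the Dharma persistence and encryption behaviours
described above in constructed file-activity records (not real telemetry)."""
from collections import Counter
import ntpath

STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
RANSOM_EXT = ".eth"       # the ETH extension appended to encrypted files
BURST_THRESHOLD = 5       # assumed: this many .ETH renames by one process is suspicious

# Constructed sample events as (process, action, path); record format is an assumption.
SAMPLE_EVENTS = [
    ("Defender.exe", "create", STARTUP_DIR + r"\taskhost.exe"),
    ("Defender.exe", "create", r"C:\Users\alice\AppData\Local\Temp\Defender_nt32_enu.exe"),
    ("explorer.exe", "rename", r"C:\Users\alice\Documents\notes.txt"),
    ("taskhost.exe", "rename", r"C:\Users\alice\Documents\report.docx.ETH"),
    ("taskhost.exe", "rename", r"C:\Users\alice\Documents\budget.xlsx.ETH"),
    ("taskhost.exe", "rename", r"C:\Users\alice\Pictures\holiday.jpg.ETH"),
    ("taskhost.exe", "rename", r"C:\Users\alice\Desktop\contract.pdf.ETH"),
    ("taskhost.exe", "rename", r"D:\backup\db.bak.ETH"),
    ("taskhost.exe", "rename", r"D:\backup\notes.txt.ETH"),
]

EXEC_EXTS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js")


def startup_executables(events):
    """Return (process, path) pairs for executables created in the Startup folder."""
    hits = []
    for proc, action, path in events:
        head, name = ntpath.split(path)
        if (action == "create"
                and ntpath.normcase(head) == ntpath.normcase(STARTUP_DIR)
                and name.lower().endswith(EXEC_EXTS)):
            hits.append((proc, path))
    return hits


def eth_rename_bursts(events, threshold=BURST_THRESHOLD):
    """Return {process: count} for processes renaming >= threshold files to .ETH."""
    counts = Counter(proc for proc, action, path in events
                     if action == "rename"
                     and ntpath.splitext(path)[1].lower() == RANSOM_EXT)
    return {proc: n for proc, n in counts.items() if n >= threshold}


def analyse(events):
    """Combine both signals into one report dictionary."""
    return {"startup_drops": startup_executables(events),
            "eth_bursts": eth_rename_bursts(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```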
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)