Dharma ransomware actors abuse AV tool to infect computers

Dharma ransomware

Image: trendmicro

Dharma ransomware was first discovered in 2016, using AES algorithm which emerged as a threat targeting victim’s network-attached storage device before it evolved to target other devices. The new version of Dharma ransomware is spread by spam, and once the user clicks on the link in the email, the user is prompted to enter the password. Once the user enters the password, it starts downloading a self-extracting file named Defender[.]exe and downloads the malicious file taskhost[.]exe.

According to TrendMicro’s analysis, taskhost[.]exe is a file that is linked to Dharma ransomware. Before encrypting files, ransomware uses the old version of the ESET AV Remover installer to trick users.

Image: trendmicro

“The ransomware uses this old ESET AV Remover installer, which appears unmodified based on initial scanning, to divert attention as it encrypts files on the victim’s device. When the self-extracting archive runs, Dharma starts encrypting files in the background and the ESET AV Remover installation begins. The user will see the ESET GUI onscreen, a distraction from Dharma’s malicious activities.”

Once ESET AV Remover starts the installation, it starts the encryption process in the background, but the ransomware runs independently of AV Remover.

The new Dharma ransomware shows that attackers upgraded old threats and used new technologies. Trend Micro issues some recommendations to the user for avoiding malware.

Source: trendmicro