Dharma ransomware actors abuse AV tool to infect computers

Dharma ransomware was first discovered in 2016. It uses the AES algorithm and emerged as a threat targeting victims' network-attached storage devices before evolving to target other devices. The new version of Dharma ransomware spreads by spam: once the user clicks the link in the email, they are prompted to enter a password. After the password is entered, a self-extracting file named Defender[.]exe is downloaded, which in turn downloads the malicious file taskhost[.]exe.

According to Trend Micro's analysis, taskhost[.]exe is the file linked to Dharma ransomware. Before encrypting files, the ransomware uses an old version of the ESET AV Remover installer to trick users.

Image: trendmicro

“The ransomware uses this old ESET AV Remover installer, which appears unmodified based on initial scanning, to divert attention as it encrypts files on the victim’s device. When the self-extracting archive runs, Dharma starts encrypting files in the background and the ESET AV Remover installation begins. The user will see the ESET GUI onscreen, a distraction from Dharma’s malicious activities.”

Once the ESET AV Remover installation starts, the encryption process is already running in the background; the ransomware runs independently of AV Remover rather than through it, so the installer is only a visual distraction.
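The behaviour described above (a self-extracting archive launching a legitimate installer as a decoy while a payload named after a Windows system binary runs from a temp folder) is the kind of pattern a process-creation telemetry rule can catch. The following Python heuristic is an added example and not code from Trend Micro, ESET, or the article: it flags a child process whose file name matches a system binary (taskhost.exe here) but runs outside the Windows system directories, and reports its parent and any sibling that looks like an AV-remover installer. The sample events, pids, paths, and the assumed on-disk name of the ESET AV Remover installer are constructed for illustration.

```python
"""Decoy-installer detection heuristic, added as an illustration (not Trend Micro's
or ESET's code). It scans constructed process-creation events for a child whose
file name mimics a Windows system binary (taskhost.exe in the article) but runs
from outside the Windows system directories, and reports its parent and sibling
processes so an analyst can see the decoy installer launched alongside it.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the launched executable


# taskhost.exe is the name the article's sample mimics; the others are common look-alikes.
SYSTEM_BINARY_NAMES = {"taskhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
# Legitimate homes for those binaries; a match on name from anywhere else is suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed naming of the ESET AV Remover installer on disk; adjust to real telemetry.
DECOY_PATTERN = re.compile(r"av[ _-]?remover", re.IGNORECASE)


def basename(path: str) -> str:
    """File name component of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_masquerading(ev: ProcEvent) -> bool:
    """True if the image name is a system binary but the path is not a system directory."""
    lowered = ev.image.lower()
    return basename(lowered) in SYSTEM_BINARY_NAMES and not lowered.startswith(SYSTEM_DIRS)


def find_decoy_launches(events):
    """Return one finding per masquerading process: its path, its parent's path, and
    the paths of sibling processes that look like an AV-remover installer (the decoy)."""
    by_pid = {ev.pid: ev for ev in events}
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)

    findings = []
    for ev in events:
        if not is_masquerading(ev):
            continue
        siblings = [s for s in children.get(ev.ppid, []) if s.pid != ev.pid]
        decoys = [s.image for s in siblings if DECOY_PATTERN.search(basename(s.image))]
        parent = by_pid.get(ev.ppid)
        findings.append({
            "suspect": ev.image,
            "parent": parent.image if parent else None,
            "decoy_siblings": decoys,
        })
    return findings


# Constructed sample events (not real telemetry); pids and paths are made up.
SAMPLE_EVENTS = [
    ProcEvent(400, 300, r"C:\Windows\explorer.exe"),
    ProcEvent(512, 400, r"C:\Users\user\AppData\Local\Temp\Defender.exe"),           # self-extracting archive
    ProcEvent(520, 512, r"C:\Users\user\AppData\Local\Temp\ESET AV Remover.exe"),    # decoy installer (assumed name)
    ProcEvent(524, 512, r"C:\Users\user\AppData\Local\Temp\taskhost.exe"),           # payload named after a system binary
    ProcEvent(600, 400, r"C:\Windows\System32\taskhost.exe"),                        # legitimate, must not be flagged
]


if __name__ == "__main__":
    for finding in find_decoy_launches(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the path mismatch rather than on the decoy name, because the installer name is the part an attacker can change most easily; the sibling list is context for the analyst, not the trigger. Run against real endpoint telemetry, the same logic maps onto Sysmon Event ID 1 fields (Image, ParentProcessId), with the system-directory list extended to whatever paths the environment treats as trusted.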

The new Dharma ransomware shows that attackers are upgrading old threats with new techniques. Trend Micro issues some recommendations to users for avoiding this malware.

Source: trendmicro