Dharma Ransomware Abuses Trust, Poses as Antivirus Software
The Dharma ransomware has evolved a new tactic of abusing trust by posing as antivirus software to claim its victims.
Dharma, which had first emerged in 2016, has been behind many high-profile cyberattacks in recent times. Late last year this ransomware infected a hospital in Texas and encrypted many records stored in their network. (The hospital, however, recovered all records without paying the ransom).
Now, researchers at Trend Micro have found that new samples of this ransomware exhibit a new technique. A Trend Micro blog post says, “Trend Micro recently found new samples of Dharma ransomware using a new technique: using software installation as a distraction to help hide malicious activities.”
Like most other ransomware campaigns, Dharma attacks too start off as phishing scams, luring victims into downloading malicious files. Messages that claim to be from Microsoft and alerting users that their PCs are at risk and are corrupted following “unusual behavior” would urge them to update and verify their antivirus by accessing a download link. Things take off further from this point onwards.
Trend Micro security researcher Raphael Centeno explains, “The downloaded file is a self-extracting archive named Defender.exe, which drops the malicious file taskhost.exe as well as the installer of an old version of ESET AV Remover renamed as Defender_nt32_enu.exe. Trend Micro identifies taskhost.exe as a file connected to the Dharma ransomware (detected as RANSOM.WIN32.DHARMA.THDAAAI)”
“The ransomware uses this old ESET AV Remover installer, which appears unmodified based on initial scanning, to divert attention as it encrypts files on the victim’s device. When the self-extracting archive runs, Dharma starts encrypting files in the background and the ESET AV Remover installation begins. The user will see the ESET GUI onscreen, a distraction from Dharma’s malicious activities, ” the Trend Micro expert further writes.
Thus, while the user is distracted and busy interacting with the ESET AV remover interface displayed on the desktop and perhaps going on with the installation, the Dharma ransomware does its job. It goes on encrypting files in the system. This happens even if the user doesn’t go for installing the software.
The Trend Micro blog post says, “The AV Remover is a working tool that goes through the familiar installation routine if it is executed. However, the ransomware will still encrypt files even if the installation is not started. The malware runs on a different instance than the software installation, so their behavior is not related.”
It further explains, “The tool is legitimate software bundled with the malware, so user interaction is necessary to fully install it. The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run. The installation process seems included just to trick users into thinking no malicious activity is going on.”
Upon completion of the installation, the user would get the ransom note demanding cryptocurrency payment for unlocking the encrypted files.
Trend Micro had intimated ESET about the issue, and ESET acknowledged by saying that the Trend Micro article described a well-known practice for malware to be bundled with legitimate application(s) and that in this specific case, an official and unmodified ESET AV Remover has been used. ESET points out that any other application could be used in a similar way to distract the user and since ESET researchers have come across several such cases, it’s nothing new. The statement further says, “In the specific case described by Trend Micro, the ransomware is executed right after our remover application, but the remover has a dialogue and waits for user interaction, so there is
no chance to remove any AV solution before the ransomware is fully executed.”
Trend Micro researchers also suggest prevention methods like securing email gateways, regularly backing up files, updating systems and applications, enforcing the principle of least privilege, implementing in-depth defense measures etc.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.