Friday, June 21, 2024

Dangerous Dharma Ransomware Attack Emerged Again in Wide with New Variant & Extension

Re-emerging Dharma Ransomware distributed with new variant that developed to attack various organisation and individual systems and encrypting the victim files to demand the ransom amount.

It added various futures and tactics to infiltrate the victims computer when compare old version of Dharma Ransomware.

Unlike old version, it using various infections vectors such as Spam and phishing emails, Exploit Kits, SMB vulnerabilities and dropped by other malware.

Old variant of Dharma Ransomware appends the .dharma extension but newly emerged variant change the files using .arrow extension after completing the encryption.

There are two main types infection vectors which mainly used by the Dharma Ransomware.

  • RDP Brute Force Attack
  • Other Suspicious means

Attackers targeting RDP Protocol that running on the port 3389 and  brute force attack to gain the administrative credentials and later the obtain to perform various malicious activities with in the system.

Other suspicious activities comes under the chain of attacks that perform various modification in system registry once it get executed and autorun PowerShell script entries in the registry that leads to drop the and execute multiple malicious components.

Also Read:  New Ransomware Called “BlackRouter” Attack launched through Well-known Legitimate Remote Desktop Tool

Dharma Ransomware Infection Process

Once the Ransomware variant executed into the system, it deploy the component and generate a registry entries.

A main component called inf.exe which mimics as genuine Microsoft Corporations dllhost file that will enable the Remote Desktop Protocol (RDP) on the victim’s machine.

Later it create a new used once it enabled the RDP from hard-coded username list and and randomly generates a password for it.

According to Quick Heal Security Labs, Once the variant collect the information then it establish the connection into command & control server and share the username and password that created for new account including the vulnerable system that founded within the infected system network.

Later it receive the main Payload called rc.exe which is , Dharma ransomware and it start the encryption process with in the infected victims.

It will encrypt various file extensions such as image, videos, audio, video and other sensitive file and appends the extension ‘.arrow’ to the files it encrypts.

Finally a ransom note files will be dropped in .hta format which contains the clear information about the infection and payment details.

Infected victims are requested to contact the specific Email address ([email protected]) to get the decryption key to unlock the files.

Cyber criminals demand the payment via bitcoin and they forced victims to contact them with in 24 hour to reduce the ransom payment.

Dharma Ransomware about to encrypt the Following file extension .

.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF.GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG, .BZ2, .1CD”

Website

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles