An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs

Credit to Author: Bajrang Mane| Date: Wed, 02 May 2018 10:27:50 +0000

On April 25, 2018, Quick Heal Security Labs issued an advisory on a new ransomware outbreak. We are observing a sudden spike of Dharma ransomware. Even though Dharma ransomware is old, we observed a new variant which encrypts files and appends the “.arrow” extension to them. Previously, the encrypted files had the “.dharma” extension.

Infection Vector

As specified in the advisory, along with the RDP brute force attack, we suspect that any one of the below infection vectors can be used to spread the ransomware:

- Spam and phishing emails
- Exploit kits
- SMB vulnerabilities (EternalBlue, etc.)
- Drive-by downloads
- Dropped by other malware

So, broadly, we categorize these infection vectors into two categories:

Vector 1 – RDP Brute Force Attack
Vector 2 – Other suspicious means

Let’s take a look at these infection vectors in detail.

Vector 1 – RDP Brute Force Attack

In this vector, the Remote Desktop Protocol (RDP) service running on port 3389 is targeted with a typical brute force attack. As a result of the brute force, the attacker gets hold of the victim’s administrative user credentials. Once the credentials are obtained, the attacker can carry out any type of attack; in this case, ransomware is used to infect the system. We also observed that, before executing the ransomware payload, the attacker uninstalls the security software installed on the system.

We strongly advise our users to protect themselves by applying the below-mentioned firewall policies in the Quick Heal/Seqrite firewall feature:

- Deny access from public IPs to important ports (in this case RDP port 3389)
- Allow access only to IPs which are under your control

Along with blocking the RDP port, we also suggest blocking SMB port 445. In general, it’s advised to block unused ports. Get more such safety measures here.
Vector 2 – Other suspicious means

Here the source of infection is unknown, but when we started analyzing the attack chain, it led us to an interesting set of entries in the victim’s registry. These were autorun PowerShell script entries in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services, which drop and execute multiple malicious components. Below are the different components observed:

- Inf.exe – Enables RDP and runs the sticky keys exploit.
- i.exe – Gets the list of IP addresses from the ARP cache and sends it to the CnC server.
- ipcheck.exe – Also builds a list of IP addresses and passes it on to ‘sc.exe’.
- sc.exe – The WannaCry scanner tool, which runs against the list of IP addresses passed by ‘ipcheck.exe’. This gives a list of vulnerable machines, which is sent to the CnC server by ‘ipcheck.exe’.
- rc.exe – The main payload, i.e. the Dharma ransomware.

Malicious registry entries

Below were the malicious registry entries found.

Fig 1. PowerShell autorun registry entries

inf.exe

The ‘inf.exe’ component is mainly used to enable the Remote Desktop Protocol (RDP) on the victim’s machine. It masquerades as the genuine Microsoft Corporation dllhost file. More details are shown in the figure below.

Fig 2. Fake version information of ‘inf.exe’ and ‘dllhost.exe’

Once executed, it drops a copy of itself at ‘%system32%\DllHost\dllhost.exe’ and registers itself as a service for autorun on the next boot with the name “COM Surrogate”, as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM Surrogate]
“ImagePath”=C:\Windows\system32\DllHost\DllHost s
“DisplayName”=”COM Surrogate”

The malware executes the following steps to enable RDP.

Adds/modifies registry keys:

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0
HKLM\System\CurrentControlSet\Control\Terminal Server\AllowTSConnections = 0

Executes commands:

Fig 3. Enable Remote Desktop

Once RDP has been enabled, it creates a new user from a hardcoded username list and randomly generates a password for it.
Further, it gives administrative privileges to the newly created user account and enables this account for remote sessions. Figure 4 shows the commands used to perform the above-mentioned activities.

Fig 4. Create a new user on the victim’s machine

Here is the hardcoded list of usernames:

Fig 5. Hard-coded list of usernames

It connects to a CnC server and sends the victim’s data.

Fig 6. Sends user data to the CnC server

The POST parameters sent to the CnC are as follows:

- bits: Processor 32/64 bit
- cpun: CPU details
- osv: OS version
- username: Username of the created account
- userpass: Password of the created account

The server looks like the server of an infobot hosted at ‘hxxp://92.63.197.52/tundr/info2.php’.

i.exe / ipcheck.exe and sc.exe

Both components scan for a vulnerability…
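The following PowerShell hunt is an added example, not part of the Quick Heal write-up or its tooling. It checks a host for the Vector 2 artifacts described above: services whose ImagePath launches PowerShell, the fake “COM Surrogate” service installed from a DllHost\ subfolder, the fDenyTSConnections change, and the local Administrators membership that the newly created account would appear in. The regular expressions are assumptions derived from the paths quoted above; the script is read-only and expects an elevated session.

```powershell
# Hunt for the Dharma (.arrow) persistence and RDP artifacts described above.
# Added example, not Quick Heal tooling. Read-only; run in an elevated PowerShell.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($indicator, $key, $value) {
    $findings.Add([pscustomobject]@{ Indicator = $indicator; Key = $key; Value = $value })
}

# 1) Autorun entries under ...\Services whose ImagePath launches PowerShell, and
# 2) the fake "COM Surrogate" service. Genuine dllhost.exe lives directly in
#    %SystemRoot%\System32; the DllHost\ subfolder is the path quoted in the write-up.
#    The patterns below are assumptions based on those quoted paths.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath
    if ($image -match 'powershell(\.exe)?') {
        Add-Finding 'Service ImagePath launches PowerShell' $_.PSChildName $image
    }
    if ($_.PSChildName -eq 'COM Surrogate' -or $image -match '\\DllHost\\DllHost') {
        Add-Finding 'Fake COM Surrogate service' $_.PSChildName $image
    }
}

# 3) RDP switched on. fDenyTSConnections = 0 is also the normal state on hosts where
#    an admin enabled RDP deliberately, so treat it as corroboration, not proof.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($null -ne $ts -and $ts.fDenyTSConnections -eq 0) {
    Add-Finding 'RDP enabled (fDenyTSConnections = 0)' 'Terminal Server' $ts.fDenyTSConnections
}

# 4) Local Administrators: the malware adds a new account and grants it admin rights.
#    Review any member you did not create against your asset baseline.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { Add-Finding 'Local Administrators member (review)' $_.Name $_.PrincipalSource }

if ($findings.Count -eq 0) { 'No Dharma indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A PowerShell service entry or a DllHost\DllHost ImagePath is a strong signal on its own; the RDP flag and the administrator listing are context to confirm the timeline against your own change records.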