• News
  • Security
  • Products
  • About Seqrite
Seqrite Blog Blog
  • News
  • Security
  • Products
  • About Seqrite
Home  /  Malware • Ransomware • Security  /  An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs
Ransomware
02 May 2018

An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs

Written by Bajrang Mane
Bajrang Mane
Malware, Ransomware, Security
Estimated reading time: 7 minutes

On April 25, 2018, Quick Heal Security Labs issued an advisory on a new ransomware outbreak. We are observing a sudden spike of Dharma Ransomware. Even though Dharma ransomware is old, we observed its new variant which is encrypting files and appending the “.arrow” extension to it. Previously the encrypted files were having the “.dharma” extension.

Infection Vector

As specified in the advisory, along with the RDP brute force attack, we suspect that any one of the below infection vectors can be used to spread the ransomware.

Infection Vector

As specified in advisory, along with RDP brute force attack, we suspect any one of the below infection vectors can be used to spread the ransomware.

  1. Spam and phishing emails
  2. Exploit Kits
  3. SMB vulnerabilities like (EternalBlue, etc.)
  4. Drive-by-downloads
  5. Dropped by other malware

So, largely we will categorize these infection vectors into two categories.

  • Vector 1 – RDP Brute Force Attack
  • Vector 2 – Other Suspicious means

Let’s take a look at these infection vectors in detail.

Vector 1 – RDP Brute Force Attack

In this vector, the Remote Desktop Protocol (RDP) running on port 3389, is targeted with a typical brute force attack. As a result of the brute force, the attacker gets hold of victim’s administrative user credentials. Once credentials are obtained he gets the ability to carry out any type of attack. In this case, ransomware is used to infect the system. Also, it’s observed, before executing the ransomware payload it uninstalls the security software installed on the system.

We strongly advise our users to protect themselves by applying the below-mentioned firewall policies in Quick Heal/Seqrite firewall feature.

  • Deny access to Public IPs to important ports (in this case RDP port 3389)
  • Allow access to only IPs which are under your control
  • Along with blocking RDP port, we also suggest blocking SMB port 445. In general, it’s advised to block unused ports.

Get more such safety measures here.

Vector 2 – Other suspicious means

Here the source of infection is unknown but when we started analyzing the attack chain, it landed us on an interesting set of entries in victim’s registry. These were autorun PowerShell script entries in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services. Which drops and execute multiple malicious components. Below are the different components observed.

  • Inf.exe – It enables RDP and runs sticky key exploit.
  • i.exe – Gets the list of IP addressed from APR cache and sends to CnC server.
  • ipcheck.exe – It also finds out the list of IP address and passes on to ‘sc.exe’.
  • sc.exe – This is WannaCry scanner tool which runs on the list of IP address passed by ‘ipcheck.exe’. This gives a list of vulnerable machines, this list is sent to CnC server by ‘ipcheck.exe’.
  • rc.exe – This is main payload i.e Dharma ransomware

Malicious registry entries

Below were the malicious registry entries found.

Fig 1. Powershell autorun registry entries

inf.exe

The ‘inf.exe’ component is mainly used to enable the Remote Desktop Protocol (RDP) on the victim’s machine.

It pretends itself as genuine Microsoft Corporations dllhost file. More details are as shown in the figure below.

Fig 2. Fake version information of ‘inf.exe’ and ‘dllhost.exe’

Once executed it drops self-copy at ‘%system32%\DllHost\dllhost.exe’

It registers itself as a service for autorun on the next boot with name “COM Surrogate” as follows

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM Surrogate]

“ImagePath”=C:\Windows\system32\DllHost\DllHost s

“DisplayName”=”COM Surrogate”

Malware executes following steps to Enable RDP.

Adds/Modify Registry Keys:

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0

HKLM\System\CurrentControlSet\Control\Terminal Server\AllowTSConnections = 0

Executes Commands:

Fig 3. Enable Remote desktop

Once RDP has enabled it creates a new user from one of the hardcoded username list and randomly generates a password for it. Further, it gives administrative privileges to the newly created user account and enables this account for the remote session. Figure 4 shows the commands used to perform above-mentioned activities.

Fig 4. Create a new user on the victim’s machine

Here is a hardcoded list of usernames:

Fig 5. Hard-coded list of usernames

It connects to a CnC server and sends victim’s data.

Fig 6. Sends users data to the CnC server

The POST parameters sent to CnC are as follows:

bits: Processor 32/64 bit
cpun: CPU details
osv: OS Version
username: Username of created account
userpass: Password of created account.

The server looks like a server of an infobot hosted at ‘hxxp://92.63.197.52/tundr/info2.php’.

i.exe / ipcheck.exe and sc.exe

Both components scan for a vulnerability in the systems present in the network and send the information to the server mentioned above.

i.exe / ipcheck.exe check for IPs present in ARP cache with the following command:

Fig 7. Command to check IPs present in ARP cache

Output:

Fig 8. Output: IPs present in ARP cache

It creates a pipe to save the above data. It reads the output and extract the IPs from it and give it as input to the sc.exe.

‘sc.exe’ is a vulnerability scanner, it scans the IP given as input for WannaCry vulnerability and saves the result into out.txt.

‘sc.exe’ is a WannaCry scanner tool by BiZone and it’s a vulnerability scanner for MS17-010 vulnerabilities.

Fig 9. WannaCry scanner tool

Command executed:

Fig 10. WannaCry scanner tool scanning for ip.

The above command is executed for every IP present in the ARP cache list.

Output from command in the above figure is saved in the out.txt in the working directory:

Fig 11. Output of WannaCry scanner tool.

i.exe/ipcheck.exe then parse “out.txt” to check for the vulnerable systems present in ARP caches IP list and then send the count of the vulnerable system to the server i.e. hxxp://92.63.197.52/tundr/infolan.php shown in the figure below.

Fig 12. Sends the vulnerable system’s information to the server

Above is the data send to the IP, number of vulnerable systems i.e. 9.

rc.exe

The rc.exe is main payload i.e., Dharma ransomware. This variant appends the extension ‘.arrow’ to the files it encrypts.

Once executed, it uses the below command to disable Windows’ repair and backup option using vssadmin.exe.

C:\Windows\system32\vssadmin.exe, vssadmin delete shadows /all /quiet

It uses the below command i.e. mode.com which is a genuine process of Windows.

C:\Windows\system32\mode.com, mode con cp select=1251

Fig. 13 Command to delete the backup files.

After execution of the above commands, Dharma ransomware starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows.

“.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF.GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG, .BZ2, .1CD”

If the file size is greater than 98304 bytes, the ransomware overwrites this file with encrypted content else creates a new file with encrypted content and deletes the old one. The ransomware encrypts all the above-mentioned extension files using AES 256 algorithm. The AES key is further encrypted with an RSA 1024. This encrypted AES key is kept at the end of the encrypted file.

The dropped infection marker files and encrypted files have the following pattern.

Fig. 14 Encrypted files Extension.

From the dropped infection marker files, .hta file has a ransom note.

Dharma’s ransom note

Fig. 15 Ransom note

Indicators of compromise:

7F37D17FCF507FBE7178882C9FBDE9DE
75C661F9DE5ADDC39951609F4E6817D4
05F62E28BE944C20650CD7A71B23312A
9E34B848FFE0F59EBEDC987695B633C8
70197A207C96188378B0B00833DC1EA1
2C9369AD62175AF8C5B9F993443F4743
551918E2DB5CD8EE29275D5BDA082192
6E35AB370A9AD9398B5E90F16EFAD759
EA0510F17D13DEED333CD785446B5C14
7FA4B675B3413A2606C94B923B8B1E79

hxxp://92.63.197.52/tundr/info2[.]php
hxxp://92.63.197.52/tundr/infolan[.]php
hxxp://cocinaparahombres.com/nutricion/i[.]exe
hxxp://cocinaparahombres.com/nutricion/sc[.]exe
hxxp://cocinaparahombres.com/nutricion/ipcheck[.]exe
hxxp://aloneintheweb.com/assets/info[.]exe
hxxp://www.netdenjd.com/article/inf[.]exe

We recommend our users to apply the latest Microsoft update packages and keep their antivirus up-to-date.

Subject Matter Experts

Prakash Galande, Pandurang Terkar, Dhwanit Shrivastava | Quick Heal Security Labs

 Previous PostThe Human Factor: Keeping Your Cybersecurity Defence Strong and S...
Next Post  5 Cybersecurity Myths for Linux Users
Bajrang Mane
About Bajrang Mane

Bajrang Mane is leading the Threat Analysis, Incident response, and Automation teams in Quick Heal Security Labs. Having spent 13 years in the IT security industry,...

Articles by Bajrang Mane »

Related Posts

  • BEC and Ransomware attacks unsettle businesses globally.

    BEC and Ransomware attacks increase during the pandemic

    January 22, 2021
  • Thanos Ransomware adopts hyper-weaponized RIPlace tactics — collects huge pay-offs.

    Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic

    November 18, 2020
  • Malware-as-a-service: Cybercrime’s nine-to-five

    Anyone, even you, can carry out cyberattacks with the Malware-as-a-Service model

    October 30, 2020

No Comments

Leave a Reply.Your email address will not be published.

Cancel reply

CAPTCHA Image
Refresh Image

Popular Posts

  • RAT used by Chinese cyberspies infiltrating Indian businesses RAT used by Chinese cyberspies infiltrating Indian businesses December 18, 2020
  • How can EdTech companies deal with rising security challenges? How can EdTech companies deal with rising security challenges? December 24, 2020
  • Benefits of having Intrusion Prevention/Detection System in your enterprise Benefits of having Intrusion Prevention/Detection System in your enterprise February 15, 2018

Featured Authors

  • Seqrite
    Seqrite

    Follow us for the latest updates and insights related to security for...

    Read more..
  • Viraj Talikotkar
    Viraj Talikotkar

    Viraj is a Lead Technical Writer at Quick Heal Technologies. He is always on...

    Read more..
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director and Chief Technology Officer of...

    Read more..

Latest Posts

  • BEC and Ransomware attacks increase during the pandemic

    BEC and Ransomware attacks increase during the pandemic

    January 22, 2021
  • Are we prepared against risks generating from the IoT revolution?

    Are we prepared against risks generating from the IoT revolution?

    January 15, 2021
  • Proactiveness is the key to resolving hybrid cloud’s security challenges

    Proactiveness is the key to resolving hybrid cloud’s security challenges

    January 6, 2021

Stay Updated!

Topics

Antivirus For Linux (10) Antivirus For Server (9) BYOD (9) Cyber-attack (31) cyber-attacks (56) cyberattacks (12) Cybersecurity (275) cyber security (25) Cyber threat (29) cyber threats (44) Data (10) data breach (50) data breaches (27) data loss (28) data loss prevention (33) data protection (21) data security (13) DLP (49) Encryption (16) endpoint security (102) Enterprise security (14) EPS (9) Exploit (12) firewall (11) hackers (9) incident response plan (9) IoT (10) malware (58) malware attack (22) malware attacks (12) MDM (25) mobile device management (9) Network security (18) Patch Management (12) phishing (16) Ransomware (55) ransomware attack (29) ransomware attacks (30) ransomware protection (12) Seqrite (24) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) UTM (34) Vulnerability (10)

Products

  • Endpoint Security (EPS)
  • Seqrite Encryption Manager
  • Seqrite Endpoint Security Cloud
  • Cloud Security
  • Seqrite mSuite
  • Seqrite MobiSMART
  • Unified Threat Management
  • Seqrite Secure Web Gateway
  • Antivirus for Server
  • Antivirus for Linux

Resources

  • White Papers
  • Datasheets
  • Threat Reports
  • Manuals
  • Case Studies

About Us

  • Company Overview
  • Leadership
  • Why choose SEQRITE?
  • Awards & Certifications
  • Newsroom

Archives

  • By Date
  • By Category

© 2020 Quick Heal Technologies Ltd. (Formerly Known as Quick Heal Technologies Pvt. Ltd.) Cookie Policies Privacy Policies

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website.
By browsing this website, you agree to our cookie policy.