Group-IB researchers have detected attacks on multiple companies across the globe that are carried out by Iranian newbie threat actors for financial gain. These attacks have been actively orchestrated since at least June 2020. The threat actors are using Dharma ransomware along with a set of other publicly available tools to target companies specifically in Russia, Japan, China, and India. Once compromised, the gang typically demands a ransom between 1-5 Bitcoins (BTC). The threat actors seem to be naïve since they did not have a fixed plan about what to do with the compromised networks.
Key Highlights
- Iranian newbies are using Dharma ransomware, also known as Crysis, to target multiple companies in Russia, Japan, China, and India.
- All the targeted organizations had hosts with Internet-facing RDP and weak credentials.
- The operators typically demanded 1-5 BTC as ransom.
- The operators used Defender Control and Your Uninstaller to disable built-in antivirus software.
The Modus Operandi
In a detailed investigation carried out by the research team at Group-IB, a threat intelligence and cybersecurity company, it was found that the source code of the Dharma ransomware has been up for sale in the underground market since March 2020 and is distributed as ransomware-as-a-service (RaaS). This is the exact code that has been used by the Persian-speaking newbie threat actors for Dharma ransomware distribution.
- The operators first scanned ranges of IPs for hosts with Internet-facing RDP and weak credentials in countries like Russia, Japan, China, and India. They used a popular software called Masscan for doing this. Incidentally, the same technique was employed by Fxmsp, an infamous Russian underground seller who made a fortune selling access to corporate networks.
- On identifying the vulnerable hosts, the attackers executed a brute-force attack to have their way into the system. On some instances, they also attempted elevation of privileges using the exploit for CVE-2017-0213. On establishing an RDP connection, they decided on which tools to deploy for moving laterally. Additionally, the attackers used “Defender Control” and “Your Uninstaller” to disable built-in antivirus software.
- They then scanned for accessible hosts in the compromised network using the publicly available tool Advanced Port Scanner. The adversary used the collected information to move laterally through the network using the RDP protocol.
- Finally, the attackers dropped and executed a variant of Dharma ransomware and executed it manually to demand a ransom in the range of 1-5 BTC.
Oleg Skulkin, Senior DFIR Analyst at Group-IB, said, “The fact that Dharma ransomware’s source code has been made widely available has led to the increase in the number of operators deploying it. It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally seen a lot of state-sponsored attackers engaged in espionage and sabotage. Despite that, these cybercriminals use quite common tactics, techniques, and procedures that have been effective.”
The researchers have suggested to change or maintain a close vigil on the default RDP port 3389 as the attackers usually use this for brute-forcing into the system.
