show image

Dharma ransomware attack uses anti-virus software to trick targets

Cyber criminals have devised a cunning way to distract users from a ransomware attack: sending them anti-virus software.

The attack allows hackers to discreetly execute Dharma ransomware, which was used in an unsuccessful bid to extort a Texan hospital last November.

According to new research by TrendMicro, the ransomware is contained within a file emailed to targets. Once the file has been downloaded, users are prompted to enter a password included in the body of the email. The archive then opens a malicious file, the dharma ransomware, as well as an outdated version of ESET’s anti-virus remover software.

As the ESET software is being installed, the Dharma ransomware quietly starts encrypting users files in the background – although the two processes are not interdependent.

“The tool is legitimate software bundled with the malware, so user interaction is necessary to fully install it,” Trend’s Raphael Centeno explains in a blog post.

“The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run. The installation process seems included just to trick users into thinking no malicious activity is going on.”

The method is just one of the unusual ways hackers have attempted to work their way into systems in recent years. Last May, researchers at Cisco Talos discovered a remote access trojan that took a reading of the target computer’s temperature, to assess whether it was running a series of virtual machines. VMs are often used by researchers to isolate and analyse malware.

In a statement, ESET said: “The article describes the well-known practice for malware to be bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used.

“However, any other application could be used this way. The main reason is to distract the user, this application is used as a decoy application. ESET threat detection engineers have seen several cases of ransomware packed in self-extract package together with some clean files or hack/keygen/crack recently. So this is nothing new.”