23 June 2021

New wormable DarkRadiation ransomware targets Linux distros


Security researchers at Trend Micro have published a report on a new ransomware threat targeting specific Linux distributions, namely Red Hat/CentOS and Debian.

Dubbed ‘DarkRadiation’, the ransomware is written in Bash and uses OpenSSL’s AES implementation in CBC mode for its encryption routine. It also uses a Telegram bot for command-and-control (C&C) communication, authenticating with hardcoded API keys.

The attack involves multiple stages: the threat actors leverage a custom-built worm, as well as public tools to obfuscate the malicious Bash scripts they use. The researchers noted that the scripts appear to still be under development, and that most components of the attack have very low detection rates on VirusTotal.

DarkRadiation is spread by an SSH worm (“downloader.sh”) that brute-forces weak SSH keys and passwords. Once a connection is established, the worm component deploys the DarkRadiation ransomware and proceeds with the attack.

Upon execution, DarkRadiation first checks whether it is running as root and, if so, checks whether Wget, cURL, and OpenSSL are installed. If they are not, the malware downloads and installs them.

“Before the encryption process, the ransomware retrieves a list of all available users on an infected system by querying the "/etc/shadow" file. It overwrites all existing user passwords with “megapassword” and deletes all existing users except “ferrum.” After that, the malware creates a new user from its configuration section with username “ferrum” and password “MegPw0rD3”. It executes "usermod --shell /bin/nologin" command to disable all existing shell users on an infected system,” the researchers said.

DarkRadiation appends the radioactive symbol (“☢”) as the file extension of each encrypted file and reports encryption status to the attacker via Telegram’s API. The ransomware also stops and disables all running Docker containers on the infected system and then drops a ransom note.
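The account tampering and file-renaming behaviours described in the two paragraphs above translate directly into host triage checks. The following is an added example written for this summary, not code from Trend Micro or from the malware: it parses `/etc/passwd`-formatted text and a list of file paths, and flags the indicators the report names (the “ferrum” account, interactive accounts forced to `/bin/nologin`, accounts that have disappeared, and files carrying the “☢” extension). The sample `passwd` content, file paths and the `EXPECTED_INTERACTIVE` baseline are constructed for illustration; on a real host you would feed it the actual `/etc/passwd` and a directory listing, with a baseline of the accounts you expect to have login shells.

```python
"""Host triage checks derived from the DarkRadiation behaviours summarised above.

Added example, not the researchers' or the malware's code. All sample data
below is constructed; substitute real /etc/passwd content and a file listing.
"""
from __future__ import annotations

# Indicators taken from the report summary.
SUSPECT_USER = "ferrum"          # account the ransomware creates
NOLOGIN_SHELL = "/bin/nologin"   # shell it forces on every other account
RADIOACTIVE_EXT = "\u2622"       # "☢", appended to encrypted files

# Constructed baseline: accounts that legitimately hold a login shell on this host.
EXPECTED_INTERACTIVE = {"root", "alice", "bob"}

# Constructed post-infection /etc/passwd: alice locked out, bob deleted, ferrum added.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/nologin
ferrum:x:1001:1001::/home/ferrum:/bin/bash
"""

# Constructed clean /etc/passwd for comparison.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Constructed directory listing: one file renamed with the radioactive extension.
SAMPLE_PATHS = ["/srv/data/report.pdf\u2622", "/srv/data/notes.txt", "/var/lib/docker/overlay2"]


def parse_passwd(text: str) -> dict[str, str]:
    """Return {username: login_shell} from /etc/passwd-formatted text.

    Malformed lines (not exactly seven colon-separated fields) are skipped.
    """
    shells: dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        shells[fields[0]] = fields[6]
    return shells


def locked_out_accounts(shells: dict[str, str], expected: set[str]) -> list[str]:
    """Expected interactive accounts whose shell is now /bin/nologin."""
    return sorted(u for u in expected if shells.get(u) == NOLOGIN_SHELL)


def missing_accounts(shells: dict[str, str], expected: set[str]) -> list[str]:
    """Expected accounts that no longer exist (the report notes user deletion)."""
    return sorted(u for u in expected if u not in shells)


def encrypted_files(paths: list[str]) -> list[str]:
    """Paths whose name ends with the radioactive-symbol extension."""
    return [p for p in paths if p.endswith(RADIOACTIVE_EXT)]


def triage(passwd_text: str, paths: list[str], expected: set[str]) -> dict:
    """Run all checks and return findings plus an overall alert flag."""
    shells = parse_passwd(passwd_text)
    findings = {
        "suspect_user_present": SUSPECT_USER in shells,
        "locked_out_accounts": locked_out_accounts(shells, expected),
        "missing_accounts": missing_accounts(shells, expected),
        "encrypted_files": encrypted_files(paths),
    }
    findings["alert"] = bool(
        findings["suspect_user_present"]
        or findings["locked_out_accounts"]
        or findings["missing_accounts"]
        or findings["encrypted_files"]
    )
    return findings


if __name__ == "__main__":
    for label, passwd in (("infected sample", SAMPLE_PASSWD), ("clean sample", CLEAN_PASSWD)):
        print(label, triage(passwd, SAMPLE_PATHS if label == "infected sample" else ["/srv/data/notes.txt"], EXPECTED_INTERACTIVE))
```

The baseline set matters: `/bin/nologin` is a legitimate shell for service accounts, so only accounts that are expected to be interactive are treated as locked out, which keeps the check from firing on every system account.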

Trend Micro researchers shared Indicators of Compromise related to this threat in their blog post.
