
Bash Based Ransomware Named “DarkRadiation” Targets Various Linux Distributions.

Researchers from Trend Micro have identified a new ransomware strain written entirely in the Bash scripting language that targets Linux distributions such as Red Hat and Debian-based distributions.

While analysing the malware, the researchers also identified an “api_attack/” directory containing Secure Shell (SSH) worms, which are responsible for spreading the ransomware, together with other ransomware scripts. Alongside these they found various custom and open-source scripts.

Source: Trend Micro

“For example, binaryinject1.so is a modified version of a rootkit called “libprocesshider” that hides a process under Linux using the ld preloader and “pwd.c” (“CVE-2017-1000253.c”), which is a publicly available exploit for CentOS 7 kernel versions 3.10.0-514.21.2.el7.x86_64 and 3.10.0-514.26.1.el7.x86_64,” the blog post mentions.

The analysis also reveals that “Supermicro_cr_third” in this “api_attack/” directory appears to be the full version of the ransomware, completely obfuscated with the open-source tool “node-bash-obfuscate”, which is commonly used to obfuscate Bash scripts.

Figure 2. Threat actor’s hack tools directory for /api_attack

Encryption process:

Figure 24. super_micro_third encryption process
Source: Trend Micro

DarkRadiation first checks whether it is being run as the “root” user. If not, it displays a “Please run as root user” message, removes itself and exits.

If it is run as a privileged user, the malware checks whether Wget, Curl and OpenSSL are installed and, if they are not, downloads and installs them.

“The bot_who function is a bash script that takes a snapshot of the users that are currently logged into a Unix computer system using the “who” command. It stores the result in a hidden file called “/tmp/.ccw”.

Afterward, every five seconds it again executes the “who” command and checks the output against the “.ccw” file. If they are not equal (new user logging in), the malware sends a message to the attacker via Telegram’s API,” reads the blog.

“The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s). The malware gets an encryption password through the command-line argument passed by the worm script,” the blog post mentions.

It is also worth noting that the ransomware appends the radioactive symbol (“☢”) as the file extension of each encrypted file.
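The behaviour described above leaves a few host-side traces that a responder can look for: files renamed with the “☢” marker, the hidden “/tmp/.ccw” snapshot written by bot_who, and ld.so.preload entries of the kind a libprocesshider-style rootkit relies on. The following triage script is an added example, not code from Trend Micro or from the malware; the sample tree it builds is constructed and the preload path in it is a placeholder, not a real artefact.

```shell
#!/usr/bin/env bash
# Added defender-side triage example (not Trend Micro's or the malware's code).
# Every path is a parameter so the checks run both on a live host and on the
# constructed sample tree built by make_sample_tree below.

# Number of files under directory $1 whose name ends in the appended "☢" marker.
count_encrypted_files() {
  find "$1" -type f -name '*☢' 2>/dev/null | wc -l | tr -d ' '
}

# Prints 1 if the hidden "who" snapshot file $1 (default /tmp/.ccw) exists, else 0.
has_ccw_snapshot() {
  if [ -f "${1:-/tmp/.ccw}" ]; then echo 1; else echo 0; fi
}

# Prints the non-comment, non-blank entries of preload file $1 (default
# /etc/ld.so.preload). A clean host normally has no entries at all.
preload_entries() {
  [ -r "${1:-/etc/ld.so.preload}" ] || return 0
  grep -Ev '^[[:space:]]*(#|$)' "${1:-/etc/ld.so.preload}" || true
}

# Runs all three checks under root prefix $1 ("" for the live host); returns 1
# when any indicator is present and 0 when the host looks clean.
triage() {
  hits=0
  n=$(count_encrypted_files "$1/home")
  [ "$n" -gt 0 ] && { echo "files with ☢ extension under $1/home: $n"; hits=1; }
  [ "$(has_ccw_snapshot "$1/tmp/.ccw")" = 1 ] && { echo "snapshot file present: $1/tmp/.ccw"; hits=1; }
  p=$(preload_entries "$1/etc/ld.so.preload")
  [ -n "$p" ] && { echo "ld.so.preload entries: $p"; hits=1; }
  return "$hits"
}

# Constructed sample tree (placeholder contents, not real artefacts) so each
# check can be exercised offline. Prints the tree's root directory.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/user" "$root/tmp" "$root/etc"
  printf 'x' > "$root/home/user/notes.txt☢"
  printf 'y' > "$root/home/user/report.pdf☢"
  printf 'z' > "$root/home/user/clean.txt"
  printf 'user pts/0 2021-06-10 10:00\n' > "$root/tmp/.ccw"
  printf '# placeholder path, not a real sample\n/usr/lib/binaryinject1.so\n' > "$root/etc/ld.so.preload"
  echo "$root"
}
```

Run `triage ""` as root to check the live host; a non-zero exit means at least one of the three traces was found and the lines printed say which.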

Indicators of Compromise:


For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
