Researchers from Trend micro had identified a new ransomware strain completely written in bash scripting language which is targeting Linux distributions like Redhat, and other Debian based distributions.
The cyber security experts also observed that while analyzing the malware they have identified a “api_attack/” directory which has Secure Shell(SSH) worms(responsible for spreading this ransomware) and other ransomware scripts. Apart from that, they also observed various custom and open source scripts.
“For example, binaryinject1.so is a modified version of a rootkit called “libprocesshider” that hides a process under Linux using the ld preloader and “pwd.c” (“CVE-2017-1000253.c”), which is a publicly available exploit for CentOS 7 kernel versions 3.10.0-514.21.2.el7.x86_64 and 3.10.0-514.26.1.el7.x86_64. “mentioned in the blog post.
The analysis also reveals the ““Supermicro_cr_third”” in this “api_attack/” directory seems to be full version of the ransomware program which is completely obfuscated using the open source tool called “node-bash-obfuscate” that commonly obfuscates the bash scripts.
DarkRadiation seems to check if its been run as “root” user . If not, it will display “Please run as root user” message to user and removes itself and exits.
On the other hand, If its run as privileged user, the malware checks for tools like “Wget, Curl, and OpenSSL are installed, if not, the malware downloads and installs them.
“The bot_who function is a bash script that takes a snapshot of the users that are currently logged into a Unix computer system using the “who” command. It stores the result in a hidden file called (“/tmp/.ccw”). “
“Afterward, every five seconds it again executes the “who” command and checks the output “.ccw” file. If they are not equal (new user logging in), the malware sends a message to the attacker via Telegram’s API” reads the blog.
“The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s). The malware gets an encryption password through the command-line argument passed by the worm script.” mentioned in the blog post.
It is also worth noting that the ransomware appends radioactive symbols (“☢”) as a file extension for an encrypted file.
Indicators of Compromise:
C&C Server IOCs
- Malware command and control server: 185[.]141[.]25[.]168
- Hack tools directory: hxxps[://]u2wgg22a111ssy[.]space
- Hack tools directory: hxxps[://]www[.]0zr33n33fo[.]space
- Hack tools directory: hxxp[://]vk-o2vox-n[.]pp[.]ua
- Hack tools directory: hxxps[://]m0troppm[.]site
- Hack tools directory: hxxps[://]apooow4[.]space
- Hack tools directory: hxxps[://]ga345ss34u[.]space
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1