A new Dharma ransomware strain is using ESET AV Remover installations as a “smoke screen” technique designed to distract victims while their files are encrypted in the background as detailed by Trend Micro.

The ransomware is pushed by the attackers on their targets’ computers using a spam campaign which delivers email attachments containing a Dharma dropper binary packed as a password-protected self-extracting archive named Defender.exe and hosted on the hacked server of link[.]fivetier[.]com.

Dharma infection chain

The password for the malicious attachment is listed in the spam email, a technique designed to lure curios victims to open the archive and inadvertently launch the Dharma-infected executable on their system.

Once Defender.exe is executed, it will drop on the system an old ESET AV Remover installer named Defender_nt32_enu.exe, and a taskhost.exe Dharma binary added to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ which gets launched and starts encrypting the victim’s hard drives.

The ESET AV Remover installer will automatically be launched after the self-extracting archive is executed, attracting the victim’s attention while the Dharma ransomware encrypts the contents of the hard drive in the background.

It also uses the Enigma1crypt@aol.com email address as a way to contact the ransomware developer.

As Trend Micro says in their analysis of this new Dharma behavior, “the ransomware will still encrypt files even if the installation is not started. The malware runs on a different instance than the software installation, so their behavior is not related.”

Additionally, “The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run. The installation process seems included just to trick users into thinking no malicious activity is going on.”

Given that the ESET AV Remover is legitimate software signed with a valid ESET digital signature on June 22, 2017, by bundling it together with their malware the attackers are trying to pull a “magic trick” designed to divert the victims focus, keeping them busy and their attention directed at something else while Dharma quickly renders the data on their hard drives unusable.

© 2020 - NCA CERT

For emergency cases         0800-977-977