Οι ερευνητές προειδοποίησαν για νέο ransomware DarkRadiation

Helga SmithΙούνιος 23, 2021Τελευταία ενημέρωση: Ιούλιος 12, 2021
24 2 ανάγνωση λεπτών

Trend Micro cybersecurity experts έγραψε of a new ransomware called DarkRadiation. The malware is designed to attack Red Hat/CentOS and Debian Linux distributions. To communicate with the C&Διακομιστής C, the attackers use the Telegram messenger.

The malware uses AES (Advanced Encryption Standard) symmetric block cipher algorithm with CBC mode to encrypt files in various directories. At the present time, there is no information about the methods used to spread the malware, and there is no evidence that ransomware was used in actual attacks.

The information was obtained as a result of analysis of a set of hacking tools hosted in the infrastructure of an unidentified attacker in the api_attack directory. The api_attack folder contained several versions of DarkRadiation and the SSH worm (downloader.sh) responsible for spreading the malware.

The ransomware is under active development, for the purpose of obfuscation it uses the open-source tool node-bash-obfuscate, which allows you to split the code into several fragments, then assign a variable name to each segment and replace the original script with references to variables.

Most of the tools have very low detection numbers in Virus Total. It seems that some of the scripts are still in the development phase.say the researchers.

DarkRadiation checks to see if it was started as root and uses elevated permissions to download and install the Wget, cURL and OpenSSL libraries. The software also periodically collects information about users logged into the Unix system using the “οι οποίοι” command every five seconds. The data is then transferred to a server controlled by the attacker using the Telegram API.

At the last stage of the attack, the malware creates a list of all available users on the compromised system, overwrites existing passwords with megapassword and deletes all shell users, before creating a new user ferrum and password MegPw0rD3 to continue the encryption process.

The ransomware can delete all users on an infected system (although in some variants it keeps the root user) and can create an account only for the attacker. As for file encryption, the ransomware uses OpenSSL’s AES algorithm to encrypt either the file with specific extensions or all files at the given directory.write Trend Micro researchers.

DarkRadiation also disables all running Docker containers on the infected system and generates a ransom note. Σύμφωνα με ειδικούς, the ransomware adds radioactive characters (.) as an extension to the encrypted file.

DarkRadiation contains the install_tools function to download and install the necessary utilities on the infected system if they are not already installed. The worm downloads and installs only the necessary packages for a Linux distribution based on CentOS or RHEL, since it only uses the Yellowdog Updater, Modified (YUM) package manager.

Επιτρέψτε μου να σας υπενθυμίσω ότι μίλησα επίσης για το γεγονός ότι Το παράξενο κακόβουλο λογισμικό εμποδίζει τα θύματα να επισκέπτονται ιστότοπους πειρατών.

Ετικέτες
Helga SmithΙούνιος 23, 2021Τελευταία ενημέρωση: Ιούλιος 12, 2021
24 2 ανάγνωση λεπτών

Helga Smith

Ενδιαφέρομαι πάντα για τις επιστήμες των υπολογιστών, ειδικά την ασφάλεια δεδομένων και το θέμα, που ονομάζεται σήμερα "επιστημονικά δεδομένα", από τα πρώτα μου χρόνια. Πριν μπείτε στην ομάδα κατάργησης ιών ως αρχισυντάκτης, Εργάστηκα ως ειδικός στον τομέα της ασφάλειας στον κυβερνοχώρο σε πολλές εταιρείες, συμπεριλαμβανομένου ενός από τους εργολάβους της Amazon. Μια άλλη εμπειρία: Έχω διδάξει σε πανεπιστήμια Arden και Reading.

Αφήστε μια απάντηση

Αυτό το site χρησιμοποιεί Akismet να μειώσει το spam. Μάθετε πώς γίνεται επεξεργασία των δεδομένων σας σχόλιο.

Κουμπί Επιστροφή στην κορυφή