Security researchers from Trend Micro have discovered an attack chain using an SSH worm and DarkRadiation ransomware. Most components of this attack chain target RedHat and CentOS Linux distributions. In some scripts, Debian-based Linux distributions are targeted.
What has happened?
According to researchers, hacking tools are used to move laterally on targeted networks to deliver ransomware. These tools included exploits for Red Hat/CentOS, binary injectors, and reconnaissance/spreader scripts.
The analysis of the attack chain has revealed an SSH worm and ransomware script. The ransomware is named DarkRadiation and downloader[.]sh script as SSH worm.
The SSH worm accepts base64-encoded configuration credentials as arguments that are dumped after the initial foothold on systems or used as a brute-force list to target systems with weak passwords.
The worm checks if the given configuration is ready to use an SSH password attack or an SSH key base attack. Further, it tests SSH keys or passwords against the targeted IP address.
For encryption, the ransomware employs OpenSSL’s AES algorithm in CBC mode. The malware gets an encryption password with a command-line argument passed by the worm script.
The SSH Worm
The SSH Worm has an install_tools function to download and install required utilities on an infected system if they are not already installed.
The worm downloads and installs prerequisite packages for CentOS or RHEL-based Linux distribution because it uses Yellowdog Updater, a modified (YUM) package manager.
Other hacking tools and DarkRadiation variants use YUM to download/install essential packages. Ultimately, it reports the scanning/spreading results to the operator via Telegram’s API.
The DarkRadiation ransomware
The ransomware is written in a bash script and targets Red Hat/CentOS and Debian Linux distributions. The script named supermicro_cr_third is suspected to be the latest version of this ransomware.
This script is under development, and various versions of this ransomware are similar with minor changes. Some functions are used by the malware author, while some are not.
The script is obfuscated with node-bash-obfuscate, which is a Node[.]js CLI tool and library to obfuscate bash scripts. It can divide the bash script into chunks.
Conclusion
Usually, the adversary uses multiple hacking tools to move laterally on targeted networks. However, the hacking tools in this attack have very low detection numbers in VirusTotal. Thus, it is anticipated that the attackers are probably trying to use low-profile tools to stay hidden from security agencies.