A new ransomware attack has been spotted by the cybersecurity analysts in the Docker and Linux cloud containers. The strain which is known as "DarkRadiation" has been seen as well on the popular chatting app Telegram.
DarkRadiation Ransomware Infects Multiple Outlets
According to last week's report from Trend Micro, the researchers have discovered that the Debian Linux and CentOS/Red Hat channels have been the targets of this malware. They are published in Bash script.
In file encryption, the OpenSSL's AES algorithm, together with the CBC mode was used. In Telegram, a messaging app, the infection spread on its API.
On May 28, @r2dbU7z, who usually posts information about malware attacks and computer systems on Twitter, spotted the toolset in the attack. In addition, there was an "api_attack" directory that was unveiled which is believed to be the infrastructure of the threat actor.
It's important to know the extent of the ransomware attack. In the case of DarkRadiation, the multi-stage penetration was seen on Bash scripts. The stored files would be stored then later be encrypted through the hardcoded API keys in the Telegram API.
Currently, ransomware is also notorious for dividing the codes into sections then assigning a particular identity for the variable for each segment. It would now alter the original script with the references from previous variables. It's made possible through "node-bash-obfuscate," an open-source tool.
When the software is run, DarkRadation would run a quick assessment to know if the system is controlled by a root user. If it's the case, it would activate the installation of OpenSSL libraries, as well as cURL, and Wget. The common culprit in the Unix system will penetrate the server by the "who" command that is enabled every five seconds.
DarkRadiation Tries to Download Tools Using Python-based Package Manager
The Hacker News reported on Tuesday, June 22, that Yellowdog Updater, Modified or YUM, the ransomware would try downloading the required tools to begin the infection spread. Among the systems that make use of the package manager, Linux distros, and RedHat would be the easy targets.
There is a retrieval of the list of the compromised system during the waning stage of the attack. Your information would be overwritten and they would remember a specific password "megapassword." In the process, all shell users would be exterminated and the "ferrum" username would emerge together with the "MegPw0rD3" password before the encryption begins.
All running Docker containers would also halt once DarkRadiation begins infecting them. By that time, the ransom note would now appear next to the user's screen.
According to SentinelOne researchers, the scripts in the attack can undergo several iterations since the security software is dependent on the static file signatures. These would pave way for the creation of various script files that are uniquely written.
This article is owned by Tech Times
Written by Joseph Henry