A new ransomware attack has been spotted by cybersecurity analysts in Docker and Linux cloud containers. The strain, known as “DarkRadiation”, has also been seen making use of the popular Telegram chat app.
DarkRadiation Ransomware infects multiple outlets
The targets of the DarkRadiation ransomware include Linux systems and Docker containers.
According to last week’s report from Trend Micro, researchers found that Debian Linux and CentOS / Red Hat distributions were the targets of this malware. The malware is written as Bash scripts.
For file encryption it uses OpenSSL’s AES algorithm in CBC mode, and it communicates through the API of the Telegram messaging app.
On May 28, Twitter user @r2dbU7z, who typically posts information about malware attacks and computer systems, spotted the attack toolkit. An “api_attack” directory was also uncovered, which is believed to be part of the threat actor’s infrastructure.
It is important to know the extent of the ransomware attack. In the case of DarkRadiation, a multi-stage intrusion carried out by Bash scripts has been observed. Files are encrypted, and the scripts communicate through API keys hard-coded for the Telegram API.
The ransomware is also known to split its code into segments and assign each segment to a variable with a particular name. It then rewrites the original script as references to those variables. This is made possible by “node-bash-obfuscate”, an open source tool.
When the script is run, DarkRadiation first checks whether it is being executed as the root user. If so, it installs the OpenSSL libraries, as well as cURL and Wget. It then checks which users are logged into the server by running the “who” command every five seconds.
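The variable-splitting obfuscation described above is easy to undo once the pattern is recognised, which is what an analyst would do before writing detections. The following is an added example, not code from the article or from the node-bash-obfuscate project: it assumes the general shape the article describes (each chunk of the original script assigned to a variable, then an `eval` that concatenates those variables), and the sample script is constructed here for illustration. Exact variable naming and quoting in real node-bash-obfuscate output may differ.

```python
import re
from typing import Dict, Optional

# One assignment per line: NAME='value', NAME="value" or NAME=value (no spaces).
# Multi-line string values are not handled; the parser is line based on purpose.
ASSIGN_RE = re.compile(
    r"""^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|"([^"]*)"|(\S*))\s*$"""
)
# The reassembly line: eval "$a$b$c" (quotes optional, ${name} form accepted).
EVAL_RE = re.compile(r"""^\s*eval\s+"?((?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?)+)"?\s*$""")
REF_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def deobfuscate(script: str) -> Optional[str]:
    """Reassemble a script that was split into variables and rebuilt via eval.

    Returns the reconstructed command string, or None if the script does not
    follow the assumed pattern (or references a variable that was never set).
    """
    variables: Dict[str, str] = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name = m.group(1)
            # Exactly one of the three value groups is non-None.
            value = next(g for g in m.groups()[1:] if g is not None)
            variables[name] = value
            continue
        m = EVAL_RE.match(line)
        if m:
            refs = REF_RE.findall(m.group(1))
            try:
                return "".join(variables[r] for r in refs)
            except KeyError:
                return None  # reference to an unknown variable: not our pattern
    return None


def deobfuscate_layers(script: str, max_depth: int = 5):
    """Peel repeated layers of the same obfuscation; returns each layer found."""
    layers = []
    current = script
    for _ in range(max_depth):
        result = deobfuscate(current)
        if result is None:
            break
        layers.append(result)
        current = result
    return layers


# Constructed sample in the assumed obfuscated form (not a real DarkRadiation script).
SAMPLE = """#!/bin/bash
Rq3="ho 'Hello "
Kp1="ec"
Zt9="from a reconstructed script'"
eval "$Kp1$Rq3$Zt9"
"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Because the reconstructed text is what actually runs, it is the reconstructed text, not the obfuscated file, that should be fed to static signatures and to the behavioural checks an analyst writes afterwards.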
DarkRadiation tries to download tools using Python based package manager
The Hacker News reported on Tuesday, June 22, that the ransomware would use Yellowdog Updater, Modified (YUM) to try to download the tools required to start spreading the infection. Among the systems that use this package manager, Red Hat based Linux distributions would be easy targets.
In the next phase of the attack, the malware retrieves the list of users on the compromised system. Their passwords are overwritten with a specific “megapassword”. In the process, all shell users are deleted and a new user “ferrum” with the password “MegPw0rD3” is created before encryption begins.
All running Docker containers are also shut down once DarkRadiation starts infecting a system. At that point, the ransom note appears on the user’s screen.
According to SentinelOne researchers, the attack scripts can go through multiple iterations to evade security software that relies on static file signatures, since each iteration produces a uniquely written script file.
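Since the obfuscation defeats signatures on the file as a whole, a defender can instead look for the behaviours the article describes: installing OpenSSL, cURL and Wget through YUM, polling `who` every five seconds, creating the “ferrum” user with the password “MegPw0rD3”, stopping Docker containers, encrypting with OpenSSL AES in CBC mode, and the variable-concatenation `eval`. The following is an added example, not code from the article or from any vendor: the indicator regexes, weights and threshold are my own choices, `api.telegram.org` is the public Telegram Bot API host, and the sample script lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: "re.Pattern[str]"
    weight: int


# Behavioural indicators drawn from the article; weights are assumed, not vendor data.
INDICATORS: List[Indicator] = [
    Indicator("openssl-aes-cbc", re.compile(r"openssl\s+enc\b.*-aes-\d+-cbc"), 3),
    Indicator("who-poll-loop", re.compile(r"\bwho\b.*\bsleep\s+5\b|\bsleep\s+5\b.*\bwho\b"), 2),
    Indicator("ferrum-user", re.compile(r"\buser(add|mod)\b.*\bferrum\b"), 4),
    Indicator("megpw0rd3", re.compile(r"MegPw0rD3"), 4),
    Indicator("telegram-api", re.compile(r"api\.telegram\.org"), 2),
    Indicator("docker-stop-all", re.compile(r"docker\s+(stop|kill)\b"), 2),
    Indicator("yum-install-tools", re.compile(r"\byum\s+install\b.*\b(openssl|curl|wget)\b"), 1),
    Indicator("eval-concat", re.compile(r'eval\s+"?(\$\{?\w+\}?){2,}'), 2),
]


def scan_script(text: str) -> Tuple[int, Dict[str, List[int]]]:
    """Score a shell script by the behavioural indicators it contains.

    Returns (score, hits) where hits maps indicator name -> matching line numbers.
    Each indicator contributes its weight once, however many lines match it.
    """
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for ind in INDICATORS:
            if ind.pattern.search(line):
                hits.setdefault(ind.name, []).append(lineno)
    score = sum(ind.weight for ind in INDICATORS if ind.name in hits)
    return score, hits


def verdict(score: int, threshold: int = 6) -> str:
    """Threshold is an assumption; tune it against your own benign script corpus."""
    return "suspicious" if score >= threshold else "clean"


# Constructed sample lines containing the indicators (not a real DarkRadiation script).
SAMPLE = """#!/bin/bash
yum install -y openssl curl wget
while true; do who >> /tmp/u.log; sleep 5; done &
useradd ferrum
echo 'ferrum:MegPw0rD3' | chpasswd
docker stop $(docker ps -q)
openssl enc -aes-256-cbc -salt -in "$f" -out "$f.enc"
"""

# Constructed benign sample: an admin script that also happens to call `who`.
BENIGN = """#!/bin/bash
who
echo "logged-in users listed"
"""

if __name__ == "__main__":
    for label, script in (("sample", SAMPLE), ("benign", BENIGN)):
        score, hits = scan_script(script)
        print(label, score, verdict(score), hits)
```

Run this over the deobfuscated text rather than the raw file; a single strong indicator such as the hard-coded password is enough on its own to warrant a look, while weak ones like a YUM install only matter in combination.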
This article is the property of Tech Times
Written by Joseph Henry
2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.