Comodo Cyber Security team reveals the inner-workings of the latest strain of this persistent threat
The Comodo Cyber Security team constantly researches the latest ransomware to help better protect our users and to share our findings with the wider netsec and antivirus communities. Today we’d like to tell you about a newer version of the ransomware called Dharma version 2.0.
The malware first appeared in 2016 under the name CrySIS. It targets Windows systems and encrypts the victim’s files with strong AES-256 and RSA-1024 algorithms before demanding a ransom in Bitcoin. As with virtually all strains of ransomware, the files cannot be recovered without the decryption key, and the victim must pay the ransom to get it.
The Dharma trojan is delivered either by brute-forcing weak passwords on RDP connections or by getting the victim to open a malicious email attachment. In the first method the attacker scans for hosts listening on port 3389, the RDP port. Once a target is found, the attacker tries to log in by automatically cycling through a huge library of known passwords until one of them works. From there, the attacker has complete control over the target machine and runs the Dharma ransomware manually on the user’s files.
The second method is a classic email attack. The victim receives an email that appears to come from their real antivirus provider. It warns of malware on their machine and instructs them to install the attached antivirus file to remove the threat. Of course, the attachment isn’t an antivirus program: it’s Dharma 2.0, which then encrypts the user’s files and demands a ransom to unlock them.
In February 2020, the Comodo Cyber Security team discovered the latest evolution of this malware, Dharma 2.0. This version contains the core encrypt-then-ransom functionality of previous versions, but also contains an additional backdoor which grants remote admin capabilities. Let’s take a close look at the details of Dharma 2.0, with the help of the Comodo Cyber Security team.
The execution tree of the malware is shown in the screenshot below, with ‘Wadhrama 2.0.exe’ at the head of the list:
The malware uses the DOS device mode utility to gather some information about the victim’s keyboard and deletes any shadow copies of their files. The command ‘vssadmin delete shadows /all /quiet’ is commonly used in ransomware to delete existing Windows restore points, robbing the user of a backup of their files:
With the shadow copies gone, users cannot restore their files unless they have an external, third-party backup in place. Many businesses have such backups, but an alarming number do not.
After encrypting all files on the computer, the malware needs a way to deliver the attacker’s instructions to the victim. It does this by using ‘mshta.exe’ to open ‘Info.hta’ from the Startup folder, so the note is shown automatically at every logon, with the command
‘C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Info.hta’.
‘Info.hta’ is the file which contains the ransom note:
“All your files have been encrypted!”
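The two command lines described above (the shadow-copy deletion and mshta.exe launching an .hta from a Startup folder) are the behaviours a defender would alert on. The following is an added example, not code from the Comodo write-up: a small triage function run over constructed process-creation events (Sysmon Event ID 1 style; the host name and the two benign look-alike events are invented for the test).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events, not real telemetry. Two mirror the
# command lines in the write-up; two are benign look-alikes to check for false positives.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                        # benign: enumeration only
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},           # restore points wiped
    {"host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},   # benign: HTA outside Startup
    {"host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\Info.hta"},        # ransom-note persistence
]

# Each rule: name, case-insensitive regex over the command line, and the reason an analyst sees.
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
     "vssadmin delete shadows removes Volume Shadow Copies (Windows restore points)"),
    ("hta_launched_from_startup",
     re.compile(r"\bmshta(\.exe)?\b.*\\start ?menu\\programs\\startup\\[^\\]+\.hta\b", re.I),
     "mshta.exe opening an .hta in a Startup folder matches the Dharma ransom-note auto-run"),
]

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) match, keeping the command line for the analyst."""
    hits = []
    for ev in events:
        for name, pattern, reason in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": name,
                             "cmdline": ev["cmdline"], "reason": reason})
    return hits

def triage_rule_names(events: List[Dict[str, str]]) -> List[str]:
    """Ordered names of the rules that fired; handy for summaries and tests."""
    return [h["rule"] for h in triage(events)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'[{hit["host"]}] {hit["rule"]}: {hit["cmdline"]}\n    {hit["reason"]}')
```

Only the two malicious events fire; the benign `vssadmin list shadows` and the HTA outside the Startup folder are left alone.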
Wadhrama 2.0.exe creates two SQL database files, ‘about.db’ and ‘about.db-journal’, in <%users\administrator\appdata\local\temp%>. It creates a copy of itself in <%system32%> and <%startup%>, and appends the extension ‘[bitlocker@foxmail.com ].wiki’, preceded by an id value, to the end of every encrypted file:
c:\users\administrator\appdata\local\temp\about.db
c:\users\administrator\appdata\local\temp\about.db-journal
c:\windows\system32\Wadhrama 2.0.exe
c:\users\administrator\appdata\roaming\microsoft\windows\start menu\programs\startup\Wadhrama 2.0.exe
c:\programdata\microsoft\windows\start menu\programs\startup\Wadhrama 2.0.exe
c:\$recycle.bin\s-1-5-21-2565079894-3367861067-2626173844-500\desktop.ini.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\boot\bootstat.dat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\bootsect.bak.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\msocache\all users\{90120000-0012-0000-0000-0000000ff1ce}-c\office64ww.xml.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\config.sys.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\msocache\all users\{90120000-0012-0000-0000-0000000ff1ce}-c\setup.xml.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\autoexec.bat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\$recycle.bin\s-1-5-21-2565079894-3367861067-2626173844-500\$r1vq4s7.exe.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\$recycle.bin\s-1-5-21-2565079894-3367861067-2626173844-500\$i1vq4s7.exe.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
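The renamed files above follow one scheme: original name, then ‘.id-’ plus an 8-hex-digit value, then the contact address in brackets, then the new extension. As an added example (not code from the Comodo write-up), the parser below splits such names into their parts and summarises a listing the way an incident responder would want it first; the sample paths are taken from the listing above plus two constructed non-encrypted entries, and the trailing space inside the brackets is stripped because the sample shows one.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# <original>.id-<8 hex chars>.[<contact>].<ext>, as seen on the encrypted files above.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$")

# Constructed sample listing: three encrypted files from the write-up and two
# dropped-but-unencrypted artifacts that must not be counted as victims' files.
SAMPLE_PATHS = [
    r"c:\boot\bootstat.dat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki",
    r"c:\config.sys.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki",
    r"c:\msocache\all users\{90120000-0012-0000-0000-0000000ff1ce}-c"
    r"\setup.xml.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki",
    r"c:\windows\system32\Wadhrama 2.0.exe",              # copy of the malware itself
    r"c:\users\administrator\appdata\local\temp\about.db",  # its SQL database file
]

def parse_encrypted_name(path: str) -> Optional[Dict[str, str]]:
    """Split an encrypted file name into its parts, or None if it does not fit the scheme."""
    m = DHARMA_NAME.match(path)
    if not m:
        return None
    parts = m.groupdict()
    parts["contact"] = parts["contact"].strip()  # sample shows "[bitlocker@foxmail.com ]"
    return parts

def original_type(original: str) -> str:
    """Extension of the original (pre-encryption) file name, lower-cased; '' if it had none."""
    name = original.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def summarize(paths: List[str]) -> Dict[str, object]:
    """Count encrypted files and collect victim IDs, contact addresses and original file types."""
    parsed = [p for p in map(parse_encrypted_name, paths) if p]
    return {
        "encrypted_files": len(parsed),
        "victim_ids": sorted({p["victim_id"] for p in parsed}),
        "contacts": sorted({p["contact"] for p in parsed}),
        "original_types": Counter(original_type(p["original"]) for p in parsed),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```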
The cybersecurity team tested the encryption complexity of Dharma 2.0 by creating three identical, 5 line text files with the following content:
We named the three files ‘autorun.inf’, ‘boot.sdi’ and ‘bootsect.exe’ and moved each to a different location. Because the files are the same type and size and have the same content, they all share the same SHA-1 hash: 9ea0e7343beea0d319bc03e27feb6029dde0bd96.
This is a screenshot of the files before encryption by Dharma:
After encryption, each has a different file size and signature:
These database files contain two tables, ‘setting’ and ‘keymap’. Through them the backdoor accepts remote admin commands such as:
◦ /eject/eject<disk>
◦ /runas/runas<application>
◦ /syserr/syserr<error code>
◦ /url/url<link>
◦ /runscreensaver/runscreensaverd
◦ /shutdisplay/shutdisplayd
◦ /edithost/edithostsd
◦ /restart/restard
◦ /shutdown/shutdownd
◦ /logoff/logoffd
◦ /lock/lockd
◦ /quit/quitd
◦ /config/configd
◦ /about/aboutd
• Dharma 2.0 creates two mutex objects called ‘Global\\syncronize_261OR3A’ and ‘Global\\syncronize_261OR3U’. Mutex objects limit the number of processes that can access a specific piece of data at one time. This effectively locks the data against other processes so the encryption can go ahead uninterrupted.
• Dharma 2.0 searches for the following file extensions to encrypt:
◦ Personal document file formats: ‘doc(.doc;.docx,.pdf;.xls;.xlss;.ppt;)’
◦ Archive file formats: ‘arc(.zip;.rar;.bz2;.7z;)’
◦ Database file format: ‘dbf(.dbf;)’
◦ SafeDis encryption file format: ‘1c8(.1cd;)’
◦ Image file format: ‘jpg(.jpg;)’
• It also searches out well-known database, mail and server software:
◦‘1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;’
◦‘FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;Sqlserveradhelper;’
• Dharma 2.0 copies itself into three different locations:
◦ ‘%appdata%’
◦ ‘%windir%\\system32’
◦ ‘%sh(Startup)%’
• It creates a pipe, ‘%comspec%’, with the command ‘C:\\windows\\system32\\cmd.exe’.
• It collects details about boot files such as ‘boot.ini’, ‘bootfont.bin’, and others.
• The ransom note text is saved in a file called ‘FILES ENCRYPTED.txt’.
• ‘Info.hta’ displays the ransom message to the victim.
• The encryption extension is drawn from the buffer ‘.[bitlocker@foxmail.com]’.
• Dharma then creates an encrypted version of the original file with the new extension.
• It subsequently deletes the original file and repeats the loop until every drive and file has been encrypted. The final, encrypted files look as follows:
• This is the ransom message shown to the victim when they next boot their computer: