In a recently published analysis by Sophos Labs, researchers uncovered and detailed the tools typically deployed by affiliates of the Dharma Ransomware-as-a-Service (RaaS) operation. This toolkit, which an attacker maps to a local network drive, consists of several commonly used tools (including Mimikatz and WebBrowserPassView), customized PowerShell tools, and stagers for the Dharma ransomware executable. All of these tools are controlled by a menu-driven PowerShell console script known as toolbelt.ps1.
While Sophos was unable to recover some of the customized hacking tools, its analysis details the functionality of toolbelt.ps1 and the activity that can be expected from it. Binary Defense threat researchers were able to find an interesting dropper for 2sys.ps1: a batch script that dropped several individual base64-encoded files masquerading as certificates. By using the Windows system utility certutil to decode and reassemble these fake base64 "certificates", the Dharma attackers attempt to evade SOC analysts triaging incoming Intrusion Detection System (IDS) alarms.
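As an added defender-side example (not code from the Sophos or Binary Defense analysis), the following Python flags the certutil decode pattern described above in process-creation records and checks whether a PEM-looking file actually carries a DER certificate. The log format, file names and the decoded payload are all constructed for the example.

```python
import base64
import binascii
import re

# Constructed Sysmon-style process-creation records: "Image|CommandLine".
SAMPLE_PROCESS_LOGS = [
    r"C:\Windows\System32\certutil.exe|certutil -decode C:\Users\Public\cert1.crt C:\Users\Public\2sys.ps1",
    r"C:\Windows\System32\certutil.exe|certutil -verify C:\Users\Public\corp.cer",
    r"C:\Windows\System32\cmd.exe|cmd /c copy /b c1.crt+c2.crt+c3.crt all.crt",
]

# certutil switches that turn it into a generic file decoder rather than a certificate tool.
DECODE_SWITCHES = {"-decode", "-decodehex"}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed fake "certificate": the body is base64 of a placeholder script fragment.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"# constructed placeholder for a dropped PowerShell fragment\n").decode()
            + "\n-----END CERTIFICATE-----\n")
# Constructed DER-prefixed stub (not a full certificate); only the leading SEQUENCE byte is checked.
REAL_LIKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 4).decode()
                 + "\n-----END CERTIFICATE-----\n")


def certutil_decode_alert(record: str):
    """Return (source, target) when certutil is used to decode a file, else None."""
    image, _, cmdline = record.partition("|")
    if not image.lower().endswith("certutil.exe"):
        return None
    argv = cmdline.split()  # simple whitespace split; quoted paths would need a real parser
    if not any(a.lower() in DECODE_SWITCHES for a in argv):
        return None
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return (positional[0], positional[1]) if len(positional) >= 2 else (None, None)


def fake_certificate_reason(pem_text: str):
    """Return why a PEM-looking file is not a certificate, or None if it looks genuine."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "no PEM certificate block"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return "body is not valid base64"
    # A real X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        return f"payload is not DER; starts with {der[:16]!r}"
    return None


if __name__ == "__main__":
    for rec in SAMPLE_PROCESS_LOGS:
        print(rec.split("|")[1], "->", certutil_decode_alert(rec))
    print("fake:", fake_certificate_reason(FAKE_PEM), "| stub:", fake_certificate_reason(REAL_LIKE_PEM))
```

Pairing the process alert with the content check on the source file separates routine certificate administration from certutil being used as a decoder for something that was never a certificate.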