Security researchers JAMESWT, TG soft and reecdeep have found new malicious spam (malspam) email campaign delivering ransomware that is currently targeting Italian Windows users. The Dharma ransomware is a variant of another ransomware family called Crysis. Dharma has been active for several years, but the new development is that it is distributed through malspam emails instead of the traditional delivery method using hacked remote desktop services. This malspam campaign has also delivered the Ursnif keylogger. They are delivered through emails that claim to be an invoice from a third-party company and contain a link to a ZIP file hosted on Microsoft OneDrive (onedrive.live.com). The ZIP file contains a JPEG image file and a Visual Basic Script (VBS) file. If the recipient double-clicks the VBS file to run it, the script attempts to download data from one of several malicious websites listed in the IOC section below. If the download is successful, the malware will be installed.
Indications of Compromise (IOCs):
- radiantdates[.]com/fwtbtut?awla=35193
- theinvestmentinvestigator[.]com/gwepcq?ffkod=25310
- naughtygig[.]com/kferph?fumge=142150
- mengather[.]com/pagkit56.php
Analyst Notes
As of the time of this article, there is no way to decrypt files that have been attacked by Dharma ransomware. However, there are ways to defend against this malware and similar threats. One strategy is to employ a “zero-trust” policy. This would entail verifying the authenticity of the file before downloading any attachments or linked files, regardless of the sender. It is also possible to use Group Policy on a Windows domain to set the default program used when double-clicking any script file to open in Notepad, which prevents end-users from accidentally running scripts. This setting still allows administrators to run scripts on the command line, using the script file name as a command-line argument. Another strong defense is to employ a dedicated endpoint detection and response service that can detect unusual behaviors, including VBS files that perform dangerous actions, or programs that behave like ransomware, and quickly stop those actions before they cause harm across many computers. The Binary Defense Security Operations Center monitors endpoints 24-hours a day to defend companies from attacks.
To read more; https://www.bleepingcomputer.com/news/security/dharma-ransomware-attacks-italy-in-new-spam-campaign/
