A group of script kiddies tied to Iran have been linked to the recent Dharma campaign. These “newbie” hackers are targeting companies internationally with internet-facing Remote Desktop Protocol (RDP) ports and weak credentials. This being done in order to infect their targets with Dharma ransomware.
The Dharma malware, or Crysis, has been distributed as a “ransomware-as-a-service” (RaaS) model since at least 2016. Previously, this ransomware was used by advanced persistent threat (APT) actors. However, its source code appeared in March 2020, making it available to a host of other attackers. Researchers note that is the case with this Iranian-linked threat group. They say this unsophisticated hacker group has been targeting companies across Russia, Japan, China, and India with the ransomware since June.
This group of Iranian script kiddies has used Dharma for financial gain. This being unusual as Iran has largely been known for state-sponsored attackers that engage in espionage and sabotage.
Our Cyber Incident Response Team provides an elite response for your organization after a Ransomware or Cyber Extortion Incident. LIFARS executes Bitcoin payments and establishes cyber secure perimeter guided with proper regulatory and legal oversight. Ransomware Response and Cyber Extortion containment is our expertise.
Unsophisticated Threat Actors
These threat actors are unsophisticated as they are seen to use publicly available tools to obtain initial access and move throughout the network. This is the opposite of using custom malware or post-exploitation frameworks.
These attackers were found to use Persian language for Google searches on compromised servers and download tools from Iran-linked Telegram groups. Additionally, they attempted to brute-force an Iranian video streaming service accounts.
Using scanning software Masscan, they scanned ranges of IPs for hosts that contained vulnerable RDP ports and weak credentials.
Once vulnerable hosts were identified by the attackers, NLBrute, an RDP brute force application was deployed. This tool allowed them to brute-force their way into the system and check the validity of obtained credentials on other accessible hosts in the network.
In some attacks, this group elevated privileges using an exploit for an elevation of privilege flaw. The medium-severity flaw (CVE-2017-0213) affects Windows systems. This flaw can be exploited when an attacker runs a specifically crafted application.
Researchers indicate that these threat actors likely didn’t have a clear plan on what to do with the compromised networks. This shows their lack of sophistication. In some attacks, the attackers would download various publicly available tools to spy or laterally move across the network.
These threat actors used publicly available tool Advanced Port Scanner, to scan for accessible hosts in the compromised network. Other tools downloaded by the attackers were from Farsi-language Telegram channels.
Defender Control and Your Installer were used by the attackers to disable built-in antivirus software. It was downloaded from an Iranian software sharing website. The Google search query was in the Persian language, which was discovered in the Chrome artifacts.
After this, attackers would move laterally through the network. They would deploy the Dharma variant executable, encrypt data, and leave the victim a ransom note. These hackers typically demanded a ransom between 1 to 5 BTC (worth between $12,000 to $59,000).
An exact number of victims in this campaign is not known. The discovered forensic artifacts revealed that these threat actors are substantially less sophisticated than big league Iranian APTs.
This newly discovered Iranian hacker group gives rise to a new notion. Not only does Iran “support” state-sponsored APT groups, it also accommodates financially motivated cyber-criminals too.
This change may be linked to the pandemic exposing a number of vulnerable hosts. This would include employees working remotely that have become popular targets for cyber-criminals.
These attackers usually need several attempts to brute force passwords and gain access to the RDP. Therefore, it’s important to enable lockout policies by limiting the number of failed log-in attempts per user.