Analyzing Dharma Ransomware-as-a-Service

What’s up with Dharma?

• First identified in 2016, Dharma today has several variants because of the sale and alteration of its source code by numerous malware developers. Furthermore, it has become the core of the cybercriminal environment due to its availability.
• Dharma RaaS suppliers provide the technical expertise required to handle the back-end operations that support ransomware attacks. Their affiliates—entry-level cybercriminals—compromise a target by executing PowerShell script, which initiates the attack with a message, “Have fun, bro!”

Tools of the trade

• According to Sophos, threat actors leveraging Dharma RaaS are equipped with pre-built scripts and grey hat tools that require less skill to operate. This pre-packaged toolkit, fused with backend technical support, broadens Dharma RaaS operators’ reach, making them profitable while their affiliates carry out hands-on-keyboard functions for breaching networks.
• In Dharma operations, a combination of licensed third-party freeware software, publicly-available exploits, internal Windows tools, and commonly-used security tools, integrated together via bespoke AutoIT, PowerShell, and batch scripts.
• Most Dharma operators don’t modify the source code. However, they combine best practices and several tools—not fully automated—for their affiliates to leverage once they enter a victim’s network.

There’s more

• While the affiliates pay for RaaS and execute targeted attacks themselves by utilizing a standard toolkit, other threat actors offer stolen credentials and tools on underground forums that enable RDP attacks. As per a Coveware report, Remote Desktop Protocol (RDP) attacks are the predominant cause of about 85 percent of Dharma attacks.
• After obtaining an RDP connection, the hackers draw a directory on their local drive, which is accessible from the remote desktop. The components of the directory comprising RaaS toolkit include several unwanted applications, customized hacking tools, and different freeware system utilities.

Out in the open

• Dharma recently caught the attention of security experts when Iranian newbie hackers attempted to encrypt the networks of target companies located in Russia, China, Japan, and India with a version of the Dharma ransomware. Reportedly, the group leveraged publicly-available hacking tools downloaded from Telegram hacking channels or GitHub.
• Earlier this year in February, threat actors distributed the Dharma Ransomware in a spam campaign targeting Windows users in Italy. The spam emails in the campaign used subjects like “Fattura n. 637 del 14.01.20,” pretending to be sent invoices.

Final word