A new variant of Dharma ransomware has been found that uses a new technique to hide its malicious activity: it masquerades as an ESET AV Remover installer to trick users into downloading it.
How does it propagate?
The new variant is distributed via old-school spam email. The email carries a password-protected self-extracting archive named ‘Defender.exe’. Users who click the download link are prompted for a password, which is supplied in the message itself.
Once the archive is unlocked, it drops the malicious file ‘taskhost.exe’ along with an installer for an old version of the ESET AV Remover, renamed ‘Defender_nt32_enu.exe’. Trend Micro researchers identify the new Dharma ransomware version as RANSOM.WIN32.DHARMA.THDAAAI.
What happens after the installation?
Once the Dharma ransomware variant runs, it begins encrypting files in the background while the ESET AV Remover installation starts in the foreground. The victim sees the ESET installer GUI, which serves as a distraction from Dharma’s encryption activity.
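One way a defender could turn the chain described above into a detection check, as an added example that is not part of the article and not code from Trend Micro or ESET: it assumes process-creation telemetry that records each new process's full path and its parent's full path (the shape of a Sysmon Event ID 1 record), and it assumes the genuine taskhost.exe lives in the standard System32 directory. The sample records, the temp directory and the user name are constructed; only the three file names (Defender.exe, taskhost.exe, Defender_nt32_enu.exe) come from the article.

```python
"""Detection check for a decoy-installer ransomware chain.

Added example, not code from the article or from Trend Micro/ESET. It assumes
process-creation telemetry with the new process's full path and its parent's
full path; the sample records below are constructed, and the file names come
from the article.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The genuine Windows taskhost.exe lives here; the same name anywhere else is a
# masquerade candidate (assumption: a standard %SystemRoot% of C:\Windows).
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# File names from the article: the SFX lure, the dropped payload and the
# renamed (legitimate, outdated) ESET AV Remover installer used as a decoy.
LURE_ARCHIVE = "defender.exe"
DROPPED_PAYLOAD = "taskhost.exe"
DECOY_INSTALLER = "defender_nt32_enu.exe"


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the newly created process
    parent_image: str  # full path of the process that started it


def is_masquerading_taskhost(ev: ProcEvent) -> bool:
    """True when something named taskhost.exe runs from outside System32.

    PureWindowsPath compares case-insensitively, matching Windows semantics.
    """
    p = PureWindowsPath(ev.image)
    return p.name.lower() == DROPPED_PAYLOAD and p.parent != SYSTEM32


def analyse(events: list[ProcEvent]) -> list[dict]:
    """Flag masquerading taskhost.exe processes and enrich each finding with
    the two chain features the article describes: was the parent the
    'Defender.exe' lure archive, and did that same parent also launch the
    decoy ESET installer?"""
    # Names of every child each parent started, so siblings can be inspected.
    children: dict[PureWindowsPath, set[str]] = defaultdict(set)
    for ev in events:
        children[PureWindowsPath(ev.parent_image)].add(
            PureWindowsPath(ev.image).name.lower())

    findings = []
    for ev in events:
        if not is_masquerading_taskhost(ev):
            continue
        parent = PureWindowsPath(ev.parent_image)
        findings.append({
            "image": ev.image,
            "parent": ev.parent_image,
            "lure_parent": parent.name.lower() == LURE_ARCHIVE,
            "decoy_installer_seen": DECOY_INSTALLER in children[parent],
        })
    return findings


# Constructed sample telemetry: one benign taskhost.exe started by the service
# control manager, then the lure archive spawning both the payload and the
# decoy installer from a temp directory (path and user name are made up).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\taskhost.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\sfx_drop\taskhost.exe",
              r"C:\Users\victim\Downloads\Defender.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\sfx_drop\Defender_nt32_enu.exe",
              r"C:\Users\victim\Downloads\Defender.exe"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The core signal is the masquerade itself: a process carrying the name of a Windows system binary but running from a user-writable path. The lure-parent and decoy-installer checks only add context for triage, so the rule still fires if the attacker renames the archive or swaps the decoy.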
ESET has been informed of the issue. In response, the firm explained that the AV Remover installer only executes after user interaction. Users should therefore be cautious when downloading such AV software.