Iran-Linked ‘Newbie’ Hackers Spread Dharma Ransomware Via RDP Ports
2020-08-24 15:23

While the ransomware was previously used by advanced persistent threat actors, its source code surfaced in March 2020, making it available to a wider breadth of attackers.

"The fact Dharma source code has been made widely available led to the increase in the number of operators deploying it," Oleg Skulkin, senior digital forensics specialist with Group-IB, said in an analysis of the attacks posted Monday.

The attackers in this campaign first would scan ranges of IPs for hosts exposing vulnerable RDP ports and using weak credentials, researchers said.

Once vulnerable hosts were identified, the attackers deployed a well-known RDP brute-force application called NLBrute, which has been sold on forums for years.

Attackers would then move laterally across the network and deploy the Dharma variant executable, encrypt data, and leave a ransom note for the victim.
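The scan, brute-force and lateral-movement sequence described above leaves a characteristic trace on the target: a burst of failed RDP logons from one source address, followed by a successful RDP logon from that same address once a weak password is guessed. The following detection routine is an added example and is not code from the Threatpost article or from Group-IB's analysis. It assumes Windows Security log records for Event ID 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP) have been exported as one-line key=value text; the log lines, IP addresses and account names in it are constructed sample data.

```python
"""Flag RDP password-guessing bursts in Windows Security log exports.

Added example (not from the article or Group-IB's report). It assumes
Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive (RDP), exported as one key=value line per event.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: one source address guessing several accounts
# within seconds, then logging in as "backup"; one unrelated single
# failure; one console (LogonType 2) failure that must be ignored.
SAMPLE_LOG = """\
2020-08-20T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2020-08-20T02:14:02Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.23
2020-08-20T02:14:02Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.23
2020-08-20T02:14:03Z EventID=4625 LogonType=10 TargetUser=scan SourceIP=198.51.100.23
2020-08-20T02:14:04Z EventID=4625 LogonType=10 TargetUser=test SourceIP=198.51.100.23
2020-08-20T02:14:05Z EventID=4625 LogonType=10 TargetUser=user SourceIP=198.51.100.23
2020-08-20T02:14:09Z EventID=4624 LogonType=10 TargetUser=backup SourceIP=198.51.100.23
2020-08-20T03:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
2020-08-20T04:00:00Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse(text):
    """Parse the key=value export into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: finding} for sources with >= threshold RDP failures
    inside a sliding window. A finding also records a later RDP success from
    the same source, the signal that a guessed credential actually worked."""
    recent = defaultdict(deque)   # per-source failures inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:        # only RemoteInteractive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()       # drop failures that fell out of the window
            if ip in alerts:
                alerts[ip]["attempts"] += 1
                alerts[ip]["users"].add(ev["user"])
            elif len(q) >= threshold:
                alerts[ip] = {
                    "first_seen": q[0][0],
                    "attempts": len(q),
                    "users": {u for _, u in q},
                    "success_after": None,
                }
        elif ev["eid"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = (ev["ts"], ev["user"])
    return alerts


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} RDP failures against {sorted(f['users'])} "
              f"since {f['first_seen']:%H:%M:%S}; success_after={f['success_after']}")
```

The threshold and window are deliberately low here so the constructed sample trips them; in production they are tuned against the host's normal failure rate, and a finding whose `success_after` is set is the one to escalate first, since it marks the point where password guessing turned into an interactive session from which lateral movement and payload deployment can follow.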
News URL

https://threatpost.com/iran-linked-newbie-hackers-spread-dharma-ransomware-via-rdp-ports/158580/