
Wormable DarkRadiation Ransomware Targets Linux and Docker Instances
2021-06-24 20:05

Cybersecurity researchers have disclosed a new ransomware strain called "DarkRadiation" that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control communications.

"The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said in a report published last week.

Said to be under active development, the ransomware leverages obfuscation tactics to scramble the Bash script using an open-source tool called "Node-bash-obfuscate" to split the code into multiple chunks, followed by assigning a variable name to each segment and replacing the original script with variable references.

Upon execution, DarkRadiation checks whether it is running as the root user. If so, it uses the elevated permissions to download and install the Wget, cURL, and OpenSSL libraries, then takes a snapshot of the users currently logged into the system with the "who" command every five seconds and exfiltrates the results to an attacker-controlled server via the Telegram API. "If any of these are not available on the infected device, the malware attempts to download the required tools using YUM, a python-based package manager widely adopted by popular Linux distros such as RedHat and CentOS," SentinelOne researchers explained in a write-up published Monday.

A second moving part of the attack is an SSH worm. It receives its credential configuration as a base64-encoded parameter, uses those credentials to connect to the target system over SSH, and then downloads and executes the ransomware there.

In addition to reporting the execution status, along with the encryption key, back to the adversary's Telegram channel through the API, DarkRadiation also comes with capabilities to stop and disable all running Docker containers on the infected machine, after which a ransom note is displayed to the user.
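The behaviours described above (Telegram C2, the five-second "who" loop, Docker containers being stopped, the base64 credential parameter, the root check, the yum installs and the chunked-variable obfuscation) can be turned into a static triage check for shell scripts. The following is an added example written for this page, not code from the article, Trend Micro or SentinelOne; the patterns, weights and review threshold are this example's own assumptions, and both fixtures are constructed strings containing indicator text only.

```python
import re

# Indicator rules for the behaviours the article attributes to DarkRadiation.
# Patterns and weights are assumptions for this example, not vendor signatures.
RULES = [
    ("telegram_api",  r"api\.telegram\.org/bot", 3),
    ("docker_stop",   r"\bdocker\s+(stop|kill|rm)\b", 2),
    ("who_poll",      r"\bwho\b[\s\S]{0,120}?\bsleep\s+5\b", 2),
    ("base64_decode", r"\bbase64\s+(-d|--decode)\b", 1),
    ("root_check",    r"(\$EUID|\$UID|\bid\s+-u\b)", 1),
    ("yum_install",   r"\byum\s+(-y\s+)?install\b.*\b(wget|curl|openssl)\b", 1),
]
# Chunked-variable packing in the style the article describes: an eval over a
# run of three or more concatenated variables. This is the only rule expected
# to fire on the packed form; the others need the reassembled source.
CHUNK_EVAL = re.compile(r'eval\s+"?(\$\{?\w+\}?){3,}')

def scan_script(text: str) -> dict:
    """Return {rule_name: weight} for every rule that matches the script."""
    hits = {name: w for name, pat, w in RULES if re.search(pat, text)}
    if CHUNK_EVAL.search(text):
        hits["chunked_eval"] = 2
    return hits

def score(text: str) -> int:
    return sum(scan_script(text).values())

def review_needed(text: str) -> bool:
    return score(text) >= 5  # threshold assumed for this example

# Constructed fixtures: indicator strings only, no encryption or C2 logic.
SUSPICIOUS = '''#!/bin/bash
[ "$EUID" -ne 0 ] && exit 1
yum -y install wget curl openssl
while :; do who > /tmp/w; curl -s "https://api.telegram.org/bot$T/sendMessage"; sleep 5; done
docker stop $(docker ps -q)
eval "$a$b$c$d"
'''
BENIGN = '''#!/bin/bash
docker compose up -d
sleep 5
'''

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, score(text), sorted(scan_script(text)))
```

Because the real sample ships obfuscated, the string rules only match once the variable chunks have been reassembled (for instance by dumping the script after it is decoded); on the packed form only the eval heuristic fires, so pair this with process telemetry such as unexpected "who" polling or Telegram API traffic.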


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/mzof9nFh_AE/wormable-darkradiation-ransomware.html

Related vendor

VENDOR   LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Linux    11                    64    2602     1595   67         4328
Docker   24                    0     19       36     20         75