New Ransomware, DarkRadiation

Security researchers have identified a new strain of ransomware by the name of “DarkRadiation”. The ransomware is implemented in Bash and targets Linux and Docker cloud containers while simultaneously banking on the Telegram app for command-and-control (C2) communications.

Researchers also explained the malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in different directories. Using the Telegram app, it can send the infection status back to the threat actors.

Currently, there isn’t much information regarding the delivery methods or real-world usage. The strain was identified after analysis of a plethora of hacking tools on an unidentified threat actor’s infrastructure, in a directory titled “api_attack.”

DarkRadiation’s infection chain is a multi-step process that relies heavily on Bash scripts to retrieve malware and encrypt files, in tandem with the Telegram API to communicate with the C2 server using hardcoded API keys.

Suspected to be under current development, the strain leverages obfuscation methods to scramble scripts using an open-source tool called “node-bash-obfuscate” to divide the code into separate portions.

When executing, DarkRadiation attempts to run as the root user, using elevated permissions to download Wget, cURL, and OpenSSL libraries. The ransomware takes a snapshot of the users currently logged into the system using the “who” command every five seconds and communicates the information back to the server via the Telegram API. If it cannot find the libraries, it will attempt to obtain the tools through YUM (Yellowdog Updater, Modified), which is a popular Python-based package manager in Linux.

In the final stages of DarkRadiation infection, it retrieves a list of all users on the compromised system, overwrites any existing passwords with “megapassword,” and deletes all shell users. Before they are deleted, however, it creates a new user with the username “ferrum” and the password “MegPw0rD3” to continue the encryption.

Other researchers have proven the DarkRadiation ransomware is undergoing development with different variations, as some versions show the “ferrum” username being downloaded from the C2 server, while others have strings with “$MeGaPass123#” attached. This proves the malware is being edited and adapted prior to full deployment.

Encrypted files will have a radioactive symbol, “.☢”, as an extension. DarkRadiation also prepares an SSH worm engineered to collect a credential configuration from a base64-encoded parameter, connect to the target system using the SSH protocol, and then download and execute DarkRadiation.

DarkRadiation reports execution status and encryption keys back to the threat actors via their Telegram API, but it also has the ability to end and disable any running Docker containers on the infected machines after a ransom note is displayed.
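
The host-level traits described above (the “ferrum” account, the “.☢” extension, and scripts that call the Telegram API) can be checked with a short triage script. This is an added example, not code from the researchers or from SpearTip; the function names, the default paths and the api.telegram.org hostname are assumptions.

```shell
#!/bin/sh
# Added example: triage a Linux host for the DarkRadiation traits this post lists.
# Function names, default paths and the Telegram hostname are assumptions.

# Print any local account named "ferrum", the user the post says the malware creates.
find_ferrum_account() {
    awk -F: '$1 == "ferrum" { print $1 " uid=" $3 " shell=" $7 }' "${1:-/etc/passwd}"
}

# Count files under a directory that carry the ".☢" extension.
count_encrypted_files() {
    find "${1:-/home}" -xdev -type f -name '*.☢' 2>/dev/null | wc -l | tr -d ' '
}

# List text files (scripts) that reference the Telegram Bot API host.
# api.telegram.org is the public Bot API hostname; the post only says "Telegram API".
find_telegram_scripts() {
    grep -rIl -- 'api\.telegram\.org' "${1:-/tmp}" 2>/dev/null || true
}

# Number of the three traits present (0 to 3) for the given passwd file,
# data directory and script directory.
triage_score() {
    score=0
    if [ -n "$(find_ferrum_account "$1")" ]; then score=$((score + 1)); fi
    if [ "$(count_encrypted_files "$2")" -gt 0 ]; then score=$((score + 1)); fi
    if [ -n "$(find_telegram_scripts "$3")" ]; then score=$((score + 1)); fi
    echo "$score"
}

# Run against the live host only when asked: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "ferrum account : $(find_ferrum_account /etc/passwd)"
    echo "'.☢' files      : $(count_encrypted_files /home)"
    echo "telegram refs  : $(find_telegram_scripts /tmp | tr '\n' ' ')"
    echo "traits present : $(triage_score /etc/passwd /home /tmp)"
fi
```

A score of 0 does not clear a host, since some variants are reported to fetch the account name from the C2 server rather than hardcode “ferrum”.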

SpearTip’s certified engineers are actively tracking this new strain. Our ShadowSpear® platform can defend against strains such as these by stopping the ransomware from executing on machines. Log files collected through our SIEM in ShadowSpear® would show our Security Operations Center the logins, and our engineers would be able to respond to the intrusion attempts instantly.

In the ever-changing threat landscape, it’s vital our team stays in tune with the latest developments in ransomware and malware in general so we can properly protect our clients.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.