
Group-IB detects financially-motivated attacks by Iranian newbie threat actors

  • Hackers target companies in Russia, Japan, China and India.
  • Attackers use Dharma ransomware and a mix of publicly available tools.
  • Dharma has been distributed under a ransomware-as-a-service (RaaS) model at least since 2016.
  • Operators scanned ranges of IPs for hosts with Internet-facing RDP and weak credentials.

Dubai: Cyber-security firm Group-IB has detected financially-motivated attacks carried out by Iranian newbie threat actors in June, targeting companies in Russia, Japan, China and India.

The attackers used Dharma ransomware and a mix of publicly available tools, and all the affected organisations had hosts with internet-facing RDP and weak credentials.

Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage.

Group-IB researchers said the hackers typically demanded a ransom of between 1 and 5 bitcoin, whereas more established groups usually ask for hundreds of thousands or millions of US dollars.

“The newly discovered hacker group suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals,” they said.

Dharma, also known as Crysis, has been distributed under a ransomware-as-a-service (RaaS) model at least since 2016. Its source code popped up for sale in March 2020 making it available to a wider audience.

During an incident response engagement for a company in Russia, Group-IB’s team established that Persian-speaking newbie hackers were behind a new wave of Dharma distribution.

“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain. Although these cybercriminals use quite common tactics, techniques and procedures, they have been quite effective. Therefore, we believe it’s important to provide some recommendations on how to protect against them and give a complete outline of the MITRE ATT&CK mapping,” Oleg Skulkin, Senior Digital Forensics Specialist at Singapore-headquartered Group-IB, said.

Breaches via weak RDP endpoints

Even though the exact number of victims is unknown, the forensic artifacts that were discovered allowed researchers to establish the geography of the campaigns and the toolset, which is far behind the level of sophistication of big-league Iranian APTs.

It was revealed that the operators scanned ranges of IPs for hosts with Internet-facing RDP and weak credentials in Russia, Japan, China, and India.

To do so, they used popular software called Masscan — the same technique was employed by Fxmsp, an infamous seller of access to corporate networks.

Once vulnerable hosts were identified, the attackers deployed NLBrute to brute-force their way into the system and to check the validity of obtained credentials on other accessible hosts in the network. In some attacks, they attempted to elevate privileges using an exploit for CVE-2017-0213.
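The intrusion pattern described above (credential guessing against exposed RDP until a password works) leaves a recognisable trace in Windows Security logs: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source address, followed by a successful one (event 4624) from the same address. The detection below is an added example, not code from the Group-IB report or this article; it assumes the events have already been parsed into tuples, and the sample events are constructed.

```python
"""Flag RDP brute-force followed by success in pre-parsed Windows logon events.

Added example (not from the Group-IB report). Each event is a tuple of
(ISO timestamp, event_id, logon_type, source_ip, account); 4625 = failed
logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures then a success from one address (the
# brute-force pattern), and a single typo-then-login from another (benign).
SAMPLE_EVENTS = [
    ("2020-06-01T10:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T10:00:02", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T10:00:04", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T10:00:06", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T10:00:08", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T10:00:10", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T10:00:20", 4624, 10, "203.0.113.7", "administrator"),
    ("2020-06-01T11:00:00", 4625, 10, "198.51.100.9", "jsmith"),
    ("2020-06-01T11:00:30", 4624, 10, "198.51.100.9", "jsmith"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that accumulated at least `threshold`
    failed RDP logons inside `window` and then logged on successfully."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent 4625s
    alerts = []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        now = datetime.fromisoformat(ts)
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if now - t <= window]
        if event_id == 4625:
            failures[src].append(now)
        elif event_id == 4624 and len(failures[src]) >= threshold:
            alerts.append({"source": src, "account": account,
                           "failures": len(failures[src]), "success_at": ts})
            failures[src].clear()  # one alert per successful guess
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A successful logon after a burst of failures is the moment to investigate; later 4624 events with the same account from the newly compromised host point to the credential-validation-on-other-hosts behaviour the article describes.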

The researchers said the threat actors didn’t have a clear plan on what to do with the compromised networks.

Once they had established the RDP connection, they decided which tools to deploy to move laterally. For instance, to disable built-in antivirus software, the attackers used Defender Control and Your Uninstaller.

The latter was downloaded from an Iranian software-sharing website — the Persian-language Google search query “دانلود نرم افزار youre unistaller” was discovered in the Chrome artifacts. Other tools were downloaded by the attackers from Persian-language Telegram channels once they were already inside the network.

The Dharma source code has been made widely available and this led to the increase in the number of operators deploying it.
