DarkRadiation is a new ransomware that targets Linux hosts and Docker cloud containers. Written in Bash, the ransomware specifically targets Red Hat/CentOS and Debian Linux distributions, according to Trend Micro’s research.
For its encryption process, DarkRadiation uses OpenSSL’s AES algorithm in CBC mode. The malware also uses Telegram’s API to report infection status to its operators, Trend Micro says. However, researchers still haven’t determined how the ransomware has been used in actual attacks. The findings shared in the analysis come from a collection of hacking tools hosted on unidentified attacker infrastructure at a single IP address; the directory holding them is called “api_attack”.
DarkRadiation Ransomware: What Is Known So Far?
In terms of infection, the ransomware is programmed to carry out a multi-stage attack, while relying on multiple Bash scripts to retrieve the payload and encrypt the data on an infected system. It also uses Telegram’s API to communicate with the command-and-control server using hardcoded API keys.
Before the encryption process, the ransomware retrieves a list of all existing users on the infected system by reading the “/etc/shadow” file. It overwrites all existing user passwords with “megapassword” and deletes all existing users except “ferrum.” After that, the malware creates a new user from its configuration section with username “ferrum” and password “MegPw0rD3”. It runs the “usermod --shell /bin/nologin” command to disable the shell of every other user on the infected system, the report notes.
It is noteworthy that some of the ransomware variants Trend Micro found try to delete all existing users except “ferrum” and “root”. The malware also checks whether a file named 0.txt exists on the command-and-control server. If the file is absent, the malware skips the encryption process, sleeps for 60 seconds, and then checks again.
DarkRadiation uses OpenSSL’s AES algorithm in CBC mode for its encryption, and it receives its encryption password via a command-line argument passed by a worm script. The ransomware also halts and disables all running Docker containers on the infected host, and creates a ransom note.
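As an added example (not code from the Trend Micro report or from the malware), the following Python audit checks a host for the post-infection traces described above: the rogue “ferrum” account, interactive accounts forced to /bin/nologin, and the useradd/usermod/docker/openssl/Telegram command patterns in a flattened command log. The sample /etc/passwd and log lines are constructed; the exact OpenSSL cipher name, the docker subcommands and the log line format are assumptions, not details from the report.

```python
import re

# Values taken from the report; everything else in this block is an assumption.
MALWARE_USER = "ferrum"
LOCKED_SHELL = "/bin/nologin"

# Constructed post-infection /etc/passwd: every interactive account except
# 'ferrum' has had its login shell switched to /bin/nologin.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/nologin
ferrum:x:1001:1001::/home/ferrum:/bin/bash
"""

# Constructed command log (e.g. auditd EXECVE records joined into one line each).
# <TOKEN> is a placeholder for the hardcoded Telegram bot key, not a real value.
SAMPLE_CMDLOG = [
    "uid=0 argv=useradd -m ferrum",
    "uid=0 argv=usermod --shell /bin/nologin alice",
    "uid=0 argv=docker stop web01",
    "uid=0 argv=openssl enc -aes-256-cbc -pass pass:REDACTED -in db.sql -out db.sql.enc",
    "uid=0 argv=curl https://api.telegram.org/bot<TOKEN>/sendMessage",
    "uid=1000 argv=ls -la",                       # benign line, must not match
]

# One regex per behaviour the report attributes to the ransomware.
CMD_RULES = {
    "account-created": re.compile(r"\buseradd\b.*\bferrum\b"),
    "shell-locked":    re.compile(r"\busermod\b.*--shell\s+/bin/nologin"),
    "docker-halted":   re.compile(r"\bdocker\s+(stop|kill)\b"),   # assumed subcommands
    "openssl-cbc":     re.compile(r"\bopenssl\s+enc\b.*-aes-\d+-cbc"),
    "telegram-beacon": re.compile(r"api\.telegram\.org/bot"),
}

def passwd_findings(passwd_text):
    """Return (locked, rogue): root/human accounts (UID 0 or >= 1000) whose shell
    is /bin/nologin, and any 'ferrum' account that still has a working shell."""
    locked, rogue = [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                                # skip malformed entries
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name == MALWARE_USER and shell != LOCKED_SHELL:
            rogue.append(name)
        elif (uid == 0 or uid >= 1000) and shell == LOCKED_SHELL:
            locked.append(name)
    return locked, rogue

def cmdlog_findings(lines):
    """Map each triggered rule name to the log lines that matched it."""
    hits = {}
    for line in lines:
        for rule, pattern in CMD_RULES.items():
            if pattern.search(line):
                hits.setdefault(rule, []).append(line)
    return hits

def is_darkradiation_like(passwd_text, lines, min_rules=3):
    """Flag the host when the rogue account exists and enough behaviours co-occur."""
    _, rogue = passwd_findings(passwd_text)
    return bool(rogue) and len(cmdlog_findings(lines)) >= min_rules
```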
Whoever is behind this new ransomware uses “a variety of hacking tools to move laterally on victims’ networks to deploy ransomware,” Trend Micro says in conclusion. The toolset includes various reconnaissance and spreader scripts, exploits specific to Red Hat and CentOS, and binary injectors, among others. It is noteworthy that most of these tools are barely detected on VirusTotal, and some of the scripts are still in development.
Facefish is another recently discovered Linux malware
In May 2021, security researchers detected a new Linux malware capable of stealing information from the system, such as user credentials and device details, and executing arbitrary commands. The malware was discovered by Qihoo 360 NETLAB security researchers who named its dropper Facefish. The malware was characterized as a backdoor for the Linux platform.