Wormable bash DarkRadiation Ransomware targets Linux distros and docker containers

DarkRadiation is a new strain of ransomware implemented in Bash that targets Linux and Docker cloud containers and leverages Telegram for C2.

Trend Micro researchers spotted a new strain of ransomware, dubbed DarkRadiation, which is writted in Bash script and target Linux distributions (Red Hat/CentOS and Debian) and Docker cloud containers.

The ransomware uses OpenSSL’s AES algorithm with CBC mode to encrypt files and leverages Telegram’s API for C2 communications. The ransomware appends radioactive symbols (“☢”) to the filenames of encrypted files. 

Experts noticed that most components of the attack chain have low detection rates in Virus Total, a user that goes online with the Twitter handler @r3dbU7z first reported the hack tools URL with the ransomware information.

The user first reported the existence of a malware command and control server at the IP address 185[.]141[.]25[.]168 and the availability of a collection of hacking tools in a directory named “api_attack.”

“Among all these tools, the content of “api_attack/” grabbed our attention. The “api_attack” directory contains the various versions of the Bash ransomware that we named DarkRadiation, as well as the SSH worm that is responsible for spreading this ransomware. The “Supermicro_cr_third” script in this directory seems to be the most complete version of the ransomware.” reads the analysis published by Trend Micro. “This script is obfuscated with an open-source tool called “node-bash-obfuscate”, which is a Node.js CLI tool and library to obfuscate bash scripts.”

Upon execution, DarkRadiation ransomware first checks if it is run as root, then if it has these permissions, it checks if Wget, cURL, and OpenSSL are installed; if they are not, the malware then downloads and installs them.

SentinelOne researchers reported that if any of the above tools are not available, the malicious code malware attempts to download the required tools using a python-based package manager, YUM (Yellowdog Updater, Modified), widely adopted by popular Linux distros such as RedHat and CentOS.

“The DarkRadiation scripts have a number of dependencies including wget, curl, sshpass, pssh and openssl. If any of these are not available on the infected device, the malware attempts to download the required tools using YUM (Yellowdog Updater, Modified), a python-based package manager widely adopted by popular Linux distros such as RedHat and CentOS.” reads the report published by SentinelOne.

One of the functions used by the malware, the bot_who function, is a bash script that allows operators to take a snapshot of the users that are currently logged into a Unix computer system using the “who” command. It stores the result in a hidden file called (“/tmp/.ccw”). The script executes the “who” command every five seconds and checks the output “.ccw” file. If a new user logging in, the malware sends a message to the attacker via Telegram’s API.

Before encrypting files, the ransomware retrieves a list of all available users on an infected system by querying the “/etc/shadow” file. Then it overwrites all existing user passwords with “megapassword” and deletes all existing users. Next, the malware creates a new user from its configuration section with username “ferrum” and password “MegPw0rD3” and executes the “usermod –shell /bin/nologin” command to disable all existing shell users on an infected system.

The researchers reported that the malware is also able to stop and disable all running Docker containers on an infected system and creates a ransom note.

The report includes Indicators of Compromise (IOCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]