Iran-Linked ‘Newbie’ Hackers Spread Dharma Ransomware Via RDP Ports

CyberPanther

Level 6
Thread author
Verified
Well-known
Oct 1, 2019
295
The recent Dharma campaign by Iran-linked script kiddies shows that the ransomware is being spread not just by sophisticated, state-sponsored actors anymore.
A group of ‘script kiddies’ tied to Iran are targeting companies worldwide with internet-facing Remote Desktop Protocol (RDP) ports and weak credentials in order to infect them with Dharma ransomware.
The Dharma malware (also known as Crysis) has been distributed as a ransomware-as-a-service (RaaS) model since at least 2016. While the ransomware was previously used by advance persistent threat (APT) actors, its source code surfaced in March 2020, making it available to a wider breadth of attackers. That is the case with this latest Iran-linked threat group, which researchers say is unsophisticated and has been targeting companies across Russia, Japan, China and India with the ransomware since June.
“The fact Dharma source code has been made widely available led to the increase in the number of operators deploying it,” Oleg Skulkin, senior digital forensics specialist with Group-IB, said in an analysis of the attacks posted Monday. “It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. Despite that these cybercriminals use quite common tactics, techniques and procedures they have been quite effective.”

 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top