Rewterz Threat Alert –Dharma Ransomware – Active IOCs

Severity

High

Analysis Summary

Italian Windows users are being targeting by a spam campaign that is spreading the Dharma ransomware as the end payload. Researchers indicates the spam emails attempt to disguise themselves as invoice emails. In reality, the spam is being used to infect users with the Ursnif keylogger or the Dharma ransomware. The emails claim that the included URL is a link to invoice documents that need the reader’s approval. The URL references a OneDrive page where a file named “New documento 2.zip” is automatically downloaded as soon as the page is displayed. The zip file contains a Visual Basic script and an image file. Should the user execute the Visual Basic script, infection begins. BleepingComputer researchers observed that both Ursnif and Dharma were the final payloads, though not to the same victim.

Impact

• Data Encryption

Indicators of Compromise

MD5

• d3fca5655244e79e375d92f0b276ac0a
• 6b2df8014f1c359769e4e7f24daa55ae

SHA-256

• 02ace2e2867208faa78003cedb058e7b494c4007dc4b4265c885702119d7e85a
• bf8ef00107e1a788d8c24d36fcd23f3e1133a154e9246f0a541b3526314b6b7d

SHA-1

• 206088a7827736cf1d58686b1afac25638ce192f
• 6b30d20311f3d5d8a140ee224cb3660e381e5f7d

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.