Iranian actors leveraged the Remote Desktop Protocol (RDP) as part of a global campaign to target companies with Dharma ransomware.

Group-IB uncovered the campaign while conducting an incident response engagement for a Russian company in June 2020.

As part of its investigation, the digital security solutions provider's digital forensics team found artifacts indicating that a group of inexperienced Persian-speaking actors had been responsible for an attempt to distribute Dharma on the affected company's network.

The group first gained a foothold in the company by abusing its Internet-facing RDP service, which was protected only by weak credentials.

Once inside the network, the actors had a choice of several tools for moving through it. One of these was Your Uninstaller, downloaded from an Iranian software-sharing website, which they used to disable anti-virus solutions on compromised hosts.

The actors also had the option of downloading additional tools from Persian-speaking Telegram channels.

At that point, the attackers used Advanced Port Scanner to map the compromised network for reachable hosts. They then moved laterally by abusing RDP again, this time between internal hosts.

On each host they reached, the actors dropped Dharma ransomware and demanded a ransom of 1-5 BTC.

Dharma ransomware note (Source: Bleeping Computer)

Group-IB found that the forensic artifacts of the attack were also present on other companies' networks in Russia, Japan, China and India. Each of those networks contained hosts with Internet-facing RDP and weak credentials.

The security firm explained that it wasn't expecting to observe the use of Dharma among actors who are "far behind the level of sophistication of big league Iranian APTs." As quoted from its research:

It's surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. Despite the fact that these cybercriminals use quite common tactics, techniques and procedures, they have been quite effective.

Acknowledging that fact, Group-IB recommended that organizations change the default port used for RDP connections, implement account lockout policies and avail themselves of threat intelligence feeds. Of these, the lockout policy (together with strong, non-default credentials) addresses the weakness that actually gave these actors their foothold; moving RDP off TCP port 3389 only reduces the noise from opportunistic scanners and does nothing against a password that can be guessed.
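The foothold described above, an Internet-facing RDP service with a guessable password, leaves a characteristic trail in the target's Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (Event ID 4624) of the same type from that address. The account lockout policy Group-IB recommends is aimed at exactly that burst. The following Python is an added example, not Group-IB's tooling and not anything from its report: it runs a sliding-window detector over constructed sample events in the Security-log field layout, flags a source that fails at least five RDP logons in ten minutes, and separately flags any RDP success that follows from a flagged source. The thresholds, the sample addresses and the event records are all assumptions made for the example.

```python
"""Detect RDP password guessing and the successful logon that follows it.

Added example, not Group-IB's code. Input is a list of records shaped like
Windows Security events (EventID 4625 = failed logon, 4624 = successful
logon); only LogonType 10 (RemoteInteractive, RDP) is considered.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"          # LogonType 10 = RemoteInteractive (RDP)
THRESHOLD = 5                  # failures from one source inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)

# Constructed sample records; addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # password guessing against the Internet-facing RDP service from one source
    {"time": "2020-06-01T02:00:01", "EventID": 4625, "LogonType": "10", "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"time": "2020-06-01T02:00:14", "EventID": 4625, "LogonType": "10", "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"time": "2020-06-01T02:00:27", "EventID": 4625, "LogonType": "10", "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"time": "2020-06-01T02:00:41", "EventID": 4625, "LogonType": "10", "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"time": "2020-06-01T02:00:55", "EventID": 4625, "LogonType": "10", "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    # the weak password is guessed: a successful RDP logon from the same source
    {"time": "2020-06-01T02:01:10", "EventID": 4624, "LogonType": "10", "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    # a single typo by a legitimate user: below threshold, no alert
    {"time": "2020-06-01T08:15:00", "EventID": 4625, "LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "198.51.100.5"},
    # six network (LogonType 3) failures: not RDP, ignored by this detector
    *[{"time": f"2020-06-01T09:00:{s:02d}", "EventID": 4625, "LogonType": "3", "TargetUserName": "svc", "IpAddress": "192.0.2.9"} for s in range(0, 60, 10)],
]


def parse_events(records):
    """Convert ISO timestamps to datetime and return the events in time order."""
    parsed = [dict(r, time=datetime.fromisoformat(r["time"])) for r in records]
    return sorted(parsed, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for RDP password guessing and for RDP logons that follow it."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    accounts = defaultdict(set)     # source IP -> account names it tried
    flagged = set()                 # sources already reported as guessing
    alerts = []
    for ev in events:
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        ip, when = ev["IpAddress"], ev["time"]
        if ev["EventID"] == 4625:
            recent = failures[ip]
            recent.append(when)
            accounts[ip].add(ev["TargetUserName"])
            # drop failures that have slid out of the window
            while when - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(recent),
                               "accounts": sorted(accounts[ip]),
                               "first": recent[0], "last": when})
        elif ev["EventID"] == 4624 and ip in flagged:
            # a success from a source that was guessing is the likely compromise
            alerts.append({"type": "rdp_logon_after_bruteforce", "ip": ip,
                           "account": ev["TargetUserName"], "time": when})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data the detector raises two alerts: one for 203.0.113.7 after its fifth failure (accounts `admin` and `administrator` tried) and one for the `admin` logon that follows. The single failure from 198.51.100.5 and the LogonType 3 failures produce nothing. In production the same logic would read 4624/4625 events from the Security channel or a SIEM, and the second alert type is the one worth paging on, since it marks the point at which a lockout policy would already have had to act.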

This news comes more than a year after researchers uncovered a new strain of ransomware known as "Phobos" that was using the same ransom note employed by Dharma to demand payment from its victims.