A new strain of ransomware called DarkRadiation targets Linux and Docker containers and uses messaging service Telegram to communicate with its C2 server.
“The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions,” researchers from Trend Micro said in a report published last week. “The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s).
There’s no information available about the methods or evidence that show that the ransomware has been used in actual attacks.
The malware came to light when a Twitter user @r3dbU7z first noticed a set of tools hosted on a threat actor’s infrastructure (IP address “220.127.116.11”) last month.
The DarkRadiation infection chain is a multi-stage attack that uses various Bash scripts to extract and encrypt files. It also uses the Telegram API to communicate with the C2 server via hardcoded API keys.
DarkRadiation is said to be under development, uses an open-source tool called node-bash-obfuscate to scramble the Bash code.
Upon execution, DarkRadiation checks if it is the root user of the system. It would then download and install Wget, cURL, and OpenSSL libraries. It takes a snapshot of the system’s users every five seconds, and then exfilts the results to an attacker-controlled server.
Alternatively, malware tries to install other tools packages, such as YUM:
“If any of these are not available on the infected device, the malware attempts to download the required tools using YUM (Yellowdog Updater, Modified), a python-based package manager widely adopted by popular Linux distros such as RedHat and CentOS,” SentinelOne researchers explained in a blog post about DarkRadiation on Monday.
The ransomware’s final phase includes retrieving all users, overwriting existing passwords, deleting all shell users, and creating a new user with a fitting username “ferrum.”
According to SentinelOne’s analysis, the password for the user “ferrum” can vary widely depending on the version of the malware, implying that the malware is undergoing rapid development.
“It must be noted that the ransomware appends radioactive symbols (‘.☢’) as a file extension for an encrypted file,” Trend Micro threat researcher Aliakbar Zahravi said.
In the second phase of the attack, SSH worm is deployed which received credentials in a base64-encoded form and eventually downloads and executes the ransomware.
“Malware written in shell script languages allows attackers to be more versatile and to avoid some common detection methods,” SentinelOne researchers said.
DarkRadiation can report the execution status on an infected system, along with its encryption key, and disable all running Docker containers on an infected machine, and display a ransom note.