Iranian actors used the Remote Desktop Protocol (RDP) as part of an international campaign to target companies with Dharma ransomware.
Group-IB uncovered the campaign while carrying out an incident response engagement for a Russian company in June 2020.
As part of that investigation, the security firm's digital forensics team found artifacts suggesting that a group of inexperienced Persian-speaking actors was responsible for attempting to spread Dharma across the affected company's network.
The group first gained a foothold in the company by abusing its internet-exposed RDP endpoints, which were protected only by weak credentials.
Once inside, the group drew on a range of tools to move through the compromised network. One of them was Your Uninstaller, a utility available on an Iranian software-sharing website that the actors used to disable antivirus software.
The actors also drew on additional tools distributed through Persian-language Telegram channels.
From there, the attackers used the Advanced Port Scanner tool to map the reachable hosts on the compromised network, then moved laterally over RDP.
On every host they reached, the actors deployed Dharma ransomware and demanded a ransom of 1-5 BTC.
Group-IB found the same forensic artifacts on the networks of other companies in Russia, Japan, China and India. Each of these networks had internet-exposed hosts running RDP with weak credentials.
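The two RDP patterns described above, the initial brute-force entry from the internet and the subsequent lateral fan-out across internal hosts, both leave a trail in Windows Security logon events (4625 failed logon, 4624 successful logon, logon type 10 for RemoteInteractive/RDP). The following detection script is an added example written for this page and is not code from Group-IB or from its report; the log lines are constructed for illustration, the simplified "timestamp event_id logon_type source_ip host account" record format is an assumption, and the thresholds (five failures in ten minutes, three distinct hosts in an hour) and the RFC 1918 definition of "internal" are assumptions to be tuned for a real environment.

```python
"""Flag RDP brute-force entry and RDP lateral fan-out from Windows logon events."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each line is:
# timestamp event_id logon_type source_ip target_host account
SAMPLE_EVENTS = """\
2020-06-01T02:00:01 4625 10 203.0.113.7 srv-edge admin
2020-06-01T02:00:03 4625 10 203.0.113.7 srv-edge administrator
2020-06-01T02:00:05 4625 10 203.0.113.7 srv-edge admin1
2020-06-01T02:00:07 4625 10 203.0.113.7 srv-edge administrator
2020-06-01T02:00:09 4625 10 203.0.113.7 srv-edge admin
2020-06-01T02:00:12 4624 10 203.0.113.7 srv-edge administrator
2020-06-01T02:30:00 4624 10 10.0.0.5 srv-fs01 administrator
2020-06-01T02:31:00 4624 10 10.0.0.5 srv-db01 administrator
2020-06-01T02:32:00 4624 10 10.0.0.5 wks-017 administrator
2020-06-01T02:33:00 4624 10 10.0.0.5 srv-app02 administrator
2020-06-01T09:00:00 4624 10 10.0.0.42 srv-fs01 jdoe
2020-06-01T09:05:00 4625 10 10.0.0.42 srv-fs01 jdoe
"""

# Assumption: "internal" means RFC 1918 space; anything else is treated as internet-facing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_events(text):
    """Parse the simplified record format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, host, account = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "source_ip": src,
            "host": host,
            "account": account,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when an RDP success from a source follows >= threshold RDP failures within `window`.

    This is the entry pattern: password guessing against an exposed RDP host that eventually lands.
    """
    failures = defaultdict(list)  # source_ip -> timestamps of 4625/type-10 events
    alerts = []
    for e in events:
        if e["logon_type"] != 10:
            continue
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append(e["time"])
        elif e["event_id"] == 4624:
            recent = [t for t in failures[e["source_ip"]] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "source_ip": e["source_ip"],
                    "host": e["host"],
                    "account": e["account"],
                    "failures": len(recent),
                    "external": not is_internal(e["source_ip"]),
                    "time": e["time"],
                })
                failures[e["source_ip"]].clear()  # do not re-alert on the same burst
    return alerts


def find_rdp_fanout(events, min_hosts=3, window=timedelta(hours=1)):
    """Return sources that opened RDP sessions to >= min_hosts distinct hosts within `window`.

    This is the lateral-movement pattern: one foothold reaching out to many hosts over RDP.
    """
    successes = defaultdict(list)  # source_ip -> [(time, host)] in time order
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            successes[e["source_ip"]].append((e["time"], e["host"]))
    flagged = {}
    for src, sessions in successes.items():
        for i, (start, _) in enumerate(sessions):
            hosts = {h for t, h in sessions[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for a in find_bruteforce(evts):
        print("RDP brute force:", a)
    for src, hosts in find_rdp_fanout(evts).items():
        print("RDP fan-out from", src, "to", hosts)
```

Run against the sample, the script reports one brute-force entry from the non-RFC 1918 address 203.0.113.7 (five failures then a success as "administrator") and one fan-out from 10.0.0.5 to four hosts in three minutes; the ordinary user on 10.0.0.42, with a single success and a single typo-style failure, is not flagged. Note that moving RDP to a non-default port, one of the mitigations suggested further down, does not change these events at all: the port scanner still finds the service and the logon events are still written, so the detection logic is worth having regardless of which port is in use.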
The security firm said it did not expect to see Dharma used by actors "well below the level of the Iranian big-league APTs". As its researchers wrote:
It is surprising that Dharma ended up in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a country of state-sponsored attackers engaged in espionage and sabotage. Although these cyber criminals employ fairly common tactics, techniques, and procedures, they have been very effective.
With this in mind, Group-IB recommended that companies change the default port used for RDP connections, implement account lockout policies, and leverage threat intelligence feeds.
This news comes more than a year after researchers discovered a new strain of ransomware called “Phobos” that used the same ransom note used by Dharma to demand payments from its victims.