Dharma abusing ESET AV installer to distract victim's attention

Dharma ransomware discovered abusing anti-virus installer to hide file encryption process

Dharma is found abusing an antivirus installation file. By bundling the installer of a legitimate security tool, Dharma ransomware runs file encryption in the background while the user watches the installer.

The developers of the infamous Dharma ransomware have found another way to run the ransomware on a victim's computer without being noticed. This time the criminals distribute a file named Defender_nt32_enu.exe that poses as an antivirus installer and is used to cover the malicious processes on the infected system. Trend Micro was the first to document samples of this technique.[1]

The delivery follows the same strategy as most other ransomware campaigns: the attackers reach the target through a malicious email message containing a link to the infected file.[2] At this stage their main goal is to convince the recipient to download the file behind the link. What is new here is that the recipient is also given a password, www.microsoft.com, in the email and is told to use it to open the downloaded file. A password-protected download also hampers automated scanning, since a scanner cannot inspect the contents without the password. This step had not been observed in other ransomware campaigns at the time of writing.

The ransomware payload is delivered by the Defender.exe file

The suspicious email message contains the following text:

Your Windows is temporarily at risk ! 
Our system has detected several unusual data from your Pc. 
It's corrupted by the DISPLAY SYSTEM 37.2%.
All of your information is at risk , this can damage the system files, data,
applications, or even cause data leaks etc.
Please update and verify your antivirus down below :
Password: www.microsoft.com

The downloaded file is named Defender.exe and is presented as something that will protect the system from the alleged risk. Its real purpose is to execute the ransomware payload, which is delivered as taskhost.exe, a name borrowed from a legitimate Windows system binary. To mask the encryption, the attackers also drop an older version of the ESET AV Remover tool. According to Trend Micro, the taskhost.exe executable is a Dharma sample and is detected as RANSOM.WIN32.DHARMA.THDAAAI.[3]

ESET AV Remover is used only as a decoy

Running the ESET AV Remover installation is a new way for the attackers to distract victims from the harmful process running in the background. While the user's attention is on the installer and on the supposed risk described in the fake Microsoft warning, Dharma ransomware runs the encryption and starts locking documents and other files on the machine.

As for the ESET AV Remover itself, even if its installation fails or never starts, Dharma still encrypts the data, because the two programs run independently of each other. The tool is completely legitimate, which is the main reason users may see nothing suspicious at first.
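The drop chain above (an installer-like parent spawning both a legitimate ESET AV Remover and a taskhost.exe that is not the Windows one) leaves a recognisable trace in process-creation telemetry. The following detection script is an added example written for this article; it is not code from 2-spyware or from Trend Micro's report. It runs two checks over Sysmon-style process-creation events: a Windows system-binary name executing from outside the Windows directories, and a legitimate installer started by the same parent within a few minutes of such a masquerading binary. The log lines, the avremover_nt32_enu.exe file name, the paths and the timestamps are constructed assumptions for the example, not observed campaign data.

```python
"""Detection example for the Dharma decoy-installer pattern.

Added here as an illustration; not the article's or Trend Micro's code.
The events below are constructed to mimic Sysmon EventID 1 (process
creation) flattened to one line each. Field names, file names (other than
Defender_nt32_enu.exe, Defender.exe and taskhost.exe, which the article
names), paths and timestamps are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Legitimate Windows binary names that malware borrows. taskhost.exe is the
# one used in this campaign; the others are assumed additions.
SYSTEM_BINARY_NAMES = {"taskhost.exe", "svchost.exe", "lsass.exe", "explorer.exe"}
# Directories where those names are expected to live.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Substrings identifying the decoy installer (assumed file-name hints).
DECOY_INSTALLER_HINTS = ("avremover", "eset")

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) ProcessCreate ParentImage="(?P<parent>[^"]*)" '
    r'Image="(?P<image>[^"]*)" CommandLine="(?P<cmd>[^"]*)"$'
)

# Constructed sample telemetry: the decoy chain plus one legitimate taskhost.
SAMPLE_LOG = [
    r'2019-05-10T09:01:02 ProcessCreate ParentImage="C:\Windows\explorer.exe" Image="C:\Users\alice\Downloads\Defender_nt32_enu.exe" CommandLine="Defender_nt32_enu.exe"',
    r'2019-05-10T09:01:05 ProcessCreate ParentImage="C:\Users\alice\Downloads\Defender_nt32_enu.exe" Image="C:\Users\alice\AppData\Local\Temp\Defender.exe" CommandLine="Defender.exe"',
    r'2019-05-10T09:01:07 ProcessCreate ParentImage="C:\Users\alice\AppData\Local\Temp\Defender.exe" Image="C:\Users\alice\AppData\Local\Temp\taskhost.exe" CommandLine="taskhost.exe"',
    r'2019-05-10T09:01:08 ProcessCreate ParentImage="C:\Users\alice\AppData\Local\Temp\Defender.exe" Image="C:\Users\alice\AppData\Local\Temp\avremover_nt32_enu.exe" CommandLine="avremover_nt32_enu.exe"',
    r'2019-05-10T09:30:00 ProcessCreate ParentImage="C:\Windows\System32\services.exe" Image="C:\Windows\System32\taskhost.exe" CommandLine="taskhost.exe $(Arg0)"',
]


@dataclass
class Event:
    ts: datetime
    parent: str
    image: str
    cmd: str


def parse(lines):
    """Parse the flattened event lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["parent"], m["image"], m["cmd"]))
    return events


def is_masquerade(image: str) -> bool:
    """True when a Windows system-binary name runs from an untrusted directory."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in TRUSTED_DIRS


def is_decoy_installer(image: str) -> bool:
    name = PureWindowsPath(image).name.lower()
    return any(hint in name for hint in DECOY_INSTALLER_HINTS)


def detect(lines, window=timedelta(minutes=5)):
    """Return (rule, subject) findings in the order they are produced."""
    events = parse(lines)
    findings = []
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e.parent.lower()].append(e)
        if is_masquerade(e.image):
            findings.append(("masquerade_outside_system32", e.image))
    # Correlate: same parent launches a decoy installer and a masquerading
    # binary within the window, which is the pattern described in the article.
    for children in by_parent.values():
        decoys = [c for c in children if is_decoy_installer(c.image)]
        fakes = [c for c in children if is_masquerade(c.image)]
        if any(abs(d.ts - f.ts) <= window for d in decoys for f in fakes):
            findings.append(("decoy_installer_with_masquerade", children[0].parent))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(rule, subject)
```

Against the sample log the script raises two findings: the taskhost.exe in the user's Temp folder, and Defender.exe as the parent that launched both the decoy installer and the fake taskhost. The legitimate C:\Windows\System32\taskhost.exe started by services.exe raises nothing. The first rule alone already covers this campaign; the correlation rule is the cheaper triage signal when a fleet sees many installer launches a day.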

Even though ESET AV Remover is a fully legitimate tool, in this campaign it is only bundled with the ransomware as a cover, and we urge all users to be vigilant about programs they did not request but that nevertheless run on their computers, as malicious activity may be hidden behind them.

Precautionary measures to prevent ransomware infections

As security experts, we highly recommend reviewing your computer's protection and asking whether the security software you have is enough. Make sure a reputable antivirus tool is running on your machine and is kept up to date.

Additionally, be cautious when opening emails and other messages from people you do not know. If a message landed in the spam folder, we recommend deleting it without opening it. Furthermore, if an email includes an attached executable or another type of document or file, scan the attachment with an antivirus tool before opening it.[4] Keep in mind that a password-protected archive, such as the one used in this campaign, cannot be inspected by a scanner until it is extracted, so a clean scan of such an archive proves nothing.

One more tip: take care of the important files stored on your computer. Copies of valuable data should be kept on storage that is not permanently connected to the machine, such as a USB flash drive that is unplugged after the backup, or on remote services such as iCloud[5] or Dropbox. A drive that stays attached, or a cloud folder that syncs automatically, can be encrypted along with the rest of the system.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
