A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, Trend Micro found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some scripts Debian-based Linux distributions are included as well. The worm and ransomware scripts also use the API of the messaging application Telegram for command-and-control (C&C) communication. Trend Micro also found that most components of this attack have very low detection numbers in Virus Total. The hack tools URL with the ransomware information was initially reported by Twitter user @r3dbU7z.
MALWARE FAMILIES:
DarkRadiation, libprocesshider
ATT&CK IDS:
T1027 – Obfuscated Files or Information, T1014 – Rootkit, T1490 – Inhibit System Recovery, T1030 – Data Transfer Size Limits, T1110 – Brute Force, T1136.001 – Local Account, T1003.008 – /etc/passwd and /etc/shadow, T1059 – Command and Scripting Interpreter, T1573 – Encrypted Channel
