There’s a new ransomware strain called DarkRadiation that’s being implemented entirely in Bash.
It is known that DarkRadiation targets Docker and Linux cloud containers (Red Hat/CentOS and Debian Linux distributions). C2 communications to inform of infection status are being done through the messaging service Telegram’s API.
The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files.
Have there been real-world attacks using DarkRadiation?
So far it’s unknown if there’s direct evidence of real-world attacks. It’s been found only through the threat actor’s infrastructure – IP address 220.127.116.11 via an “api_attack” directory.
The infection chain has a multi-pronged attack that heavily relies on Bash scripts to retrieve the malware and encrypt files. Telegram’s API is used to communicate with the C2 server via API keys.
DarkRadiation’s Bash script uses an open-source tool known as node-bash-obfuscate to split up the code. The original script is replaced with variable references to obfuscate its origins.
DarkRadiation checks if it’s run as the root user upon execution. It then uses the elevated permissions to download and install various libraries (OpenSSL, Wget, cURL) and uses the “who” command at 5-second increments to find out who’s currently logged into a Unix computer system.
Using the Telegram API these results are then exfiltrated to an attacker-controlled server.
If unavailable, the ransomware will attempt to download the tools necessary to carry out the attack using Yellowdog Update, Modified (YUM). YUM is a python-based package manager that’s widely used by Linux distros such as CentOS and RedHat.
In the final phase of the infection, the malware will obtain a list of all users on the compromised system. It will then overwrite existing user passwords with “megapassword” and delete all shell users. For the encryption process, it will create a new user (username: “ferrum”, password: “MegPw0rD3”)
The password for the user “ferrum” is sometimes downloaded from the attack’s command-and-control server, but in others it’s hardcoded with strings using a combination of different symbols, letters, and numbers. This suggests that the ransomware is undergoing rapid changes before it’s deployed.
Encrypted files receive radioactive symbols (appears as .☢) for their extension.
An SSH worm is also used to obtain a credential configuration in the form of a base64-encoded parameter. This is used to connect the target system using the SSH protocol to eventually download and execute the malware.
DarkRadiation can also stop and disable all running Docker containers on the infected machine. A ransom note is then displayed to the user.
DarkRadiation is written in a shell script language, so this allows the attackers to avoid many of the common detection methods.
Scripts don’t have to be recompiled. Accordingly they can be more quickly iterated upon. Security software often relies on static file signatures. Rapid iteration and obfuscation tools can generate script files that are totally different.