It was discovered that adversaries found a way to abuse popular solutions in these regions. Researchers analyzed a new campaign that targeted the South American and European countries. In the spring of the year 2019, the infamous Astaroth trojan started to exploit antivirus solutions for hiding its activities and to download additional modules. The AV remover process is to trick the users. Even if the AV remover is not executed, the ransomware will still run.
The ransomware runs as a separate instance from the AV remover. Using the ESET GUI onscreen to distract the user, it processes encryption in the backend. Once the ESET AV Remover installation begins, the ransomware initiates the encryption process in the background. The ransomware uses the old ESET AV Remover installer that appears unmodified, based on the initial scanning for diverting attention as it encrypts files on victim’s device. This is a malicious file and is also the old version of the renamed ESET AV Remover Defender_nt32_enuexe. After the user inputs the password, the downloaded files are self-extracting archive named Defenderexe, which in turn drops taskhostexe. Once, the user clicks on the link, it prompts for a password that has been provided in the email. The ransomware that primarily targets storage device was distributed via spam emails that urges users to click on the links attached within the email. First found in 2016, the ransomware uses the AES-256 encryption. The following two cases provide an insight on how attackers are abusing anti-viruses.Ī new variant of Dharma ransomware masquerades as an ESET AV Remover Installer in order to trick users and hide its malicious activities. Since the beginning of the year, number of cases have erupted that indicate at this growing trend where attackers are using anti-viruses to disguise ransomware attacks. Cyber attackers have found a new shield in the form of anti-viruses.
0 kommentar(er)
