Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software

A family of ransomware that has been infecting organizations around the globe now has a new trick up its sleeve: the file-locking malware is being distributed disguised as anti-virus software.

“Dharma” is the name of the infamous ransomware family that has been linked to tens of cyber-crime incidents.

Dharma’s "executive working team" is all about fabricating state-of-the-art attacks that are as lucrative as possible.

And with the recent stunt they have pulled, they stand a handsome chance of extorting ransom payments in exchange for decrypting files and unlocking networks on Windows systems.

The ransomware poses as anti-virus software, so users are tricked into downloading and installing it themselves.

Like many others, the attacks begin with “phishing emails” that claim to be from Microsoft, stating that the victim’s PC is at risk, under threat or corrupted.

The email lures the user into downloading the “anti-virus” through a download link; if the user goes through with it, two files are retrieved.

According to sources, they are the Dharma ransomware payload and an old version of anti-virus software from cyber-security company ESET.

When the self-extracting archive runs, Dharma starts encrypting files while the user is guided through the installation instructions for ESET AV Remover.

The installer’s interface is displayed on the desktop and still requires user interaction during the installation, which keeps the user distracted from the actual con.

Once the installation completes, the victim is immediately confronted with a ransom note demanding crypto-currency in exchange for unlocking the files.

Malware has often been hidden inside legitimate applications and software; in this case an official, unmodified ESET AV Remover was used.

Any other legitimate application could be abused in the same way to fool not only poorly cyber-educated users but even tech-savvy ones.

The file-locking malware is relatively new on the scene but powerful nonetheless, and its tactics keep being enhanced as work on it continues.

Cyber-criminals keep upgrading old threats and adopting the latest techniques to wreak as much havoc as possible.

Ransomware is an especially costly and dynamic threat that can strike in more than one way.

The only way to avoid falling prey to such devastating attacks is to secure email gateways, adopt better cyber-security practices, back up files, and patch and update constantly.


Fake Kaspersky Antivirus app found on Google Play, Windows Phone Store

While the Google Play Store is able to block malicious applications from being uploaded to the market, Google still fails to prevent cyber criminals from uploading fake apps.

Last month, Android Police discovered a fake antivirus app on Google Play going by the name 'Virus Shield', which fooled thousands of users into buying it.

The story of fake antivirus apps doesn't stop there. Today, experts at Kaspersky discovered another fake antivirus app on Google Play, going by the name 'Kaspersky Anti-virus 2014'.

The fake Kaspersky app was being sold for $4 and does nothing other than display the Kaspersky logo.

Researchers also discovered that a few fake apps were being sold in the Windows Phone Store, among them 'Mozilla Mobile', 'Kaspersky Mobile', 'Avira Antivir' and 'Virus Shield'.

The fake Kaspersky antivirus app for Windows Phone pretends to scan your device but does nothing.


A few weeks back, when I was searching for the TrueCaller app for my Windows phone, I also came across a fake paid version of TrueCaller and other apps. After I reported them to Microsoft, they removed those apps from the store.

Just now, I also found a fake version of COMODO Antivirus for Windows Phone which is being sold for $1.49. This fake app was uploaded by cheedella suresh (the name appears to be a South Indian name).


As you can see, the developer has also uploaded a few other fake apps to the Windows Phone Store. These apps were uploaded in recent months (April-May).

Malvertising on Aftonbladet news site targets IE users with Fake Antivirus

The website of Aftonbladet, Sweden's largest newspaper, has been found serving malicious ads that redirect users to a malicious website pushing fake antivirus.

A security researcher at Kaspersky said the website was spreading malware not because it was hacked, but because cyber-criminals compromised third-party ads running on the site.

The malicious script used in the malvertising attack checks whether the visitor is using the Internet Explorer browser; only IE users are redirected to the malware website.

The malware page does not exploit any vulnerabilities; instead it displays a fake virus alert, styled as a Microsoft Security Essentials message, claiming that potential threats were detected on the user's computer and recommending a clean-up.

Once the user clicks on the picture, it does not clean any viruses; instead it downloads a malicious, obfuscated Visual Basic executable file.

"Large websites often include content from other websites, and if the bad guys compromise any of those websites they can also manipulate the content which is getting included by the large website," the researcher said.

Antivirus that will alert about Criminal and Illegal content for $500

Isn't the title interesting? There is no such antivirus that alerts about criminal and illegal content; it is being advertised by a recently discovered ransomware.

Ransomware usually locks the victim's system or browser and displays a warning message pretending to be from the FBI or another authority. It informs victims that their system is locked because of their illegal activities and asks them to pay money to unlock it.

A new ransomware spotted by the Malwarebytes team interestingly informs victims that "Your criminal records have been deleted".


The malware also suggests that victims buy an antivirus for $500 from them in order to unlock the system and avoid other legal consequences.

Those who fall for this scam end up paying around $1200. As I said earlier, no such antivirus exists. After paying the ransom, you just receive a message saying "your browser will be unlocked within 12 hours" and nothing else.

New Fake AV 'Antivirus System' can't be removed from Safe Mode with networking


These days, when malicious software, viruses and trojans are so rampant, it is no wonder that fake antivirus is also common. A perfect example is “Antivirus System,” a fake AV analyzed by experts at Webroot.

Antivirus System scans the user's files and then reports threats that supposedly must be removed as soon as possible. To remove them, the app must be registered, which costs a certain amount of money.

In addition, the fake AV also sports some features that are common in legitimate security solutions. (Reported by news.softpedia.)

In many cases such threats are easy to remove by booting the computer into Safe Mode and scanning it with a genuine antivirus product.

Antivirus System, however, is not that easy to remove, since the malware injects itself into the Explorer shell, which is loaded in Safe Mode as well. This prevents the user from starting any executable.

Nevertheless, this does not mean you have to waste your money activating the product; there is always a way out.

Ideally an antivirus solution should stop the malware before it affects the system; if it has already infected your system, these are the steps to follow:

* Start your computer in Safe Mode with Command Prompt (this doesn't launch the Explorer shell, so the fake AV will be inactive).

* Then create a new administrator account by typing “control nusrmgr.cpl”.

* Once the account is created, reboot the computer and log in to the new account.

This new account is unaffected by the virus, and you are free to remove the malicious software from your computer. But beware next time.
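The same recovery steps as a script you can run from the Safe Mode with Command Prompt session, as an added example that is not part of the original article. It uses the command-line `net user` and `net localgroup` tools in place of the `nusrmgr.cpl` applet mentioned above; the account name `CleanAdmin` is a placeholder, and the group name assumes an English-language Windows install.

```batch
@echo off
rem Added example, not from the article: run from Safe Mode with Command Prompt.
rem Creates a fresh local administrator account with "net user" instead of the
rem nusrmgr.cpl applet. "CleanAdmin" is a placeholder account name.

rem 1. Confirm the Explorer shell (where the fake AV hides) is not running.
rem    tasklist prints an INFO line instead of failing when nothing matches,
rem    so pipe it through find to get a usable exit code.
tasklist /fi "imagename eq explorer.exe" | find /i "explorer.exe" >nul
if %errorlevel%==0 (
    echo explorer.exe is running - this is not Safe Mode with Command Prompt.
    exit /b 1
)

rem 2. Create the account; "*" prompts for the password instead of echoing it.
net user CleanAdmin * /add
if errorlevel 1 (
    echo Could not create the account.
    exit /b 1
)

rem 3. Add the new account to the local Administrators group.
net localgroup Administrators CleanAdmin /add

rem 4. List the group members so you can verify CleanAdmin is there.
net localgroup Administrators

rem 5. Reboot, log in as CleanAdmin, and run a genuine AV scan from there.
shutdown /r /t 0
```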

70% Antivirus Solutions still fails to detect Fake AV


Fake antivirus (scareware), also referred to as rogue security software, is one of the most frequently encountered malware threats; it pretends to be legitimate security software.

Fake AV attempts to scare victims into believing their system is infected with malware that does not really exist. It keeps displaying annoying fake virus warnings and asks victims to pay money to clean up the non-existent malware.

Recent research from Zscaler shows that more than 70% of legitimate antivirus applications fail to detect the fake AV (only 12 of 43 engines detect it). Three years ago, the detection ratio for fake AV was 6/41.

Fortunately, Google Safe Browsing and Internet Explorer's SmartScreen Filter blocked the malicious page that serves the fake AV.

According to the researchers, the malware disables the firewall and existing AV solutions, disables AV updates, disables security warnings and sets itself as the default AV solution.

The malware then downloads and runs a file called 'data.exe' from a malicious domain that is blocked by Google Safe Browsing; the executable itself is detected by only 9 of 46 AV engines.