Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.


Don't Dare Cancel Movie Tickets Online; You Could Be Subject To Fraud, "Vishing" To Blame!




A woman got scammed and was fraudulently ripped off of Rs.40,000 after she decided to cancel her movie tickets online. This is what exactly happened.


Reportedly a resident of Jankipuram, Lucknow, the aforementioned lady cancelled her movie tickets that she had booked via a popular website.

Things went sideways, when she called a "customer care executive" to claim a refund. 

This is a classic paradigm for "Vishing". The call version of Phishing, wrests money during the duration of the call.

Despite having cancelled her tickets within the stipulated period, the amount wasn't credited to her account.

She called the "customer care executive" and after he irritably answered she had to file a TOI report.

Furthermore she got a call from someone pretending to be from the ticket booking website she'd used.

The person lured her into giving away the details of her credit cards, putting up an act of helping her.

Pretty soon after the call was hung up, the woman noticed Rs. 40,000 missing from her account.


As customary to a "Vishing" fraud, the victim receives a call where the caller pretends to be a representative of a company.

To keep up the pretense, the caller would ask for the victim's details like name, date of birth and mobile number. Furthermore, the call's made from a landline.

The next step is pretty cliche. The victim ill be asked to reveal the details like their customer ID of online banking or credit/debit cards details.

Then come the bank account details followed by asking for the OTP on the victim's phone.

The main motive behind "Vishing" is hijacking the victim's online bank account and trying to harvest the money on it.

Cyber Tip:  No Legit Bank/Company Representative Would Ever Ask For Your Personal Details. Ever!

Phishing Attacks on Microsoft and Outlook; By Way of Microsoft’s Azure Blob Storage




Two major phishing campaigns have been discovered by the researchers which uses Microsoft’s Azure blob to steal details from Outlook and Microsoft accounts.


Both the campaigns employ real-looking landing pages which make use of SSL certificates and the windows.net domain to seem authentic.

The first phishing email goes around asking the receivers to log into their office 365 account to update the information.

The emails happened to have “Action Required: (email address) information is outdated-Re-validate now!!” in their subject boxes.

The moment a user clicks on the link provided in the mail, they will be directed to a landing page which fake-acts as the organization’s Outlook Web App.

This landing page is what does the main task of stealing the credentials from the user.

The second one works on stealing users’ Microsoft account details and credentials.

The process to lure in the user starts from Facebook’s workplace service and ends up taking the user to a Microsoft’s landing page.

This could either be s single-sign-on approach or a mixed up campaign for luring victims in.

The Microsoft account the users are brought to, is fairly legit looking as it uses the same form and the same background for that matter.

Both the landing pages make use of Azure Blog Storage to make them look convincing and as far as possible, legitimate.

All Microsoft Azure does is that is adds legitimacy to the landing pages used by the phishing-cons to target the Microsoft services.

The Azure Blob storage URLs use the windows.net domain making the landings look fairly legitimate.

One of the phishing links which is not in use anymore had the URL-  https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/ and the domain name seemed to do the trick.

Also, every URL on Azure Blob Storage happens to be using a wildcard SSL certificate from Microsoft, making every landing page get a “lock symbol”.

This would exhibit a Microsoft certificate every time a user would try to click on the certificate to check who signed, making the entire sham all the more believable.

To steer clear of such phishing attack one thing need to be kept in mind that the original login forms from Outlook and Microsoft could indubitably have outlook.com, live.com, and Microsoft.com as their domain names.


Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



With malicious intentions of targeting the users across the globe, attackers are reported to be disseminating new dubbed Muncy malware in the form of EXE file through DHL phishing campaigns.

Resorting to malspam emails, DHL phishing is amongst the most far-reaching campaigns which distributed several sophisticated malware. They made it appear legitimate by exploiting the deplorable configuration of SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in providing express mail services, international couriers and parcels. The reputation of the well-established company took some hits by the cybercriminals as they abused it to distribute malware. 

They did so by configuring the malicious emails to appear to be coming from DHL express. The email comprised of an infected attachment in PDF format.

How the malware is executed?

As soon as the targeted user accesses the PDF attachment, Muncy Trojan file sneaks into the system. Then the packed malware is unpacked and once unpacked it scans the whole C:\ drive for the files containing sensitive data. 

Expert takes

Commenting on the matter, Pedro Tavares, Founder, and Pentester at CSIRT.UBI told the GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting user’s in-the-wild while stealing sensitive information from their devices.”