Iranian actors leveraged the Remote Desktop Protocol (RDP) as part of an international campaign to target companies with Dharma ransomware.

Group-IB uncovered the campaign while conducting an incident response engagement for a Russian company in June 2020. As part of its investigation, the digital security solutions provider's digital forensics team found artifacts indicating that a group of inexperienced Persian-speaking actors had been responsible for an attempt to distribute Dharma on the affected company's network.

The group first gained a foothold in the company by abusing its Internet-facing RDP along with weak credentials. Once inside the network, it had several tools to choose from for moving through the compromised environment. Those included Your Uninstaller, a tool available on an Iranian software sharing website that enabled the actors to disable anti-virus solutions. The actors also had the option of downloading additional tools from Persian-speaking Telegram channels.

The attackers then used Advanced Port Scanner to map the compromised network for available hosts, after which they moved laterally by abusing RDP. On each host to which they moved, the actors dropped Dharma ransomware and demanded a ransom of 1-5 BTC.
[Image: Dharma ransomware note (Source: Bleeping Computer)]

Group-IB found that the forensic artifacts of the attack were present on other companies' networks in Russia, Japan, China and India. Each of those networks contained hosts with Internet-facing RDP and weak credentials. The security firm explained that it wasn't expecting to observe the use of Dharma among actors who are "far behind the level of sophistication of big league Iranian APTs." As quoted from its research:
It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. Despite the fact that these cybercriminals use quite common tactics, techniques and procedures, they have been quite effective.
Acknowledging that fact, Group-IB recommended that organizations change the default port used for RDP connections, implement account lockout policies and avail themselves of threat intelligence feeds. This news comes more than a year after researchers uncovered a new strain of ransomware known as “Phobos” that was using the same ransom note employed by Dharma to demand payment from its victims.
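A detection check that follows from the initial-access pattern described above (Internet-facing RDP plus weak credentials) and from the account lockout recommendation, as an added example that is not part of the original article or of Group-IB's research. It parses constructed Windows Security log lines (EventID 4625 for a failed logon, 4624 for a successful one, LogonType 10 for an RDP session), flags a source address that accumulates a threshold of failed RDP logons inside a sliding window, and escalates the alert when the same source then logs on successfully, which is the "guessing followed by success" sequence that precedes the lateral movement described in the article. The flattened log format, the sample addresses and usernames, and the threshold and window values are assumptions; the threshold is chosen to mirror a typical lockout policy, so a source that trips it on a host without lockout configured is exactly the case the recommendation is meant to close.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article or from any real incident).
# Windows Security events flattened to one key=value line each:
#   EventID 4625 = failed logon, 4624 = successful logon,
#   LogonType 10 = RemoteInteractive (RDP), LogonType 3 = network logon.
SAMPLE_LOG = """\
2020-06-01T02:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-06-01T02:00:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-06-01T02:00:05Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-06-01T02:00:07Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-06-01T02:00:09Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-06-01T02:00:12Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-06-01T09:15:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.24
2020-06-01T09:15:20Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.24
2020-06-01T11:00:00Z EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
"""

# Assumed flattened line shape; a real pipeline would read the XML or EVTX fields directly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Severity is 'medium' for guessing alone and 'high' when the same source
    later logs on successfully over RDP. threshold/window are assumed values
    chosen to mirror a lockout policy of 5 attempts in 10 minutes.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed RDP logons in window
    users = defaultdict(set)       # ip -> usernames tried (spraying indicator)
    alerts = {}                    # ip -> alert dict

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue   # only RemoteInteractive (RDP) logons matter for this check
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            # keep only failures that are still inside the sliding window
            recent = [t for t in failures[ip] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[ip] = recent
            users[ip].add(ev["user"])
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {
                    "ip": ip, "failures": 0, "users": [],
                    "success_user": None, "severity": "medium",
                })
                alert["failures"] = len(recent)
                alert["users"] = sorted(users[ip])
        elif ev["event_id"] == 4624 and ip in alerts and alerts[ip]["success_user"] is None:
            # guessing followed by a success from the same source: treat as likely
            # credential compromise, the precursor to RDP lateral movement
            alerts[ip]["success_user"] = ev["user"]
            alerts[ip]["severity"] = "high"

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_password_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is it reports one alert: 203.0.113.7 accumulates five failed RDP logons across three usernames within eleven seconds and then succeeds as `backup`, so it is raised at high severity, while the single failure from 10.0.0.24 and the non-RDP logon from 10.0.0.5 produce nothing. The same logic maps onto a SIEM correlation rule; the window and threshold should be set to match the lockout policy actually deployed so that an alert firing on a host means either the policy is missing there or the source is cycling accounts to stay under it.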