Antivirus Tool Used by Dharma Ransomware to Hide Malicious Activity

Security researchers at Trend Micro have discovered the threat actors behind Dharma ransomware are using a legitimate AV tool to hide the malicious activities of their ransomware.

Dharma ransomware first surfaced in 2016 and has since been used in many attacks on businesses, in particular attacks on healthcare organizations in the United States. The ransomware variant is distributed via spam email which contains a link to a web page hosting a malicious file. The user is encouraged to download and execute that file, which starts the infection process.

This method of distribution and installation is typical of many ransomware and malware variants; however, a new technique is now being used to hide the activity of the ransomware.

The email messages claim that a security risk has been detected on the user’s computer which requires immediate attention. The message claims that 37.2% of the DISPLAY SYSTEM has been corrupted and antivirus software must be used to remove a malware infection before it results in permanent damage to system files and data theft.

The downloaded file is password protected. The user is provided with a password in the message body which must be entered to open the file. The password supplied to open the file is www.microsoft.com.

The file is actually a self-extracting archive called Defender.exe, which downloads a file called taskhost.exe (Dharma) and an ESET antivirus file called Defender_nt32_enu.exe.

The ESET AV tool is legitimate, albeit an old version of the software. It requires manual installation, and while the user is working through that installation, Dharma ransomware is encrypting files in the background. The AV tool is used to draw attention away from the file encryption.

To prevent the AV software from interfering with the ransomware, the ransomware runs as a separate instance. The malware and the AV tool are not linked, and file encryption occurs regardless of whether the AV tool is executed.
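The dropper chain described above gives a defender a concrete host-side signal: a process named Defender.exe writing taskhost.exe and Defender_nt32_enu.exe. The following is an added example by the editor, not code from the article or from Trend Micro, showing how such a rule could be run over file-creation telemetry. The record format (timestamp, pid, writing process, created file) is an assumed simplification of Sysmon-style events, and the sample events are constructed. The rule alerts on the payload write alone, because the article notes that encryption happens whether or not the decoy installer is ever run.

```python
"""Detect the decoy chain described above: a self-extracting archive named
Defender.exe writing taskhost.exe (the Dharma payload) and
Defender_nt32_enu.exe (the old but legitimate ESET installer).

Added example by the editor; not code from the article or from Trend Micro.
The event format is an assumption: a simplified file-creation record of the
form 'timestamp|pid|writing process path|created file path'. The sample
events below are constructed.
"""
from collections import defaultdict

# File names taken from the article.
DROPPER = "defender.exe"
RANSOMWARE_PAYLOAD = "taskhost.exe"
DECOY_AV_INSTALLER = "defender_nt32_enu.exe"


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_event(line):
    """Parse one 'ts|pid|image|target' record; return None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, pid, image, target = parts
    return {
        "ts": ts,
        "pid": pid,
        "image": basename(image).lower(),
        "target": basename(target).lower(),
    }


def find_dharma_decoy_chain(lines):
    """Return one alert per Defender.exe process that writes the ransomware
    payload. The decoy installer is reported when seen but is not required:
    the article notes encryption runs whether or not the AV tool is used,
    so a rule that waits for the installer would miss the important case."""
    writes = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["image"] != DROPPER:
            continue
        writes[ev["pid"]].add(ev["target"])

    alerts = []
    for pid, targets in writes.items():
        if RANSOMWARE_PAYLOAD in targets:
            alerts.append({
                "pid": pid,
                "payload_written": True,
                "decoy_installer_written": DECOY_AV_INSTALLER in targets,
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"2019-05-01T10:00:01|4120|C:\Users\victim\Downloads\Defender.exe|C:\Users\victim\AppData\Local\Temp\taskhost.exe",
    r"2019-05-01T10:00:02|4120|C:\Users\victim\Downloads\Defender.exe|C:\Users\victim\AppData\Local\Temp\Defender_nt32_enu.exe",
    r"2019-05-01T10:00:05|6100|C:\Windows\explorer.exe|C:\Users\victim\Documents\report.docx",
    r"2019-05-01T10:03:11|7200|C:\Users\victim\Downloads\Defender.exe|C:\Users\victim\AppData\Local\Temp\taskhost.exe",
    "malformed line with no separators",
]

if __name__ == "__main__":
    for alert in find_dharma_decoy_chain(SAMPLE_EVENTS):
        print(alert)
```

The second Defender.exe process in the sample (pid 7200) writes only the payload and still produces an alert; matching on the file names rather than on a hash keeps the rule useful across repacked samples, at the cost of needing a parent-process check in environments where a legitimate tool named Defender.exe exists.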

There are several steps that can be taken to block this attack and limit the harm caused. A secure email gateway should be implemented to stop this and other malicious emails from being delivered.

It is also important for users to be alert to the risk of ransomware and other malicious emails. There are signs that this email is not what it appears to be, namely the format of the email and the fact that it is an unsolicited message requiring the download of an executable file. Security-aware individuals should recognize the email as potentially malicious.
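The signs the article points to can also be turned into a gateway-side triage rule. The following is an added example by the editor, not the article's or any gateway vendor's code: it checks a message body for a link to a downloadable executable or archive, a download password handed out in the body, and a scare claim that the system is corrupted, and quarantines when two or more of those appear together. The sample messages, the reserved host example.invalid, and the two-sign threshold are constructed assumptions.

```python
"""Heuristic triage for the lure described above. Added example by the
editor, not the article's or any gateway vendor's code. It looks for the
signs the article names: a link to a downloadable executable or archive,
a password for that download handed out in the body, and a scare claim that
the system is corrupted and needs immediate attention. The messages, the
URL host and the quarantine threshold below are constructed assumptions.
"""
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOWNLOAD_EXT = (".exe", ".scr", ".zip", ".rar", ".7z")
# "password ... is <token>" or "password: <token>" within a short span.
PASSWORD_RE = re.compile(r"\bpassword\b[^.\n]{0,40}?(?:\bis\b|:)\s*\S+", re.IGNORECASE)
SCARE_RE = re.compile(
    r"\b(?:corrupt(?:ed)?|infected|immediate attention|permanent damage)\b",
    re.IGNORECASE,
)


def download_links(body):
    """URLs whose path ends in an executable or archive extension."""
    found = []
    for url in URL_RE.findall(body):
        cleaned = url.rstrip(".,;)")
        if cleaned.lower().endswith(DOWNLOAD_EXT):
            found.append(cleaned)
    return found


def score_message(body):
    """Return the matched reasons and a quarantine decision (two or more
    signs). A single sign alone is not enough: plenty of legitimate mail
    links to an installer or mentions a password."""
    reasons = []
    if download_links(body):
        reasons.append("link to downloadable executable or archive")
    if PASSWORD_RE.search(body):
        reasons.append("download password supplied in message body")
    if SCARE_RE.search(body):
        reasons.append("scare claim of system corruption")
    return {"reasons": reasons, "quarantine": len(reasons) >= 2}


# Constructed messages; the host example.invalid is reserved and never resolves.
LURE = (
    "Security risk detected! 37.2% of the DISPLAY SYSTEM has been corrupted and "
    "requires immediate attention. Download the antivirus now: "
    "http://example.invalid/Defender.exe . The password to open the file is "
    "www.microsoft.com."
)
BENIGN = (
    "Hi team, the meeting notes are at https://example.invalid/notes/q1 and "
    "the slides are attached. Thanks."
)

if __name__ == "__main__":
    print(score_message(LURE))
    print(score_message(BENIGN))
```

Keyword and extension lists like these are easy to evade and are best treated as one input to a gateway's scoring alongside sender reputation and attachment sandboxing; the point of the example is the combination rule, which is what separates this lure from ordinary mail that happens to link to an installer.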

To ensure that files can be recovered without paying the ransom in the event of a ransomware attack, all files should be backed up regularly and the backups stored on a non-connected device or in the cloud. Businesses should also apply the principle of least privilege and network segmentation to limit the harm caused by a ransomware attack.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news