
Malspam distributing Troldesh ransomware, (Wed, Nov 16th)

2016-11-20 01:20


Earlier this week on Monday 2016-11-14, I found an example of malicious spam (malspam) distributing Troldesh ransomware. Troldesh (also called Filecoder or Shade) was initially reported in 2015 [1, 2]. That same year, I documented two examples of Troldesh ransomware delivered through exploit kit campaigns [3, 4]. By July 2016, Microsoft reported a new variant of Troldesh [5], and that seems to be the variant I found on Monday.

This diary takes a closer look at this week's Troldesh infection in my lab environment.

The malspam

The emails I saw from this wave of malspam were disguised as an account change notification from Sberbank of Russia.

Shown above: Google translation of the Russian language text.

The malware

The URL from the email redirected to another URL leading to a file named document.zip. Within that zip archive is an executable file with an .scr file extension.

Shown above: Desktop of an infected Windows host.

The encrypted files all had .da_vinci_code as a file extension.

Shown above: Translation of the feedback form to English.

The traffic

The traffic is similar to what I saw from two Troldesh examples last year [3, 4]. This particular infection generated Tor traffic immediately after the ransomware was sent.

Shown above: Some of the alerts seen from the Snort ruleset.

Indicators of Compromise (IOCs)

The following are IOCs associated with this infection.

Link from the email and redirect URL to download the zip archive:

  • port 80 - www.hizlikiralikforklift.com - GET /wp-content/themes/nanocrea/document.html
  • port 80 - appitel.fr - GET /vcard/Philippe/rw_common/themes/affero/document.zip

Downloaded zip archive - file name: document.zip

  • SHA256 hash: 99d54e5c2e033d7703d9f449662bfcef1cb2ea0933dcfe0ca97e13e83cb9177b

Extracted malware - file name: _xls.scr

  • SHA256 hash: 749ed7d4fc97baa5e1068154fd642b23e9981f273fb18da2e02a8d925d7ca4d8

IP address check by the infected Windows host:

  • whatismyipaddress.com - GET /

Tor traffic using various domains, IP addresses, and TCP ports.
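As an added example (not part of the diary or Brad Duncan's tooling), the following Python script turns the indicators above into two defender checks: matching the download and redirect URLs plus the post-infection public-IP lookup against proxy log lines, and inspecting a zip archive for executable entries such as the _xls.scr found in document.zip. The log lines and the zip contents are constructed for the example; the log format (client host path status) is an assumption.

```python
import io
import zipfile
from typing import Dict, List

# Indicators taken from the diary above: host -> URI path of the redirect and download.
IOC_URLS = {
    "www.hizlikiralikforklift.com": "/wp-content/themes/nanocrea/document.html",
    "appitel.fr": "/vcard/Philippe/rw_common/themes/affero/document.zip",
}
# Executable-type extensions that should not arrive inside an emailed zip.
EXEC_EXT = (".scr", ".exe", ".pif", ".com")

# Constructed proxy log lines (not from the diary): "client host path status".
SAMPLE_LOG = """\
10.0.0.7 www.hizlikiralikforklift.com /wp-content/themes/nanocrea/document.html 302
10.0.0.7 appitel.fr /vcard/Philippe/rw_common/themes/affero/document.zip 200
10.0.0.7 whatismyipaddress.com / 200
10.0.0.9 www.example.com /index.html 200
"""

def match_log(log: str) -> List[Dict[str, str]]:
    """Flag lines whose host and path match a diary IOC, or whose host is the
    public-IP check the infected host performed right after execution."""
    hits = []
    for line in log.splitlines():
        client, host, path, _status = line.split()
        if IOC_URLS.get(host) == path:
            hits.append({"client": client, "reason": "ioc_url", "host": host})
        elif host == "whatismyipaddress.com":
            hits.append({"client": client, "reason": "ip_check", "host": host})
    return hits

def risky_zip_entries(zip_bytes: bytes) -> List[str]:
    """Return zip entries with an executable extension that also start with the
    'MZ' PE header, the pattern of document.zip carrying _xls.scr."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(EXEC_EXT) and zf.read(name)[:2] == b"MZ":
                found.append(name)
    return found

def build_sample_zip() -> bytes:
    """Constructed stand-in for document.zip: a fake PE stub named _xls.scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_xls.scr", b"MZ" + b"\x00" * 62)  # inert bytes, not malware
        zf.writestr("readme.txt", b"not an executable")
    return buf.getvalue()
```

On the constructed log, match_log flags the two IOC URLs and the IP check from the same client, which is the sequence a single infected host would produce.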

Final words

A copy of the infection traffic, associated email, malware, and artifacts can be found here.

Ultimately, Troldesh is one of the many families of malware we see from malspam on a near-daily basis. It remains profitable enough that criminals will not stop distributing it. We expect to find more samples of Troldesh and similar ransomware in the coming months.

Fortunately, best security practices will help prevent infections like the example in today's diary. A good email filtering system, properly administered Windows hosts, and an educated workforce mean users are much less likely to be infected.

Brad Duncan
brad [at] malware-traffic-analysis.net

[1] http://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/
[2] https://blogs.technet.microsoft.com/mmpc/2015/08/09/emerging-ransomware-troldesh/
[3] http://www.malware-traffic-analysis.net/2015/04/09/index.html
[4] http://www.malware-traffic-analysis.net/2015/09/18/index.html
[5] https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: https://isc.sans.edu/diary.html?storyid=21717&rss
