Posted by: Dilen Thakuri, Cofense Phishing Defense Center
On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email carrying the Troldesh malware, a variant of Russian ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.
Beyond phishing distribution, Troldesh has been used to target thousands of vulnerable WordPress (admin login) sites, as tracked by Wordfence researchers in August 2017. During our analysis, we found 1,254 WordPress administrator login pages in the memory of one of the malicious processes.
If successful, it will upload the malicious file onto the website to encrypt the files and extort ransom from the site owner. It allows the victim to interact with the threat actor via email and even grants discounts on ransoms.
Here’s what the email looked like.
The email body was in Russian as demonstrated in figure 1.
The email appears to come from prohorov.s[@]tmmu[.]ru, but our analysis of the email header revealed that it was actually sent from lightxp[@]ombaksalary[.]pl. The email prompts the user to click on a link whose visible text reads sberbank[.]ru/blinov; inspecting the hyperlink shows that it in reality points to hxxp://moolianco[.]com/templates/jm_plus/css/?\\\.
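The three tells described above (a From address whose domain differs from the envelope sender, visible link text naming one host while the href points at another, and an attachment with a double extension) can be checked mechanically. The following is an added example, not code from the Cofense post, run over a constructed message that reuses the values quoted above; the list of suspicious double extensions is an assumption.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the post; it is not the real message.
SAMPLE = b"""From: prohorov.s@tmmu.ru
Return-Path: <lightxp@ombaksalary.pl>
Subject: Vypiska po schetu
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><a href="http://moolianco.com/templates/jm_plus/css/">sberbank.ru/blinov</a></body></html>
--b1
Content-Type: application/zip; name="vipiska.po.schetu.xls.zip"
Content-Disposition: attachment; filename="vipiska.po.schetu.xls.zip"

--b1--
"""

# Assumed list of double extensions worth flagging (the post shows .xls.zip and .xls.js).
RISKY_DOUBLE_EXT = (".xls.zip", ".xls.js", ".doc.js", ".pdf.exe")

class _Links(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def _host(s):
    # Link text such as "sberbank.ru/blinov" has no scheme; add one so urlparse finds the host.
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def _domain(header_value):
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()

def triage(raw):
    """Return a list of human-readable findings for the raw RFC 822 message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower().endswith(RISKY_DOUBLE_EXT):
            findings.append(f"double-extension attachment: {fn}")
        if part.get_content_type() == "text/html":
            p = _Links()
            p.feed(part.get_content())
            for text, href in p.links:
                if "." in text and _host(text) != _host(href):
                    findings.append(f"link text {text!r} actually points to {_host(href)}")
    return findings
```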
File name: vipiska[.]po[.]schetu[.]xls[.]zip
File Size: 9,230 Bytes
File name: éd»¿ß¬á »« ßtÑGp[.]xls[.]js
File Size: 22,177 Bytes
IP address: 38[.]99[.]139[.]142
(At the time of analysis, this URL was not responding and returned a 404 error.)
IP address: 103[.]21[.]58[.]231
Downloaded Malicious file:
Depending on the system configuration and IP location, one of four files is retrieved:
File name: 1.exe / rad678F8.tmp / csrss.exe
File size: 1,449,472 Bytes
File Name: C0DD6334.exe/csrss.exe
File Size: 1,032,704 Bytes
File Name: 76D18926.exe/csrss.exe
File Size: 887,808 Bytes
File Name: 508EE6C3.exe
File Size: 1,497,600 Bytes
When one of the files above is downloaded and executed, it immediately spawns cmd.exe and launches rad678F8.tmp as a child process, as shown in figure 2.
The process starts making connections to various other domains, including domains on the TOR network which can be seen in figure 3.
Once the encryption keys have been imported and persistence has been set up on the victim’s system, the machine’s files are encrypted and the following screen is displayed, and several Readme.txt files are dropped to the victim’s desktop. The readme file instructs the victim to send an email to pilotpilot088[@]gmail[.]com with the given code for further instructions, as demonstrated in figure 4.
Files which are encrypted are renamed with a .CRYPTED000007 file extension.
To achieve persistence, the malware modifies the registry keys under the following locations:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (64-bit system)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (32-bit system)
Be on the lookout!
The Troldesh variant appears to be making a comeback. Businesses and individuals should take precautionary measures to avoid having their machines encrypted and facing ransom demands. Security analysts and operators should be alert for phishing emails that lure users into clicking a link or downloading innocent-looking files that infect their machines. Virtually any type of business, as well as individual website owners, is a potential target.
To see the past year’s malware trends and what to expect now, read the Cofense Malware Review 2018.