Introduction Earlier this week on Monday 2016-11-14, I found an example of malicious spam (malspam) distributing Troldesh ransomware. Troldesh (also called Filecoder or Shade) was initially reported in 2015 [1, 2]. That same year, I documented two examples of Troldesh ransomware delivered through exploit kit campaigns [3, 4]. By July 2016, Microsoft reported a new variant of Troldesh [5], and that seems to be the variant I found on Monday. This diary takes a closer look at this week's Troldesh infection in my lab environment. The malspam The emails I saw from this wave of malspam were disguised as an account change notification from Sberbank of Russia. The emails all had a link in the message that appears to be for sberbank.ru but is actually a completely different URL.
The malware The URL from the email redirected to another URL leading to a file named document.zip. Within that zip archive is an executable file with an .scr file extension. The name of the file uses Russian language characters that did not display properly on my Windows host.
Double-clicking the .scr file infected the Windows host, and the desktop quickly displayed indicators for a Troldesh ransomware infection.
The encrypted files all had .da_vinci_code as a file extension. This fits what Microsoft reported about the current variant of Troldesh ransomware [5].
I tried the Tor link for the feedback form for additional info.
The traffic The traffic is similar to what I saw from two Troldesh examples last year [3, 4]. This particular infection generated Tor traffic immediately after the ransomware was sent. The infected host also generated an IP address check in a manner consistent with Troldesh ransomware.
I checked the traffic against Snort 2.9.8.3 using the Snort subscription ruleset, and I also checked it on Security Onion running Suricata with the ET PRO ruleset.
Indicators of Compromise (IOCs) The following are IOCs associated with this infection. Link from the email and redirect URL to download the zip archive:
Downloaded zip archive - file name: document.zip
Extracted malware - file name: расчет_xls.scr
IP address check by the infected Windows host:
Tor traffic using various domains, IP addresses, and TCP ports. Final words A copy of the infection traffic, associated email, malware, and artifacts can be found here. Ultimately, Troldesh is one of the many families of malware we see from malspam on a near-daily basis. It remains profitable enough that criminals will not stop distributing it. We expect to find more samples of Troldesh and similar ransomware in the coming months. Fortunately, best security practices will help prevent infections like the example in today's diary. A good email filtering system, properly administered Windows hosts, and an educated workforce mean users are much less likely to be infected. --- [1] http://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/ |
Brad 387 Posts ISC Handler Nov 16th 2016 |
Thread locked Subscribe |
Nov 16th 2016 4 years ago |
Last week I checked a link I'd gotten from a phish forwarded to me by a user. I used a Linux VM to connect, and received a rather rude message in reply. I retried with a Windows VM and was disappointed to find it was only spam.
|
Anonymous |
Quote |
Nov 18th 2016 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!