Troldesh Campaign: Ransomware with Cryptominer in tow
Dec 25, 2018



Juniper Threat Labs recently investigated the resurgence of Troldesh ransomware, and during that investigation we gained a few insights into the actors' operation. The threat actors run a coordinated operation that uses other modules to distribute their malware: a CMS brute-forcer module infects loosely configured CMS sites, which are then used as download servers. They monetize the operation through both ransomware and cryptomining, and they route all of their network communication over Tor for anonymity.

A Brief History of Troldesh

Troldesh (a.k.a. Shade) ransomware emerged in late 2014/early 2015 and was discovered by Kaspersky security researchers. The first versions used the .xbtl or .cbtl extension for encrypted files; some versions also append .da_vinci_code or .magic_software_syndicate. In July 2016, Kaspersky and McAfee released a decryptor tool for versions 1 and 2. In November 2016, a new version of Troldesh emerged with the extension .no_more_ransom, which seemed to be a jab at the site that hosts decryptor tools for ransomware. Then, in the second half of 2017, new versions appeared that added .dexter and .crypted000007.


The sample we discovered adds .crypted000007 onto the encrypted files and is currently version Unfortunately, this sample is not yet supported by the decryptor tools mentioned above.


A few days ago, security researchers discovered a Russian malspam campaign distributing Troldesh ransomware. Below is a sample spam mail:

[Image: sample spam e-mail from the campaign]

The spam campaign carries a zip attachment. Inside the zip file is a malicious JS file that downloads Troldesh from compromised sites running a CMS such as WordPress.

Technical Details

The rest of this analysis focuses on the sample with SHA-256 94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878 that we found. It was hosted on a number of compromised web sites, mostly WordPress and other CMS installations.



It was downloaded by a malicious JavaScript attached to spam, such as the Russian malspam discussed above.


The file has the following properties:

  • Two-layer packing (custom packer + UPX)
  • String encryption/obfuscation
  • Dynamic resolution of APIs
  • Statically linked Tor client

It then stores its configuration in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration:

[Image: values stored under HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration]

The values stored there are:

  • the version of this Troldesh build
  • the ID of the infected bot (machine)
  • what appears to be a count of infected bots
  • the public key used for encryption, stored PEM-encoded (the block ends with -----END PUBLIC KEY-----)
  • several base64-encoded debug messages

It scans for target files to encrypt and, after encrypting a file, renames it to {base64}.{ID of the bot}.crypted000007, for example:


  • lN2xy8BTJ+rx5x3Zlg5S9w==.8FCA60D68B6118B5D002.crypted000007
  • oA8nlrL4538VZoIaynjSZegdZbAzgMbg1pVsRrgbGV4=.8FCA60D68B6118B5D002.crypted000007
  • v2SQtZqB527BYZaIQLlwWw==.8FCA60D68B6118B5D002.crypted000007

It drops README1.txt through README10.txt on the desktop, each containing the following ransom note:

[Image: ransom note text from README1.txt]

Notable indicators:

  • http://cryptsen7fo43rr6[.]
  • http://cryptsen7fo43rr6[.]


It also changes the desktop wallpaper to the below image:

[Image: replacement desktop wallpaper]

Then it drops a copy of itself in:

  • %ProgramData%\Windows\csrss.exe


It creates the following autostart entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Name: Client Server Runtime Subsystem
    • Value: "C:\ProgramData\Windows\csrss.exe"
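As an added defender-side example (not code from the post or from Juniper), the Python below turns two of the host indicators described here into checks: it parses the {base64}.{ID of the bot}.crypted000007 file names, validating that the first segment is real base64, and flags Run-key values whose name and data match the three persistence entries the post describes (the main file's entry above and the two component entries under Secondary Downloads). The bot ID format, the sample file listing and the Run-key export are assumptions.

```python
import base64
import binascii
import re

# Name pattern from the post: <base64>.<bot ID>.crypted000007 (hex bot ID assumed from the one example)
CRYPTED_RE = re.compile(r"^(?P<b64>[A-Za-z0-9+/]+={0,2})\.(?P<bot>[0-9A-F]+)\.crypted000007$")

# Run-key value names and dropped paths described in the post (lower-cased).
# A legitimate csrss.exe runs from System32 and never has a Run entry.
TROLDESH_AUTORUNS = {
    "Client Server Runtime Subsystem": r"\programdata\windows\csrss.exe",
    "Client Server Runtime Process": r"\programdata\drivers\csrss.exe",
    "Windows Session Manager": r"\programdata\services\csrss.exe",
}

def parse_crypted_name(name):
    """Return {'b64', 'bot'} if name matches and the prefix is real base64, else None."""
    m = CRYPTED_RE.match(name)
    if not m:
        return None
    try:
        base64.b64decode(m.group("b64"), validate=True)
    except binascii.Error:  # right alphabet but bad padding/length
        return None
    return {"b64": m.group("b64"), "bot": m.group("bot")}

def find_encrypted_files(names):
    """Map each file name that matches the Troldesh pattern to its parsed parts."""
    return {n: p for n in names if (p := parse_crypted_name(n))}

def check_autoruns(run_values):
    """run_values: Run-key value name -> data; return names pointing at a dropped csrss.exe."""
    flagged = []
    for name, data in run_values.items():
        expected = TROLDESH_AUTORUNS.get(name)
        if expected and expected in data.strip('"').lower():
            flagged.append(name)
    return flagged

# Constructed sample input: the first file name is from the post, the rest are decoys.
SAMPLE_FILES = [
    "lN2xy8BTJ+rx5x3Zlg5S9w==.8FCA60D68B6118B5D002.crypted000007",
    "report.docx",
    "abc.8FCA60D68B6118B5D002.crypted000007",
]
SAMPLE_RUN = {  # constructed Run-key export with one benign entry
    "Client Server Runtime Subsystem": r'"C:\ProgramData\Windows\csrss.exe"',
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',
}
```

Running find_encrypted_files over a directory listing and check_autoruns over an exported Run key gives a quick triage of a suspect host; the path match deliberately ignores case and surrounding quotes.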


The C2 server is a4ad4ip2xzclh6fd.onion. The sample uses the Tor client embedded in its body to reach this server, so all C2 communication is encrypted and the server's location is hidden.


Secondary Downloads

Troldesh does not only encrypt files like a typical ransomware; it also downloads additional modules for various purposes. The downloaded samples have file properties similar to the main file and also contact their C2 servers via Tor, which leads us to believe that these modules are likely developed by the same group. During our analysis, the sample downloaded the following into the %TEMP% folder:

  • CMS (Content Management Systems) brute-forcer

  • Zcash Miner

  • Mining Related file


CMS Brute-forcer

This sample has a structure similar to the main file and also carries a Tor client in its body. It is downloaded into the %TEMP% folder, then drops itself into another folder and creates an autostart entry.


Affected content management systems (CMS) are:

  • WordPress
  • Drupal
  • Joomla
  • DLE (DataLife Engine)


It connects to its C2 server x5oemza3jjjeb7j3.onion.


Drop Folder

  • C:\ProgramData\drivers\csrss.exe

Autorun Entry

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: Client Server Runtime Process
    • Data: C:\ProgramData\drivers\csrss.exe

CMS Brute-forcer Component

This component is packed with UPX and has a file structure similar to the main file's. Besides the Tor client in its body, it also includes a mail client. It is downloaded into the %TEMP% folder, then drops itself into another folder and creates an autostart entry. Because of strings such as the ones below that we found in the unpacked sample, we initially thought it was some kind of mailer program.



[Image: mail-related strings in the unpacked sample]



However, further analysis revealed that it is related to the CMS brute-forcer: the process connects to web sites on port 80 and performs SQL injection attempts against them. Some of the SQL injection attempts observed against several sites are shown below.


It connects to its C2 server s2oxwaedphciavio.onion.

Drop Folder

  • C:\ProgramData\services\csrss.exe

Autorun Entry

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: Windows Session Manager
    • Data: C:\ProgramData\services\csrss.exe



Zcash Miner

This sample is downloaded into the %TEMP% folder and is packed with UPX. It downloads the Zcash miner program, saves it as %ProgramData%\SoftwareDistribution\nheqminer32.exe, and then executes it with the following arguments:


-l -u t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep.F7C16393 -t 1

[Image: nheqminer32.exe process command line]

As of this writing, the wallet holds 4.7 ZEC, which is around $250.


[Image: balance of the Zcash wallet]

Mining Related Malware

We do not yet know much about how this malware is used, but based on the indicators we found in the file, we believe it has some cryptomining functions. We found three base64-encoded wallets:

[Image: the three base64-encoded wallet strings]










We looked at the wallets above to get an idea of how they are used in the operation and found some interesting results. The wallet 0xb8164e59a7a3223855a1cebc39fda6f923856100 is an Ethereum wallet that has had only 7 transactions in the past 111 days.


[Image: transaction history of the Ethereum wallet]


Three of the transactions are from Ethermine, which indicates that monetization through mining is working, and all amounts are being transferred to the address 0x4FED1fC4144c223aE3C1553be203cDFcbD38C581. That address holds Ether worth $181,083 USD as of this writing, which is relatively large.


[Image: balance of the receiving Ethereum address]


Comments posted about this address indicate that the wallet is involved in fraudulent transactions.


[Image: comments posted about the receiving Ethereum address]


The wallet 1QKPvh8QS65SWPbVj8T2SrVGcJiMAkNXk6 is a Bitcoin wallet. It holds only about $1,000 USD worth of bitcoin, and we could not find connections to larger wallets with fraudulent activity.


[Image: balance of the Bitcoin wallet]



The third wallet appears to be a Zcash wallet, but we cannot track its current value.



Connecting The Dots

Based on the samples analyzed above, we believe that the Troldesh threat actors are conducting a coordinated malware operation. We think the mailer malware is used for distribution, and the CMS brute-forcer is used to infect CMS sites that then host their payload. This gives them several advantages, such as anonymity and resilience, since delivery does not depend on a single server but on many infected sites. They monetize the operation using ransomware and cryptomining, and they could also push other malware through the same channel.



Indicators by component:

  • Troldesh Main File: SHA-256 94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878
  • CMS Brute-forcer
  • Mining Related Malware
  • CMS Brute-forcer component
  • Zcash Miner Downloader
  • Troldesh C2: a4ad4ip2xzclh6fd.onion
  • Mining Related C2
  • CMS Brute-forcer C2: x5oemza3jjjeb7j3.onion
  • CMS Brute-forcer Component C2: s2oxwaedphciavio.onion
  • Zcash Miner C2
  • Likely Troldesh download servers: the compromised CMS sites described under Technical Details



We are still uncovering the full details around each module and will provide updates with more detail as available.

We believe the threat actors and developers behind this malware were clever in establishing the following:

  • Tor communication, which gives them anonymity and also makes detection and analysis harder because the traffic is encrypted.
  • Loosely configured CMS sites as download servers, which are more robust for them: they do not need to set up their own download servers, and even if one site is cleaned up, they can still use the others.
  • Cryptomining as a way to monetize the operation in addition to ransomware.


Juniper security solutions detect these samples as follows.


Juniper Sky Advanced Threat Prevention (Sky ATP) used with SRX Series next-generation firewalls:

[Image: Sky ATP detection results for the samples]


Juniper Advanced Threat Prevention Appliances (JATP):


[Image: JATP detection results for the samples]