Troldesh Campaign: Ransomware with Cryptominer in tow
Dec 25, 2018
Juniper Threat Labswas recently investigating and analyzing the resurgence of Troldesh ransomware and during our investigation, we gained a few insights into their operation. What we found is that the threat actors implemented a coordinated operation by using other modules to distribute their malware. They use a CMS bruteforcer module that is responsible for infecting loosely configured CMS sites that are used as download servers. They monetized their operation via ransomware and cryptomining. They also use TOR for all of their network communication to give them anonymity.
A Brief History of Troldesh
Troldesh (a.k.a Shade) ransomware emerged in late 2014/early 2015 and was discovered by Kaspersky security researchers. The first versions had .xbtl or .cbtl for encrypted files. Some versions also append .da_vinci_code or .magic_software_syndicate. In July 2016, Kaspersky and McAfee released a decryptor tool for versions 1 and 2. In November 2016, a new version of Troldesh emerged with extension .no_more_ransom, which seemed to take a hit at www.nomoreransom.org, which hosts decrypter tools for ransomware. Then towards the second half of 2017, new versions arose that added .dexter and .crypted000007.
The sample we discovered adds .crypted000007 onto the encrypted files and is currently version 220.127.116.11. Unfortunately, this sample is not yet supported by the decryptor tools mentioned above.
The CnC server is a4ad4ip2xzclh6fd.onion. It uses the TOR client in its body to connect to this server. This ensures that all communication is encrypted.
Not only does Troldesh encrypt files such as a typical ransomware, but it also downloads additional modules for various purposes. The samples downloaded have similar file properties as the main file and also contact C2 servers via TOR. This leads us to believe that these modules are likely developed by the same group. During our analysis, it was able to download the following samples into the %TEMP% folder:
CMS (Content Management Systems) brute-forcer
Mining Related file
This sample has a similar structure to the main file and it also has TOR client in its body. It is downloaded in the %TEMP% folder but it drops itself in other folders and creates an autostart entry.
Affected content management systems (CMS) are:
It connects to its C2 server x5oemza3jjjeb7j3.onion
This is packed with UPX and has a similar file structure to that of the main file. Aside from TOR client in its body, it also includes a Mail client. It is downloaded in the %TEMP% folder, but it drops itself into other folders and creates an autostart entry. We initially thought that it is some type of a mailer program because of the strings we found in the unpacked sample such as below.
However, further analysis reveals that this is related to the CMS Bruteforcer. This process connects to some sites on port 80 and did SQL injection attempts. Below are some of the SQL injection attempts for some sites.
It connects to its CnC server s2oxwaedphciavio.onion.
This sample is downloaded into the %TEMP% folder and is packed with UPX. It downloads the Zcash miner program and saves it as %ProgramData%\SoftwareDistribution\nheqminer32.exe. It then executes this file with the following arguments:
As of this writing, the wallet has 4.7 ZEC which is around ~$250
Mining Related Malware
We do not yet know much about the use of this malware, but based on the indicators we found on the file we believe that this malware has some cryptomining functions. We found three Base-64 encoded wallets.
We looked at the wallets above to give as an idea about how these are being used in operations and found some interesting finding. The wallet 0xb8164e59a7a3223855a1cebc39fda6f923856100 is an etherium wallet which only has 7 transactions for the past 111 days.
Three transactions are from Ethermine, which indicates that the monetization through mining is working. And, all amounts are being transferred to this address 0x4FED1fC4144c223aE3C1553be203cDFcbD38C581. If we look at this address, it has an Ether value of $181,083 USD as of this writing, which is relatively large.
Looking at the comments, this wallet is involved in fraudulent transactions.
The wallet 1QKPvh8QS65SWPbVj8T2SrVGcJiMAkNXk6 is a bitcoin wallet. If we look at it, it only has ~$1,000 USD equivalent in bitcoins. We cannot find connections to other larger wallets with fraudulent activities.
The third wallet appears to be a ZCash wallet but we cannot track its current value.
Connecting The Dots
Based on the analyzed samples above, we are led to believe that the Troldesh threat actors are conducting coordinated malware operations. We think that the mailer malware is used for distribution. The CMS bruteforcer is used to infect CMS sites for their payload. This gives them several advantages like anonymity and resilience as these are not just one server, but multiple infected sites to deliver their payload. They monetize their operation by the using ransomware and cryptomining. It is also possible that they can push other malwares.
We are still uncovering the full details around each module and will provide updates with more detail as available.
We believe that the threat actors and developers of this malware are clever to establish the following:
TOR communication that gives them anonymity. It also makes detection and analysis harder as traffic is encrypted.
Using loosely configured CMS sites as it gives them more robust download servers. They do not need to setup their own download servers. And even if one download server is cleaned up, they can still use other download servers.
Using cryptomining to monetize their operation aside from ransomware.
Juniper security solutions detect these samples as follows.
Juniper Sky Advanced Threat Prevention (Sky ATP) used with SRX Series next-generation firewalls: