Threat Research
Troldesh Campaign: Ransomware with Cryptominer in tow
Dec 25, 2018

 


Juniper Threat Labs was recently investigating and analyzing the resurgence of Troldesh ransomware, and during our investigation we gained a few insights into the operation behind it. We found that the threat actors run a coordinated operation in which additional modules distribute their malware. They use a CMS brute-forcer module that infects loosely configured CMS sites, which then serve as download servers. They monetize the operation via ransomware and cryptomining, and they route all network communication through TOR for anonymity.

A Brief History of Troldesh

Troldesh (a.k.a. Shade) ransomware emerged in late 2014/early 2015 and was first documented by Kaspersky security researchers. The first versions appended .xbtl or .cbtl to encrypted files; later versions also appended .da_vinci_code or .magic_software_syndicate. In July 2016, Kaspersky and McAfee released a decryptor tool for versions 1 and 2. In November 2016, a new version of Troldesh emerged with the extension .no_more_ransom, which appears to be a jab at www.nomoreransom.org, the site that hosts decryptor tools for ransomware. Then, in the second half of 2017, new versions arose that added .dexter and .crypted000007.

 

The sample we discovered appends .crypted000007 to encrypted files and reports version 4.0.0.1. Unfortunately, this version is not yet supported by the decryptor tools mentioned above.

Malspam

A few days ago, security researchers discovered a Russian-language malspam campaign distributing Troldesh ransomware. Below is a sample spam mail:

[Image: sample spam mail from the campaign]

The spam campaign contains an attachment in a zip format. Inside the zip file is a malicious JS file that downloads Troldesh from sites hosted on CMS, such as WordPress.

Technical Details

The following information focuses on the sample 94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878 that we found. It was hosted on several compromised sites, always under the file name sserv[.]jpg, in locations such as WordPress theme, plugin and admin directories and .well-known/acme-challenge folders.

 




It was downloaded by the malicious JavaScript attached to spam such as the Russian malspam discussed above.

 

The file has the following properties:

  • Two-layer packer (custom packer + UPX)
  • String encryption/obfuscation
  • Dynamic resolving of APIs
  • Statically linked TOR client

It then stores its configuration under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration, with the following values:

  • xVersion = 4.0.0.1 (version of this Troldesh malware)
  • xsys = 1
  • xi = 8FCA60D68B6118B5D002 (ID of the infected bot)
  • xmail = 1
  • xmode = 0
  • xcnt = 6900 (appears to be a bot count)
  • xpk = PEM-encoded RSA public key block (public key used for encryption)
  • sh1 = some base64-encoded debug messages
  • sh2 = some base64-encoded debug messages
  • shsnt = 1
  • shst = 3
  • xstate = 5


It scans for target files to encrypt and, after encrypting each file, renames it to {base64 string}.{bot ID}.crypted000007, for example:

 

  • lN2xy8BTJ+rx5x3Zlg5S9w==.8FCA60D68B6118B5D002.crypted000007
  • oA8nlrL4538VZoIaynjSZegdZbAzgMbg1pVsRrgbGV4=.8FCA60D68B6118B5D002.crypted000007
  • v2SQtZqB527BYZaIQLlwWw==.8FCA60D68B6118B5D002.crypted000007

It drops README1.txt through README10.txt onto the desktop, each containing the following ransom note:

[Image: ransom note text]

Notable indicators:

  • http://cryptsen7fo43rr6[.]onion.to
  • http://cryptsen7fo43rr6[.]onion.cab
  • pilotpilot088@gmail.com

 

It also changes the desktop wallpaper to the image below:

[Image: replacement desktop wallpaper]

Then it drops a copy of itself in:

  • %ProgramData%\Windows\csrss.exe

It creates the following autostart entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Name: Client Server Runtime Subsystem
    • Value: "C:\ProgramData\Windows\csrss.exe"

 

The CnC server is a4ad4ip2xzclh6fd.onion. The malware uses the TOR client embedded in its body to connect to this server, so all C2 communication is encrypted.

 

Secondary Downloads

Not only does Troldesh encrypt files as typical ransomware does, it also downloads additional modules for various purposes. The downloaded samples have file properties similar to the main file and also contact their C2 servers via TOR, which leads us to believe these modules are developed by the same group. During our analysis, it downloaded the following samples into the %TEMP% folder:

  • CMS (Content Management System) brute-forcer
  • Zcash miner
  • Mining-related file

 

CMS Brute-forcer

This sample has a structure similar to the main file and also carries a TOR client in its body. It is downloaded into the %TEMP% folder, then copies itself to another folder and creates an autostart entry.

 

Affected content management systems (CMS) are:

  • WordPress
  • Drupal
  • Joomla
  • DLE

 

It connects to its C2 server x5oemza3jjjeb7j3.onion.

 

Drop Folder

  • C:\ProgramData\drivers\csrss.exe

Autorun Entry

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: Client Server Runtime Process
    • Data: C:\ProgramData\drivers\csrss.exe



CMS Brute-forcer Component

This sample is packed with UPX and has a file structure similar to that of the main file. Aside from the TOR client in its body, it also includes a mail client. It is downloaded into the %TEMP% folder, then copies itself to another folder and creates an autostart entry. We initially thought it was some type of mailer program because of strings such as the following in the unpacked sample:

[Image: mail-related strings from the unpacked sample]

However, further analysis revealed that it is tied to the CMS brute-forcer: the process connects to sites on port 80 and performs SQL injection attempts. Below are some of the SQL injection attempts observed against several sites:

[Image: captured SQL injection requests]

It connects to its CnC server s2oxwaedphciavio.onion.



Drop Folder

  • C:\ProgramData\services\csrss.exe

Autorun Entry

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: Windows Session Manager
    • Data: C:\ProgramData\services\csrss.exe

 

 

Zcash Miner

This sample is downloaded into the %TEMP% folder and is packed with UPX. It downloads the Zcash miner program and saves it as %ProgramData%\SoftwareDistribution\nheqminer32.exe, then executes that file with the following arguments (-l is the mining pool, -u the Zcash wallet address with a worker suffix, -t the thread count):

-l eu1-zcash.flypool.org:3333 -u t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep.F7C16393 -t 1

As of this writing, the wallet holds 4.7 ZEC, which is around $250.

Mining Related Malware

We do not yet know much about how this malware is used, but based on the indicators we found in the file, we believe it has some cryptomining functions. We found three base64-encoded wallets, which decode as follows:

  • MHhiODE2NGU1OWE3YTMyMjM4NTVhMWNlYmMzOWZkYTZmOTIzODU2MTAw -> 0xb8164e59a7a3223855a1cebc39fda6f923856100
  • MVFLUHZoOFFTNjVTV1BiVmo4VDJTclZHY0ppTUFrTlhrNg== -> 1QKPvh8QS65SWPbVj8T2SrVGcJiMAkNXk6
  • dDFKQ3RuaWpBVDIzcDc1R3FqMmQ3WW9abkZ3dEFCcmhYYTg= -> t1JCtnijAT23p75Gqj2d7YoZnFwtABrhXa8

 

We looked at the wallets above to get an idea of how they are used in the operation and found some interesting things. The wallet 0xb8164e59a7a3223855a1cebc39fda6f923856100 is an Ethereum wallet with only 7 transactions in the past 111 days.

Three of those transactions are from Ethermine, which indicates that monetization through mining is working, and all amounts are transferred on to the address 0x4FED1fC4144c223aE3C1553be203cDFcbD38C581. That address holds Ether worth $181,083 USD as of this writing, which is relatively large.

Judging by the comments left on it, this wallet is involved in fraudulent transactions.

The wallet 1QKPvh8QS65SWPbVj8T2SrVGcJiMAkNXk6 is a Bitcoin wallet. It holds only about $1,000 USD worth of bitcoin, and we could not find connections to other, larger wallets with fraudulent activity.

The third wallet appears to be a Zcash wallet, but we cannot track its current value.
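As an added example (not code from the post), the following Python decodes the three base64 strings extracted above and classifies each resulting address by its encoding: a 0x-prefixed 20-byte hex string for Ethereum, or base58check with version byte 0x00 (Bitcoin P2PKH) or the two-byte prefix 0x1CB8 (Zcash transparent "t1" address). The checksum verification and the P2SH branch go slightly beyond what the post states.

```python
import base64
import hashlib

# Base58 alphabet shared by Bitcoin and Zcash transparent addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode base58 to bytes, keeping one leading zero byte per leading '1'."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)          # ValueError on non-base58 input
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def base58check_ok(raw):
    """True if the trailing 4 bytes match the double-SHA256 of the payload."""
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def classify_wallet(addr):
    """Return (chain, type, checksum_ok) for an address string, or None."""
    if len(addr) == 42 and addr[:2] == "0x" and all(c in "0123456789abcdefABCDEF" for c in addr[2:]):
        return ("Ethereum", "account", None)   # plain hex form carries no checksum
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) == 25 and raw[0] == 0x00:      # Bitcoin mainnet P2PKH ("1...")
        return ("Bitcoin", "P2PKH", base58check_ok(raw))
    if len(raw) == 25 and raw[0] == 0x05:      # Bitcoin mainnet P2SH ("3...")
        return ("Bitcoin", "P2SH", base58check_ok(raw))
    if len(raw) == 26 and raw[:2] == b"\x1c\xb8":  # Zcash transparent P2PKH ("t1...")
        return ("Zcash", "t-addr P2PKH", base58check_ok(raw))
    return None

def decode_wallets(blobs):
    """Base64-decode each embedded string and classify the resulting address."""
    out = []
    for blob in blobs:
        addr = base64.b64decode(blob).decode("ascii")
        out.append((addr, classify_wallet(addr)))
    return out

# The three base64 strings the post pulled from the mining-related sample.
EMBEDDED_WALLETS = [
    "MHhiODE2NGU1OWE3YTMyMjM4NTVhMWNlYmMzOWZkYTZmOTIzODU2MTAw",
    "MVFLUHZoOFFTNjVTV1BiVmo4VDJTclZHY0ppTUFrTlhrNg==",
    "dDFKQ3RuaWpBVDIzcDc1R3FqMmQ3WW9abkZ3dEFCcmhYYTg=",
]
```

Running decode_wallets(EMBEDDED_WALLETS) yields the three addresses listed above, tagged Ethereum, Bitcoin P2PKH and Zcash t-addr respectively; the miner's pool wallet from the command line classifies as Zcash the same way.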

 

 

Connecting The Dots

Based on the samples analyzed above, we believe the Troldesh threat actors are running a coordinated malware operation. We think the mailer component is used for distribution, and the CMS brute-forcer is used to infect CMS sites that host their payload. This gives them several advantages, such as anonymity and resilience: there is not just one server but multiple infected sites delivering the payload. They monetize the operation through ransomware and cryptomining, and they could also push other malware through the same channel.


IOC

SHA256 file hashes:

  • Troldesh main file: 94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878
  • CMS brute-forcer: 9d3bac28e24a997c2d2b3a955b7f0d57494950a0269f1bf31dc45fb1dadcdb84
  • Mining-related malware: 9ff6b78524b83d667df34eb5e00bf47dc66ca2b4bb7f9422622103311eee3d6e
  • CMS brute-forcer component: 2824a8ce0e65bb185a88ff1fe5f1df202405c42b6705a420dbc07c565a44b240
  • Zcash miner downloader: 026e8c1bb6fda0bd89dd2d87ef95a8920df5ba331b74c604223f75e597069ded

C2 servers:

  • Troldesh C2: a4ad4ip2xzclh6fd.onion
  • Mining-related C2: b2afikprcfzqdbcv.onion
  • CMS brute-forcer C2: x5oemza3jjjeb7j3.onion
  • CMS brute-forcer component C2: s2oxwaedphciavio.onion
  • Zcash miner C2: x6powec7tihrv7jm.onion

Download servers:

  • Likely Troldesh download server (URL pattern): http://.*/.*/sserv.jpg
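The encrypted-file naming scheme described earlier and the IOC table above are the natural inputs for a small host and proxy-log triage script. The following Python is an added example, not part of the post: the indicator values come from the post, the regex for encrypted-file names is derived from the three example names, and the proxy-log format and host names in the sample are constructed placeholders.

```python
import re

# Indicators from the post's IOC table. The .onion names are TOR C2 hosts; the
# ransom-note site is also reachable via Tor2web gateways (.onion.to, .onion.cab).
ONION_HOSTS = {
    "a4ad4ip2xzclh6fd": "Troldesh C2",
    "b2afikprcfzqdbcv": "mining-related C2",
    "x5oemza3jjjeb7j3": "CMS brute-forcer C2",
    "s2oxwaedphciavio": "CMS brute-forcer component C2",
    "x6powec7tihrv7jm": "Zcash miner C2",
    "cryptsen7fo43rr6": "Troldesh ransom-note site",
}
# The post's download-server pattern http://.*/.*/sserv.jpg, anchored on the path.
SSERV_RE = re.compile(r"^https?://[^/\s]+/(?:[^/\s]+/)+sserv\.jpg$", re.I)
ONION_RE = re.compile(r"(?<![a-z0-9])([a-z2-7]{16})\.onion(?:\.[a-z]+)?\b", re.I)  # v2 onion + optional Tor2web suffix
# Encrypted-file naming seen in this version: <base64>.<20-hex bot ID>.crypted000007
CRYPTED_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}\.([0-9A-F]{20})\.crypted000007$")

def classify_url(url):
    """Return an indicator label for the URL, or None if nothing matches."""
    if SSERV_RE.match(url):
        return "likely Troldesh download server"
    m = ONION_RE.search(url)
    if m and m.group(1).lower() in ONION_HOSTS:
        return ONION_HOSTS[m.group(1).lower()]
    return None

def bot_id_from_filename(name):
    """Return the 20-hex bot ID from a Troldesh-renamed file name, else None."""
    m = CRYPTED_RE.match(name)
    return m.group(1) if m else None

def scan_proxy_log(lines):
    """Scan '<timestamp> <client> <url>' lines; return (line_no, url, label) hits."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 3:
            label = classify_url(fields[2])
            if label:
                hits.append((no, fields[2], label))
    return hits

# Constructed sample proxy log (not real traffic); host names are placeholders.
SAMPLE_LOG = [
    "2018-12-20T10:01:02 10.0.0.12 https://www.example.com/index.html",
    "2018-12-20T10:01:09 10.0.0.12 http://compromised-site.example/wp-admin/css/colors/blue/sserv.jpg",
    "2018-12-20T10:02:30 10.0.0.12 http://cdn.example.net/img/logo.jpg",
    "2018-12-20T10:15:44 10.0.0.12 http://cryptsen7fo43rr6.onion.to/",
]
```

scan_proxy_log(SAMPLE_LOG) flags lines 2 and 4 (the sserv.jpg download and the Tor2web visit to the ransom-note site), and bot_id_from_filename on any of the three renamed files above returns 8FCA60D68B6118B5D002.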

 

Conclusion

We are still uncovering the full details around each module and will provide updates with more detail as available.

We believe that the threat actors and developers of this malware were clever to establish the following:

  • TOR communication, which gives them anonymity. It also makes detection and analysis harder, as traffic is encrypted.
  • Use of loosely configured CMS sites, which gives them more robust download servers. They do not need to set up their own download servers, and even if one download server is cleaned up, they can still use the others.
  • Use of cryptomining to monetize their operation alongside ransomware.

 

Juniper security solutions detect these samples as follows.

Juniper Sky Advanced Threat Prevention (Sky ATP) used with SRX Series next-generation firewalls:

[Image: Sky ATP detection results]

Juniper Advanced Threat Prevention Appliances (JATP):

[Image: JATP detection results]

 

 

 

References:

https://isc.sans.edu/forums/diary/Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24358/

https://securelist.com/shade-not-by-encryption-alone/75645/

https://securelist.com/the-shade-encryptor-a-double-threat/72087/

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/troldesh

 
