Troldesh ransomware using compromised websites as intermediary malware distributors.
The malware often uses a PHP file that acts as a delivery tool for downloading the host malware dropper:
hxxp://websiteransom[.]com/cgi-bin/[redacted].php
This type of infected URL is usually spread through malicious emails or through services like social media.
Malicious “JSC Airline” JScript File
Once a victim clicks the URL and loads it, a JScript file is downloaded to the victim’s computer. The malware targets Windows, which runs JScript natively: ./Подробности заказа ОАО Авиакомпания Уральские авиалинии.js
The JScript filename is written in Russian and translates to “Details of the order of JSC Airline Ural Airlines”, indicating that attackers may have been attempting to spoof this airline company to trick victims.
This malicious file is the host-based malware dropper. When executed (e.g. when the victim runs the JScript file), it begins infecting the victim’s computer by preparing the download of the actual ransomware executable:
In this JScript file, the variables NH and LC contain the URLs of the compromised websites hosting the ransomware payload. It looks like the attackers use at least two separate compromised websites for redundancy, in case one of them stops working (e.g. the website is suspended by its web host, or the malware is otherwise removed or becomes inaccessible).
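As an added triage example (not code from the original post), the following Python script statically extracts the URL-bearing string variables from a JScript dropper of the kind described above and groups them by host, so the compromised sites can be blocked and reported to their owners. The dropper snippet, variable names other than NH and LC, and the host names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of a dropper's string-assignment lines only (not the page's
# actual file); the hosts are placeholders, not real indicators.
SAMPLE_DROPPER = r'''
var NH = "http://compromised-site-one.example/images/update.exe";
var LC = "http://compromised-site-two.example/wp-content/uploads/update.exe";
var name = "Подробности заказа ОАО Авиакомпания Уральские авиалинии.js";
'''

# Matches `var X = "..."` / `X = '...'` assignments holding a single string literal.
ASSIGN_RE = re.compile(r'''(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(["'])(.*?)\2\s*;''')
# Accepts live and defanged (hxxp) schemes; group 1 is the host.
URL_RE = re.compile(r'^(?:hxxps?|https?)://([^/\s]+)(/.*)?$', re.IGNORECASE)

def extract_url_variables(script_text):
    """Return {variable_name: url} for every string variable that holds a URL."""
    found = {}
    for name, _quote, value in ASSIGN_RE.findall(script_text):
        if URL_RE.match(value):
            found[name] = value
    return found

def download_hosts(url_vars):
    """Map each distinct host to the variables that point at it."""
    hosts = defaultdict(list)
    for name, url in url_vars.items():
        hosts[URL_RE.match(url).group(1).lower()].append(name)
    return dict(hosts)

def triage(script_text):
    """Summarise the hard-coded download infrastructure found in a dropper."""
    url_vars = extract_url_variables(script_text)
    hosts = download_hosts(url_vars)
    return {
        "url_variables": url_vars,
        "hosts": hosts,
        # Two or more distinct hosts is the redundancy pattern described above.
        "redundant_hosts": len(hosts) >= 2,
    }

if __name__ == "__main__":
    report = triage(SAMPLE_DROPPER)
    for host, names in report["hosts"].items():
        print(f"{host}: referenced by {', '.join(names)}")
    print("fallback infrastructure present:", report["redundant_hosts"])
```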
Ransomware Data Stored in Random Directories
If your AV or anti-malware software doesn’t block the execution, the ransomware begins encrypting your files using two separate keys: one key encrypts the filenames and the other encrypts the actual file contents.
TOR .onion URLs
Interestingly, the attacker also provides a TOR .onion URL in the README.txt file, to be used only if the victim cannot reach the attacker at the provided email address:
http://zsn-paper.blogspot.com