Troldesh in a new mask: the next wave of mass distribution of the ransomware virus
From the beginning of today to the present, JSOC CERT experts have recorded a massive malicious distribution of the Troldesh ransomware virus. Its functionality is wider than just an encryptor: in addition to the encryption module, it has the ability to remotely control a workstation and reload additional modules. In March of this year, we already informed about the Troldesh epidemic - then the virus masked its delivery using IoT devices. Now, vulnerable versions of WordPress and the cgi-bin interface are used for this.
The newsletter is conducted from different addresses and contains in the body of the letter a link to compromised web resources with WordPress components. The link contains an archive containing a script in the Javascript language. As a result of its execution, the Troldesh ransomware is downloaded and launched.
Malicious messages are not detected by most protection tools, since they contain a link to a legitimate web resource, however, the encryptor itself is currently detected by most manufacturers of anti-virus software. Note: since the malware communicates with C&C servers located on the Tor network, it is potentially possible to download additional external load modules to the infected machine that can “enrich” it.
Of the common signs of this newsletter, you can note:
(1) An example of a newsletter topic - “About Order”
(2) all links have an external similarity - they contain the keywords / wp-content / and / doc /, for example:
Horsesmouth [.] Org / wp-content / themes / InspiredBits / images / dummy / doc / doc /
www.montessori-academy [.] org / wp-content / themes / campus / mythology-core / core-assets / images / social-icons / long-shadow / doc /
chestnutplacejp [.] com / wp-content / ai1wm-backups / doc /
(3) malware accesses through Tor c various management servers
(4) the file Filename is created: C: \ ProgramData \ Windows \ csrss.exe, it is written in the registry in the SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run branch (the parameter name is Client Server Runtime Subsystem).
We recommend that you verify the relevance of the anti-virus software databases, consider informing employees about this threat, and, if possible, tighten control over incoming emails with the above signs.
The newsletter is conducted from different addresses and contains in the body of the letter a link to compromised web resources with WordPress components. The link contains an archive containing a script in the Javascript language. As a result of its execution, the Troldesh ransomware is downloaded and launched.
Malicious messages are not detected by most protection tools, since they contain a link to a legitimate web resource, however, the encryptor itself is currently detected by most manufacturers of anti-virus software. Note: since the malware communicates with C&C servers located on the Tor network, it is potentially possible to download additional external load modules to the infected machine that can “enrich” it.
Of the common signs of this newsletter, you can note:
(1) An example of a newsletter topic - “About Order”
(2) all links have an external similarity - they contain the keywords / wp-content / and / doc /, for example:
Horsesmouth [.] Org / wp-content / themes / InspiredBits / images / dummy / doc / doc /
www.montessori-academy [.] org / wp-content / themes / campus / mythology-core / core-assets / images / social-icons / long-shadow / doc /
chestnutplacejp [.] com / wp-content / ai1wm-backups / doc /
(3) malware accesses through Tor c various management servers
(4) the file Filename is created: C: \ ProgramData \ Windows \ csrss.exe, it is written in the registry in the SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run branch (the parameter name is Client Server Runtime Subsystem).
We recommend that you verify the relevance of the anti-virus software databases, consider informing employees about this threat, and, if possible, tighten control over incoming emails with the above signs.
All Articles