Pierluigi Paganini February 19, 2019

Since the beginning of the year, security firms observed a new intense ransomware campaign spreading the Shade ransomware.

Between January and February, a new, intense, ransomware campaign has been observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all across the world. As stated in a recent Eset report, the Shade infection had an increase during October 2018, keeping a constant trend until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 doubled in size (shown in Figure 1).

The last attack waves was pretty interesting because the criminals tried to impersonate Russian Oil and Gas companies, in particular  the Russian’s “PAO NGK Slavneft”, probably to hit a portion of this industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spreading during the last week.

Technical analysis

The chosen infection vector is the email one, usual and effective. The phishing email contains a .zip file named “slavneft.zakaz.zip”, which means something like “slavneft order” in English, showing a direct reference to “Slavneft”. It contains a russian speaking JavaScript file named “«ПАО «НГК «Славнефть» подробности заказа”, corresponding another time to “PAO NGK Slavneft order details”. 

This file acts as downloader in the infection chain, using a series of hard-coded server addresses, It heavily rely on obfuscation and encryption to avoid the antimalware detection.

A few round of debugging and decryption reveals its inner, cleartext code:

The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent, but the variable “qF” is initialized with the other malicious URL. It runs several times the payload only if the first server could be reached. 

Probably the JavaScript is under maintenance yet, so the attacker could insert other code lines next, in order to retrieve the sample from other sources.

All the resources loaded by the JavaScript downloader points to compromised websites, mostly running WordPress and Joomla CMSs. According to other firms, Treshold is able to leverage a “worm” module designed to search and brute-force the login pages of several known CMS applications, such as WordPress and Joomla; an odd coincidence.

Once it gets in the websites, it uploads a copy of the executable code: using this approach the malware keeps creating backup copies to increase its resiliency to takeovers. However, the sample delivered in the last intercepted campaign is not configured to exploit this feature.

Table 1: shade ransomware informations.

Despite its popularity, the Shade payload, at the analysis time, did not show high detection rates: only a third of antimalware detected it (24/69), even if the behaviour of the threat is such harassing as recognizable. Shade encrypts all the user files using an AES encryption scheme. Then, it appends’em the “.crypted000007” suffix and creates the ransom note in each system’s folder, the text is written in both English and Russian language.

Navigating on the specified darknet website, it is shown a page containing a form to get in touch with the attacker, specifying the code extracted from ransom note and an email:

Analyzing other 2017’s threat reports, we noticed the address did not changed over time, different story for the email address.

Shade connects to its C2 server using embedded TOR libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner” one. The behavioural analysis session recorded the executions of the ZCash miner, stored in the  “C:\ProgramData\SoftwareDistribution\” folder. 

A quick review of the launching parameters shows interesting information:

• the type and the version of the mining client used by the attacker,  a “NHEQ Miner” developed by Nicehash;
• the mining pool abused by the criminal;
• and the wallet ID (t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep)

Despite this important information, it’s difficult to identify the real cashed out amount because attackers typically use mixing techniques to divert the investigations. However, the mining pool dashboard provides a clue of the current number of infected machines.

Conclusions

The  OSINT information available places the origin of the Treshold threat in the mid of the 2017, showing the attackers didn’t change too much their modus operandi and infrastructure, the same wallet ID has been maintained over the year, propagation techniques and patterns are quite constant too.

Moreover, the huge list of compromised sites, reported in the IoC section, demonstrates once again how the usage of weak credentials is leveraged by such kind of threat actors to enable profitable, years-long malicious campaign without deep and costly changes in their TTPs.

Further technical details, including IoCs are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Shade Ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]