Between January and February, a new, intense, ransomware campaign has been observed by many security firms. It spreads Shade/
The last attack waves was pretty interesting because the criminals tried to impersonate Russian Oil and Gas companies, in particular the Russian’s “PAO NGK Slavneft”, probably to hit a portion of this industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spreading during the last week.
This file acts as downloader in the infection chain, using a series of hard-coded server addresses, It heavily rely on obfuscation and encryption to avoid the antimalware detection.
A few round of debugging and decryption reveals its inner, cleartext code:
The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent, but the variable “qF” is initialized with the other malicious URL. It runs several times the payload only if the first server could be reached.
Once it gets in the websites, it uploads a copy of the executable code: using this approach the malware keeps creating backup copies to increase its resiliency to takeovers. However, the sample delivered in the last intercepted campaign is not configured to exploit this feature.
|Fake image containing shade ransomware malware
Table 1: shade ransomware informations.
Despite its popularity, the Shade payload, at the analysis time, did not show high detection rates: only a third of antimalware detected it (24/69), even if the behaviour of the threat is such harassing as recognizable. Shade encrypts all the user files using an AES encryption scheme. Then, it appends’em the “.crypted000007” suffix and creates the ransom note in each system’s folder, the text is written in both English and Russian language.
Navigating on the specified darknet website, it is shown a page containing a form to get in touch with the attacker, specifying the code extracted from ransom note and an email:
Analyzing other 2017’s threat reports, we noticed the address did not changed over time, different story for the email address.
Shade connects to its C2 server using embedded TOR libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner” one. The behavioural analysis session recorded the executions of the ZCash miner, stored in the “C:\ProgramData\SoftwareDistribution\” folder.
A quick review of the launching parameters shows interesting information:
Despite this important information, it’s difficult to identify the real cashed out amount because attackers typically use mixing techniques to divert the investigations. However, the mining pool dashboard provides a clue of the current number of infected machines.
The OSINT information available places the origin of the Treshold threat in the mid of the 2017, showing the attackers didn’t change too much their modus operandi and infrastructure, the same wallet ID has been maintained over the year, propagation techniques and patterns are quite constant too.
Moreover, the huge list of compromised sites, reported in the IoC section, demonstrates once again how the usage of weak credentials is leveraged by such kind of threat actors to enable profitable, years-long malicious campaign without deep and costly changes in their TTPs.
Further technical details, including IoCs are reported in the analysis published on the Yoroi blog.