Malware

The Long Run of Shade Ransomware

Since the beginning of the year, security firms observed a new intense ransomware campaign spreading the Shade ransomware.

Between January and February, a new, intense, ransomware campaign has been observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all across the world. As stated in a recent Eset report, the Shade infection had an increase during October 2018, keeping a constant trend until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 doubled in size (shown in Figure 1).

Figure 1. Trend of malicious JavaScript downloading Shade ransomware (source: ESET).

The last attack waves was pretty interesting because the criminals tried to impersonate Russian Oil and Gas companies, in particular  the Russian’s “PAO NGK Slavneft”, probably to hit a portion of this industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spreading during the last week.

Technical analysis

The chosen infection vector is the email one, usual and effective. The phishing email contains a .zip file named “slavneft.zakaz.zip”, which means something like “slavneft order” in English, showing a direct reference to “Slavneft”. It contains a russian speaking JavaScript file named “«ПАО «НГК «Славнефть» подробности заказа”, corresponding another time to “PAO NGK Slavneft order details”. 

Figure 2. References to an Oil-Gas company

This file acts as downloader in the infection chain, using a series of hard-coded server addresses, It heavily rely on obfuscation and encryption to avoid the antimalware detection.

Figure 3. JavaScript decryption routine

A few round of debugging and decryption reveals its inner, cleartext code:

Figure 4. Main of the JS script.

The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent, but the variable “qF” is initialized with the other malicious URL. It runs several times the payload only if the first server could be reached. 

Probably the JavaScript is under maintenance yet, so the attacker could insert other code lines next, in order to retrieve the sample from other sources.

All the resources loaded by the JavaScript downloader points to compromised websites, mostly running WordPress and Joomla CMSs. According to other firms, Treshold is able to leverage a “worm” module designed to search and brute-force the login pages of several known CMS applications, such as WordPress and Joomla; an odd coincidence.

Once it gets in the websites, it uploads a copy of the executable code: using this approach the malware keeps creating backup copies to increase its resiliency to takeovers. However, the sample delivered in the last intercepted campaign is not configured to exploit this feature.

Hashbf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb
ThreatShade ransomware
DescriptionFake image containing shade ransomware malware
Ssdeep24576:kcDD3THmsmB7K1k52fzgtv0HqIYG3yC3Q1KbeRho7KWU8RKDyAlAY:bTHmsq72zgtv0HYG37bD7KWU8UhV

Table 1: shade ransomware informations.

Despite its popularity, the Shade payload, at the analysis time, did not show high detection rates: only a third of antimalware detected it (24/69), even if the behaviour of the threat is such harassing as recognizable. Shade encrypts all the user files using an AES encryption scheme. Then, it appends’em the “.crypted000007” suffix and creates the ransom note in each system’s folder, the text is written in both English and Russian language.

Figure 5. VirusTotal view reporting the malware’s detection rate.
Figure 6. Background of the infected machine, after encryption phase.
Figure 7. Content of README.txt file.

Navigating on the specified darknet website, it is shown a page containing a form to get in touch with the attacker, specifying the code extracted from ransom note and an email:

Figure 8. Ransomware Onion website.

Analyzing other 2017’s threat reports, we noticed the address did not changed over time, different story for the email address.

Figure 9. Comparison between the ransom note of Shade 2019 (up) and Shade 2017 (down, source: SonicWall).

Shade connects to its C2 server using embedded TOR libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner” one. The behavioural analysis session recorded the executions of the ZCash miner, stored in the  “C:\ProgramData\SoftwareDistribution\” folder. 

Figure 10. Information about miner executable.

A quick review of the launching parameters shows interesting information:

  • the type and the version of the mining client used by the attacker,  a “NHEQ Miner” developed by Nicehash;
  • the mining pool abused by the criminal;
  • and the wallet ID (t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep)

Despite this important information, it’s difficult to identify the real cashed out amount because attackers typically use mixing techniques to divert the investigations. However, the mining pool dashboard provides a clue of the current number of infected machines.

Figure 11. Flypool dashboard reporting info about attacker’s wallet.

Conclusions

The  OSINT information available places the origin of the Treshold threat in the mid of the 2017, showing the attackers didn’t change too much their modus operandi and infrastructure, the same wallet ID has been maintained over the year, propagation techniques and patterns are quite constant too.

Moreover, the huge list of compromised sites, reported in the IoC section, demonstrates once again how the usage of weak credentials is leveraged by such kind of threat actors to enable profitable, years-long malicious campaign without deep and costly changes in their TTPs.

Further technical details, including IoCs are reported in the analysis published on the Yoroi blog.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Shade Ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

5 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

12 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

23 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.