Since the beginning of the year, security firms observed a new intense ransomware campaign spreading the Shade ransomware.
Between January and February, a new, intense, ransomware campaign has been observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all across the world. As stated in a recent Eset report, the Shade infection had an increase during October 2018, keeping a constant trend until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 doubled in size (shown in Figure 1).
The last attack waves was pretty interesting because the criminals tried to impersonate Russian Oil and Gas companies, in particular the Russian’s “PAO NGK Slavneft”, probably to hit a portion of this industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spreading during the last week.
This file acts as downloader in the infection chain, using a series of hard-coded server addresses, It heavily rely on obfuscation and encryption to avoid the antimalware detection.
A few round of debugging and decryption reveals its inner, cleartext code:
The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent, but the variable “qF” is initialized with the other malicious URL. It runs several times the payload only if the first server could be reached.
Once it gets in the websites, it uploads a copy of the executable code: using this approach the malware keeps creating backup copies to increase its resiliency to takeovers. However, the sample delivered in the last intercepted campaign is not configured to exploit this feature.
|Description||Fake image containing shade ransomware malware|
Table 1: shade ransomware informations.
Despite its popularity, the Shade payload, at the analysis time, did not show high detection rates: only a third of antimalware detected it (24/69), even if the behaviour of the threat is such harassing as recognizable. Shade encrypts all the user files using an AES encryption scheme. Then, it appends’em the “.crypted000007” suffix and creates the ransom note in each system’s folder, the text is written in both English and Russian language.
Navigating on the specified darknet website, it is shown a page containing a form to get in touch with the attacker, specifying the code extracted from ransom note and an email:
Analyzing other 2017’s threat reports, we noticed the address did not changed over time, different story for the email address.
Shade connects to its C2 server using embedded TOR libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner” one. The behavioural analysis session recorded the executions of the ZCash miner, stored in the “C:\ProgramData\SoftwareDistribution\” folder.
A quick review of the launching parameters shows interesting information:
- the type and the version of the mining client used by the attacker, a “NHEQ Miner” developed by Nicehash;
- the mining pool abused by the criminal;
- and the wallet ID (t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep)
Despite this important information, it’s difficult to identify the real cashed out amount because attackers typically use mixing techniques to divert the investigations. However, the mining pool dashboard provides a clue of the current number of infected machines.
The OSINT information available places the origin of the Treshold threat in the mid of the 2017, showing the attackers didn’t change too much their modus operandi and infrastructure, the same wallet ID has been maintained over the year, propagation techniques and patterns are quite constant too.
Moreover, the huge list of compromised sites, reported in the IoC section, demonstrates once again how the usage of weak credentials is leveraged by such kind of threat actors to enable profitable, years-long malicious campaign without deep and costly changes in their TTPs.
To read the original article:https://securityaffairs.co/wordpress/81358/malware/shade-ransomware.html