The campaign appears to be a follow-up to a malicious spam campaign that started distributing the Shade ransomware in October 2018.
The January 2019 campaign
Our telemetry shows the October 2018 campaign running at a consistent pace until the second half of December 2018, taking a break around Christmas, and then resuming in mid-January 2019 at twice its previous size, as seen in Figure 1. The drops in the graph are aligned with weekends, which suggests that the attackers favor company email addresses.
Based on our analysis, a typical attack in the January 2019 campaign starts with the delivery of an email written in Russian, with an attached ZIP archive named “info.zip” or “inf.zip”.
These malicious emails pose as order updates, seemingly coming from legitimate Russian organizations. The emails we have seen impersonate the Russian bank B&N Bank (note: recently merged with Otkritie Bank), and the retail chain Magnit. In one of the emails detected by ESET systems, the English translation is:
Subject: Details of the order
I’m sending to you the details of the order. The document is enclosed.
Denis Kudrashev, manager
Figure 4 - Example of a spam email used in the January 2019 campaign
The malicious loader is downloaded from URLs at compromised, legitimate WordPress sites, where it is disguised as an image file. To compromise the WordPress pages, attackers used mass-scale password brute-force attacks carried out via automated bots. Our telemetry data shows hundreds of such URLs, all ending with the string “ssj.jpg”, hosting the malicious loader file.
The loader is signed using an invalid digital signature that claims to be issued by Comodo, as seen in Figure 5. The name in “Signer information” and the timestamp are unique for each sample.
Figure 5 – Fake digital signature used by the malicious loader
Besides this, the loader attempts to disguise itself further by posing as the legitimate system process Client Server Runtime Process (csrss.exe). It copies itself into C:\ProgramData\Windows\csrss.exe, where “Windows” is a hidden folder created by the malware; no such folder normally exists in ProgramData.
Figure 6 – The malware posing as a system process and using version details copied from a legitimate Windows Server 2012 R2 binary
The Shade ransomware
The final payload of this malicious campaign is crypto-ransomware dubbed Shade or Troldesh. First seen in the wild in late 2014 and resurfacing frequently since, the ransomware encrypts a wide range of file types on local drives. In the recent campaign, the ransomware appends the extension .crypted000007 to the encrypted files.
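The three host- and network-level indicators described above (loader URLs ending in “ssj.jpg”, csrss.exe copied to C:\ProgramData\Windows\, and the .crypted000007 extension) can be turned into simple triage checks. The following is an added example, not code from ESET or the article; the proxy log lines and file paths it scans are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article: the loader is fetched from URLs ending in
# "ssj.jpg", copies itself to C:\ProgramData\Windows\csrss.exe, and Shade
# appends ".crypted000007" to the files it encrypts.
LOADER_URL_SUFFIX = "ssj.jpg"
LOADER_DROP_PATH = PureWindowsPath(r"C:\ProgramData\Windows\csrss.exe")
LEGIT_CSRSS_DIRS = {PureWindowsPath(r"C:\Windows\System32")}
SHADE_EXT = ".crypted000007"

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample proxy log lines and file listing (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2019-01-15T09:12:03 10.0.0.7 GET http://blog.example.com/wp-content/uploads/ssj.jpg 200",
    "2019-01-15T09:12:05 10.0.0.7 GET http://blog.example.com/wp-content/themes/style.css 200",
    "2019-01-15T09:13:40 10.0.0.9 GET http://shop.example.net/images/SSJ.JPG?x=1 200",
]
SAMPLE_FILES = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\ProgramData\Windows\csrss.exe",
    r"C:\Users\Alice\Documents\report.docx.crypted000007",
    r"C:\Users\Alice\Documents\budget.xlsx",
]

def suspicious_urls(log_lines):
    """Return every URL whose path (query string ignored) ends with the campaign suffix."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            path = url.split("?", 1)[0]
            if path.lower().endswith(LOADER_URL_SUFFIX):
                hits.append(url)
    return hits

def suspicious_files(paths):
    """Flag csrss.exe outside its legitimate directory and Shade-encrypted files.

    PureWindowsPath compares case-insensitively, matching NTFS behaviour."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == "csrss.exe" and wp.parent not in LEGIT_CSRSS_DIRS:
            tag = "loader_drop_path" if wp == LOADER_DROP_PATH else "csrss_outside_system32"
            findings.append((str(wp), tag))
        elif wp.suffix.lower() == SHADE_EXT:
            findings.append((str(wp), "shade_encrypted_file"))
    return findings

if __name__ == "__main__":
    print(suspicious_urls(SAMPLE_PROXY_LOG))
    print(suspicious_files(SAMPLE_FILES))
```

The hidden attribute on the dropped “Windows” folder cannot be checked from a path string alone; on a live host, query it with the file system API in addition to the path match.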
The payment instructions are presented to victims in a TXT file, in Russian and English, which is dropped to all drives on the affected computer. The wording of the ransom note is identical to that from the previously reported October 2018 campaign.
Figure 7 – The Shade ransomware ransom note from January 2019
How to stay safe
To avoid falling victim to malicious spam, always verify the authenticity of emails before opening any attachments or clicking on links. If necessary, check with the organization seemingly sending the email using contact details provided on their official website.
To avoid having your WordPress website compromised, use a strong password and two-factor authentication and make sure to regularly update WordPress itself, as well as WordPress plugins and themes.
Indicators of Compromise (IoCs)
Example hashes of the malicious ZIP attachments
ESET detection name: JS/Danger.ScriptAttachment
ESET detection name: Win32/Injector
Example hashes of the Shade ransomware
ESET detection name: Win32/Filecoder.Shade
Campaign-specific string in URLs hosting the Shade ransomware