The new attack of the Shade encoder is aimed at Russian business users.

    In January 2019, we recorded a sharp increase in the number of detections of malicious JavaScript email attachments (in 2018, this attack vector was used minimally). In the "New Year's release" you can select a distribution in Russian, intended for distribution of the Shade encoder (also known as Troldesh), which is detected by ESET products as Win32 / Filecoder.Shade.

    It appears that this attack continues the spam campaign to spread the Shade coder, discovered in October 2018 .

    New Campaign Shade

    According to our telemetry, the October campaign was at a constant pace until the second half of December 2018. This was followed by a break at Christmas, and then in mid-January 2019 the campaign’s activity doubled (see chart below). Falls on the graph, corresponding to weekends, suggest that attackers prefer corporate email addresses.

    Figure 1. Detection of malicious JavaScript attachments that have been distributing Win32 / Filecoder.Shade since October 2018.

    As mentioned earlier, the campaign illustrates the trend we have seen since the beginning of 2019 — the return of malicious JavaScript attachments as an attack vector. The dynamics are displayed on the graph below.

    Figure 2. Detection of malicious JavaScript distributed in email attachments since 2018. Attachments are detected by ESET as JS / Danger.ScriptAttachment.

    It is worth noting that the campaign for distributing the Shade encoder is most active in Russia, which accounts for 52% of the total number of malicious attachments detected by JavaScript. Other victims include Ukraine, France, Germany and Japan, as shown below.

    Figure 3. The number of malicious JavaScript attachments detected distributing Win32 / Filecoder.Shade. Data from January 1 to January 24, 2019

    According to our analysis, a typical attack of the January campaign begins with the victim receiving a letter in Russian with a ZIP file or as an attachment.

    Letters are disguised as official requests of legitimate Russian companies. We saw the newsletter on behalf of Binbank (merged with Otkritie Bank since 2019) and the Magnit retail chain. The text in the image below.

    Figure 4. A sample spam mailing used in the January campaign.

    The ZIP file contains a JavaScript file called “Info.js”. After extracting and running the file, it downloads a malicious loader detected by ESET products as Win32 / Injector. The loader decrypts and launches the final payload - the Shade encoder.

    The malicious downloader is downloaded from the URL of compromised legitimate WordPress sites, where it disguises itself as an image. To compromise WordPress pages, attackers use a massive automated brute force attack using bots. Our telemetry records hundreds of URLs that host a malicious loader, all addresses end with the ssj.jpg line.

    The loader is signed with an invalid digital signature, which is allegedly issued by Comodo. The Signer information field value and timestamp are unique for each sample.

    Figure 5. Counterfeit digital signature used by the malicious loader

    In addition, the bootloader is trying to disguise itself, posing as a legitimate system process Client Server Runtime Process (csrss.exe). It copies itself to C: \ ProgramData \ Windows \ csrss.ex, where Windows is a hidden folder created by the bootloader; usually in the ProgramData this folder is not.

    Figure 6. Malicious software that is a system process and uses version information copied from a legitimate Windows Server 2012 R2 binary file

    Shade Encoder

    The final payload is the Shade (Troldesh) encoder. It was first discovered in the wild at the end of 2014, and has since been repeatedly updated. Shade encrypts a wide range of files on local drives. In the new campaign, he adds the extension .crypted000007 to the encrypted files.

    The victim receives payment instructions in Russian and English in the TXT file stored on the infected computer. The text is the same as in the last campaign in October 2018.

    Figure 7. Shade buyout requirements, January 2019

    Compromise indicators

    Examples of hashes of malicious ZIP attachments Detection of ESET: JS / Danger.ScriptAttachment Examples of hashes of JavaScript loaders Detection of ESET: Win32 / Injector Examples of hashes of the Shade encoder Detection of ESET: Win32 / Filecoder.Shade Characteristic line in the URLs that the Shade encryptor has




    Also popular now: