- The malspam contains fake PDF files with links instead of a zip archive that was present in earlier campaigns.
Shade ransomware which emerged in 2015, seems to be continuously evolving by employing new tricks in its campaigns. A latest malspam campaign is a good example of the ever-changing tactics of the attackers behind it.
Use of malicious PDFs
This campaign, which was discovered by security researcher Brad Duncan, featured spam emails written in the Russian language. Moreover, the attachments were PDF files with malicious links instead of a zip archive witnessed in previous Shade ransomware campaigns.
When the malspam was examined for different samples, it was found to contain a variety of subject lines as well as spoofed sending addresses and message text -- each one distinct for different victims. However, every sample mail featured a body documenting either an order or an invoice.
Additionally, there is a surge in Internet traffic for the system after infection. This is due to the attacker's C&C communication with the system for further actions.
English version also likely to exist
Brad Duncan also suggests that an English version malspam is likely to be circulating just like an earlier campaign that was witnessed in 2017.
“As I stated last time, Russian language malspam pushing Shade/Troldesh ransomware is nothing new. Since I first posted a diary about it back in 2016, it's never disappeared for long. Nor is this malspam limited to the Russian language,” the researcher wrote.