
New Russian language malspam distributes Shade ransomware

  • The malspam carries fake PDF files containing links, instead of the zip archive attached directly in earlier campaigns.
  • The rogue JavaScript file inside the downloaded zip archive fetches the Shade ransomware onto the system.

Shade ransomware, which emerged in 2015, continues to evolve by employing new tricks in its campaigns. The latest malspam campaign is a good example of the ever-changing tactics of the attackers behind it.

Use of malicious PDFs

This campaign, discovered by security researcher Brad Duncan, featured spam emails written in Russian. Moreover, the attachments were PDF files containing malicious links, instead of the zip archive seen in previous Shade ransomware campaigns.

Across the samples examined, the malspam used a variety of subject lines, spoofed sender addresses and message texts, each distinct for different victims. However, every sample featured a body describing either an order or an invoice.

The malicious links in the PDF attachments download this fake invoice or order. The downloaded file is saved as pic.zip and contains a rogue JavaScript (.js) file which, when executed, downloads the Shade ransomware onto the system.
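The infection chain above has two inspectable stages before the ransomware itself runs: a PDF whose only payload is a link, and a downloaded archive whose only content is a script file. The following triage script is an added example written for this page, not code from the article or from the researcher it cites; it checks raw PDF bytes for /URI link entries and zip archives for script-type members, and runs against constructed stand-in files (the placeholder host example.invalid, the harmless invoice.js stub and the extension list are all assumptions, not indicators from the campaign).

```python
import io
import re
import zipfile

# Extensions that warrant blocking or sandboxing when found inside a mailed
# or downloaded archive. The list is an assumption for this example; the
# article only mentions a .js file inside pic.zip.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}

# Matches "/URI (target)" entries in uncompressed PDF object data. A
# production scanner must also inflate compressed object streams; this
# heuristic only sees plain-text objects.
PDF_URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)


def pdf_links(data: bytes) -> list:
    """Return link targets found in raw PDF bytes (heuristic, plain objects only)."""
    return [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(data)]


def zip_script_members(data: bytes) -> list:
    """Return archive member names whose extension is script-like."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                hits.append(name)
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Flag a PDF that carries external links or an archive that carries scripts.

    File type is decided from magic bytes, not the filename, so a renamed
    archive is still inspected as an archive.
    """
    verdict = {"file": filename, "suspicious": False, "reasons": []}
    if data.startswith(b"%PDF"):
        links = pdf_links(data)
        if links:
            verdict["suspicious"] = True
            verdict["reasons"].append(
                "pdf contains %d external link(s): %s" % (len(links), ", ".join(links)))
    elif data.startswith(b"PK\x03\x04"):
        scripts = zip_script_members(data)
        if scripts:
            verdict["suspicious"] = True
            verdict["reasons"].append(
                "archive contains script file(s): " + ", ".join(scripts))
    return verdict


def build_samples() -> dict:
    """Constructed stand-ins for the campaign's artefacts (not real samples)."""
    # Minimal PDF skeleton with one link annotation pointing at a placeholder host.
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (http://example.invalid/download/pic.zip) >> >> endobj\n%%EOF")
    # Archive named like the one in the article, holding an inert JS stub.
    malicious = io.BytesIO()
    with zipfile.ZipFile(malicious, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, does nothing\n")
    # Control case: an archive with no script members.
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("report.txt", "quarterly figures\n")
    return {"order.pdf": pdf, "pic.zip": malicious.getvalue(),
            "report.zip": benign.getvalue()}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(triage(name, blob))
```

The PDF check is deliberately conservative: any external link in a mailed PDF is reported, because in this campaign the link itself is the lure and the document has no other content. At the mail gateway the same two checks can be applied to attachments, and at the proxy to downloads, so the chain is caught at either stage rather than only once the script runs.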

Additionally, the infected system shows a surge in Internet traffic after infection. This is the malware's command-and-control (C&C) communication, through which the attacker issues further instructions to the system.

English version also likely to exist

Brad Duncan also suggests that an English-language version of the malspam is likely to be circulating, as was the case in an earlier campaign witnessed in 2017.

“As I stated last time, Russian language malspam pushing Shade/Troldesh ransomware is nothing new. Since I first posted a diary about it back in 2016, it's never disappeared for long. Nor is this malspam limited to the Russian language,” the researcher wrote.
