• Russian-language spam that carries ransomware has been detected in growing numbers recently.
  • The spam delivers the infamous ransomware called Shade, also known as Troldesh.

A recent blog post by ESET researchers details a spam campaign that has grown over the past few months. The campaign distributes emails written in Russian and delivers the Shade ransomware, also known as Troldesh.

The campaign was first observed in October last year. The researchers believe it is part of a resurgence of attacks that rely on malicious JavaScript attachments.

Though the campaign primarily targets Russian-speaking users, it has also affected users in other countries, including Ukraine, France, Germany and Japan. According to ESET's telemetry, Russia accounted for 52 percent of total detections of the malicious JavaScript attachments.

JavaScript attacks are back

According to the blog post on WeLiveSecurity, the spam carries an attachment named either “info.zip” or “inf.zip”. The ZIP archive contains a JavaScript file. When the user runs it, the script downloads a malicious loader, detected by ESET as Win32/Injector, which in turn launches the Shade ransomware.

Once running, Shade drops ransom notes as .txt files into every folder on every drive of the infected computer.
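The attachment stage of this chain is the point where mail filtering can still stop it: a ZIP archive whose only content is a script that Windows will hand to the script host when double-clicked. The following Python is an added example, not code from ESET or from this article. It builds a constructed test message modelled on the campaign (an info.zip attachment holding a single .js file; the JavaScript body is an inert placeholder, and the member name order.js, the sender and recipient addresses are all invented) and then inspects every ZIP attachment, identified by its bytes rather than its declared MIME type, for members with executable or script extensions.

```python
import base64
import io
import os
import zipfile
from email import message_from_bytes
from email.policy import default
from typing import Dict, List

# Extensions Windows executes or hands to a script host on double-click.
# The campaign uses .js; the rest are the usual companions for the same
# delivery trick. This is our triage list, not one published by ESET.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".scr", ".exe", ".lnk",
}

# Inert stand-in for the downloader script (constructed, not the real one).
PLACEHOLDER_JS = "// placeholder, not malicious\n"


def build_sample_email(member_name: str = "order.js") -> bytes:
    """Construct a test message shaped like the campaign's 'order update':
    a short text body plus an info.zip attachment with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, PLACEHOLDER_JS)
    zip_b64 = base64.encodebytes(buf.getvalue()).decode("ascii")

    raw = (
        "From: orders@example.invalid\r\n"          # invented sender
        "To: victim@example.invalid\r\n"            # invented recipient
        "Subject: Order update\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        'Content-Type: text/plain; charset="utf-8"\r\n'
        "\r\n"
        "Details attached.\r\n"
        "--b1\r\n"
        'Content-Type: application/zip; name="info.zip"\r\n'
        'Content-Disposition: attachment; filename="info.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        + zip_b64
        + "--b1--\r\n"
    )
    return raw.encode("utf-8")


def _extension(name: str) -> str:
    # Only the final suffix matters: "invoice.pdf.js" runs as JavaScript.
    return os.path.splitext(name)[1].lower()


def suspicious_attachments(raw_message: bytes) -> List[Dict[str, object]]:
    """Return one record per script-like member found inside ZIP attachments.

    Each record names the attachment, the member inside it, its extension
    and its uncompressed size, so an analyst sees what would actually run."""
    msg = message_from_bytes(raw_message, policy=default)
    findings: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared Content-Type: a ZIP local file
        # header starts with "PK\x03\x04".
        if not payload.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    ext = _extension(info.filename)
                    if ext in SCRIPT_EXTENSIONS:
                        findings.append({
                            "attachment": filename,
                            "member": info.filename,
                            "extension": ext,
                            "size": info.file_size,
                        })
        except zipfile.BadZipFile:
            # A PK prefix that will not parse is itself worth a look.
            findings.append({"attachment": filename, "member": None,
                             "extension": None, "size": len(payload),
                             "note": "corrupt or truncated ZIP"})
    return findings


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample_email()):
        print(hit)
```

The check keys on the ZIP magic rather than the `application/zip` label because a sender controls the MIME headers, and it looks only at the final suffix of each member name because that is what Windows uses to pick the handler, so a double extension such as `invoice.pdf.js` is still caught.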

Modus Operandi

“These malicious emails pose as order updates, seemingly coming from legitimate Russian organizations. The emails we have seen impersonate the Russian bank B&N Bank (note: recently merged with Otkritie Bank), and the retail chain Magnit,” the researchers explain.

The malicious loader, disguised as an image file, is downloaded from URLs on compromised WordPress sites. To obtain these hosting locations, the attackers use automated bots to brute-force the login credentials of legitimate WordPress sites, then use the sites as launchpads for malware distribution.
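A proxy or egress monitor can catch the image disguise the same way a mail filter catches the ZIP: by comparing the file type the URL claims with the bytes actually served. The following Python is an added example, not code from ESET or from this article. The hostname and upload path, the FAKE_PE bytes (a hand-built MZ stub whose e_lfanew field points at a PE signature, not a runnable binary) and the JPEG header are all constructed for the demonstration.

```python
import os
from typing import Dict, Optional
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}

# Leading-byte signatures of common image formats. Our table, not ESET's.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}
# Body types that should never sit behind an image extension.
EXECUTABLE_KINDS = {"pe", "mz", "zip"}


def is_pe(data: bytes) -> bool:
    """A Windows PE starts with an MZ stub whose e_lfanew field (offset 0x3c)
    points at the 4-byte PE signature. Checking both avoids mistaking a
    random 'MZ' prefix for an executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> Optional[str]:
    """Identify a download by its bytes, ignoring URL and Content-Type."""
    if is_pe(data):
        return "pe"
    if data[:2] == b"MZ":
        return "mz"   # DOS stub only: a truncated PE or a plain DOS executable
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    for kind, sigs in IMAGE_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def check_download(url: str, data: bytes) -> Dict[str, object]:
    """Compare what the URL claims to be with what the body actually is.

    'suspicious' is set when the URL ends in an image extension but the
    body is a Windows executable or an archive, which is the disguise the
    article describes for the loader hosted on compromised WordPress sites."""
    ext = os.path.splitext(urlsplit(url).path.lower())[1]
    actual = sniff(data)
    return {
        "url": url,
        "claimed_extension": ext,
        "actual_kind": actual,
        "suspicious": ext in IMAGE_EXTENSIONS and actual in EXECUTABLE_KINDS,
    }


# Constructed samples: a 64-byte MZ stub with e_lfanew = 0x40 followed by
# the PE signature (not a working binary), and the first bytes of a JPEG.
FAKE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 20)
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    host = "http://compromised-blog.example.invalid"   # hypothetical host
    for path, body in [("/wp-content/uploads/photo.jpg", FAKE_PE),
                       ("/wp-content/uploads/photo.jpg", JPEG_HEAD),
                       ("/downloads/setup.exe", FAKE_PE)]:
        print(check_download(host + path, body))
```

The MZ-only case is kept as its own kind rather than dropped: a download cut short before the PE header is still not an image, and flagging it costs nothing. A URL that honestly ends in .exe is not flagged here, since the point of the check is the mismatch, not the file type on its own.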

The loader also carries a fake, invalid digital signature, present on every sample ESET detected. Once downloaded, it disguises itself as a legitimate system process on the affected machine. The ransomware then encrypts the victim's files and writes the ransom notes when encryption finishes.

Cyware Publisher