Since the start of today, JSOC CERT analysts have been observing a massive malicious mailing of the Troldesh encryptor. Its functionality goes beyond that of a simple file encryptor: in addition to the encryption module, it can remotely control the workstation and load additional modules. In March of this year, we
The mailing is sent from a variety of addresses, and the body of each email contains a link to a compromised web resource running WordPress components. The link points to an archive containing a JavaScript file; when it is executed, the Troldesh encryptor is downloaded and launched.
The malicious emails evade most security tools because they contain a link to a legitimate (though compromised) web resource; the encryptor itself, however, is currently detected by most antivirus vendors. Note: since the malware communicates with C&C servers located in the Tor network, additional external modules can potentially be downloaded to the infected machine to "enrich" it.
Common features of this distribution include:
(1) an example of the mailing subject: "About the order"
(2) all links look alike: they contain the keywords /wp-content/ and /doc/, for example:
Horsesmouth[.]org/wp-content/themes/InspiredBits/images/dummy/doc/doc/
chestnutplacejp[.]com/wp-content/ai1wm-backups/doc/
(3) the malware communicates with various control servers via Tor
(4) the file C:\ProgramData\Windows\csrss.exe is created and registered in the registry under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run key (the value name is "Client Server Runtime Subsystem").
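A small triage script, added here as an example and not part of the original advisory, that checks email links and autorun entries against the indicators listed above. The sample links and Run entries are constructed; treating any csrss.exe outside the Windows system directory as suspicious is an assumption based on the path stated above.

```python
from urllib.parse import urlparse

# Constructed sample links, defanged with "[.]" as in the advisory; not real mail data.
SAMPLE_LINKS = [
    "http://horsesmouth[.]org/wp-content/themes/InspiredBits/images/dummy/doc/doc/",
    "http://chestnutplacejp[.]com/wp-content/ai1wm-backups/doc/",
    "https://example.com/wp-content/uploads/2019/report.pdf",  # WordPress, but no /doc/
    "https://example.org/docs/order.html",                     # /docs/ is not /doc/
]

# Constructed sample of Run-key entries as (value name, command) pairs.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
    ("Client Server Runtime Subsystem", "C:\\ProgramData\\Windows\\csrss.exe"),
]

# Legitimate csrss.exe lives here; anywhere else is assumed suspicious.
SYSTEM32 = "c:\\windows\\system32\\"


def refang(url):
    """Turn a defanged "example[.]com" link back into a parseable URL."""
    return url.replace("[.]", ".")


def suspicious_link(url):
    """True if the URL path carries both campaign keywords: /wp-content/ and /doc/."""
    path = urlparse(refang(url)).path.lower()
    return "/wp-content/" in path and "/doc/" in path


def suspicious_run_entry(name, command):
    """Flag the Run value name used by the campaign, or csrss.exe outside System32."""
    cmd = command.strip().strip('"').lower()
    if name.strip().lower() == "client server runtime subsystem":
        return True
    return cmd.endswith("csrss.exe") and not cmd.startswith(SYSTEM32)


def scan(links, run_entries):
    """Return the links and Run value names that match the advisory's indicators."""
    return {
        "links": [u for u in links if suspicious_link(u)],
        "run": [n for n, c in run_entries if suspicious_run_entry(n, c)],
    }


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LINKS, SAMPLE_RUN_ENTRIES).items():
        print(kind, hits)
```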
We recommend that you make sure your anti-virus databases are up to date, consider informing employees about this threat, and, where possible, tighten control over incoming emails showing the indicators above.
Source: habr.com