- Malicious actors are leveraging compromised websites to infect victims with Troldesh ransomware.
- The malware is usually caught by AV tools, but not always.
- The actors use the Tor network for exfiltration and communication, and at least two compromised websites host the payload for redundancy.
According to a report by Sucuri researchers, Troldesh ransomware activity has risen over the past couple of weeks, with compromised websites serving as the main distribution channel. The actors send emails and social-media messages that lure potential victims into visiting a URL on a compromised site. That URL loads a PHP file, which in turn serves a JScript file for download onto the victim's computer. This second file is the host-based malware dropper: once executed, it downloads the Troldesh ransomware executable.
As the researchers point out, the JScript file's name suggests that the actors may initially have tried to pose as Ural Airlines, but the actual campaign has no connection to the airline. Analysis of the JScript file also revealed that the actors use at least two compromised websites to host the malware, so that the download still works if one of them goes offline. To store the Troldesh executable, the script first looks up the paths of the main Windows system directories and then generates a random directory name.
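The two-stage chain described above (a JScript dropper run by the Windows script host, then a payload launched from a randomly named directory under a system folder) is something a defender can hunt for in endpoint process telemetry. The following Python is an added example written for this page, not code from Sucuri or from the article. The Sysmon-style event fields, the constructed sample events, the list of system roots, the user-writable path pattern and the entropy threshold are all assumptions; tune them to the environment.

```python
"""Heuristic detection of the Troldesh-style dropper chain described above.

Added example (not code from Sucuri or the article). It scans constructed
Sysmon-style process-creation events for two behaviours the report describes:
  1. a JScript dropper run by wscript.exe/cscript.exe from a user-writable path;
  2. a child executable started from a randomly named directory placed
     directly under a Windows system folder, with the script host as parent.
Event layout, field names, roots and thresholds are assumptions for this example.
"""
import math
import re
from collections import Counter

# Windows folders the dropper is described as querying before it picks a
# random directory name. Assumed list; extend for the environment.
SYSTEM_ROOTS = (
    r"c:\windows",
    r"c:\programdata",
    r"c:\users\public",
)
# Locations a mail/social-media lure typically lands in (assumed pattern).
USER_WRITABLE = re.compile(
    r"\\(downloads|temp|tmp|appdata\\local\\temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.jse?\b", re.IGNORECASE)


def shannon_entropy(name: str) -> float:
    """Bits of entropy per character; random names score higher than words."""
    if not name:
        return 0.0
    counts = Counter(name.lower())
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_dir_under_system_root(path: str) -> bool:
    """True if <root>\\<dirname>\\<file> where root is a system folder and
    dirname is long and high-entropy. Threshold 3.0 bits is an assumption:
    'system32' scores 2.75, a 12-char random alnum name about 3.58."""
    low = path.lower()
    for root in SYSTEM_ROOTS:
        if low.startswith(root + "\\"):
            parts = low[len(root) + 1:].split("\\")
            if len(parts) == 2:
                dirname = parts[0]
                return len(dirname) >= 8 and shannon_entropy(dirname) >= 3.0
    return False


def detect_dropper_chain(events):
    """Return (rule, ProcessId) alerts, correlating stage 2 back to stage 1."""
    alerts = []
    dropper_pids = set()
    # Stage 1: script host executing a .js/.jse from a user-writable location.
    for ev in events:
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        cmd = ev.get("CommandLine", "")
        if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            dropper_pids.add(ev["ProcessId"])
            alerts.append(("jscript_dropper_from_user_path", ev["ProcessId"]))
    # Stage 2: script host spawning a binary out of a random system-root subdir.
    for ev in events:
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent in SCRIPT_HOSTS and is_random_dir_under_system_root(ev["Image"]):
            rule = ("payload_from_random_dir_after_dropper"
                    if ev.get("ParentProcessId") in dropper_pids
                    else "payload_from_random_dir")
            alerts.append((rule, ev["ProcessId"]))
    return alerts


# Constructed sample telemetry: two benign events and the two-stage chain.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentProcessId": 500,
     "Image": r"C:\Users\alice\Downloads\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\setup.exe"'},
    {"ProcessId": 1002, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\invoice.js"'},
    {"ProcessId": 1003, "ParentProcessId": 1002,
     "Image": r"C:\ProgramData\k7qz3mfwt9xa\svchost.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\ProgramData\k7qz3mfwt9xa\svchost.exe"},
    {"ProcessId": 1004, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cscript.exe "C:\Windows\System32\slmgr.vbs" /dlv'},
]

if __name__ == "__main__":
    for rule, pid in detect_dropper_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The stage-2 rule alone will fire on some legitimate installers that unpack into a temporary directory under ProgramData, which is why the correlated variant (parent is the script host that just ran a script from a download folder) is the one worth paging on; the uncorrelated hit is better used as a hunting lead.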
Finally, it is notable that the actors use the Tor network, sending the data they collect about the victim's machine to the attacker's server over a Tor connection. They also use a .onion URL to give victims an alternative communication channel through a feedback form. This appears to have been added at a later stage, possibly after the extortionists lost access to their email addresses once those had been reported.