{"id":86754,"date":"2018-09-03T17:22:13","date_gmt":"2018-09-03T11:52:13","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86754"},"modified":"2018-09-05T14:37:21","modified_gmt":"2018-09-05T09:07:21","slug":"troldeshs-one-variant-encryption-offender","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/troldeshs-one-variant-encryption-offender\/","title":{"rendered":"\u201cTroldesh’s\u201d One More Variant in the Encryption\u00a0Offender"},"content":{"rendered":"

Over the past few days, we have been observing criminals\/hackers using a new carrier to deliver the ransomware malware. Recently, Quick Heal Security Labs observed a new variant of Troldesh ransomware which encrypts the data and adds\u00a0the extension as \u201c.no_more_ransom\u201d<\/b><\/strong>. This ransomware comes under Crypto-Ransomware variant, the origin of this is said to be from Russia and from there it is spread all over the world. There are various names for this ransomware they are Troldesh, aka Encoder.858 or Shade.<\/p>\n

Infection Vector<\/b><\/strong><\/p>\n

It has been observed that this ransomware is spread basically through<\/p>\n

    \n
  1. RDP Brute-force Attack<\/li>\n
  2. Spam and phishing emails<\/li>\n
  3. Exploit Kits<\/li>\n<\/ol>\n

    In RDP Brute-force Attack, the Remote Desktop Protocol (RDP) running on port 3389\u00a0is targeted with a typical brute force attack. As a result the attacker gets hold of victim\u2019s administrative user credentials and then it executes the ransomware payload on the victim\u2019s system to infect the data.<\/p>\n

    In spam or phishing emails, users receive emails which will lead to phishing sites that will download a macro based word document\/js file or malicious payload directly. Another way is directly attaching a document inside the email or sometimes attaching a compressed file having a malicious payload file.<\/p>\n

    Payload Analysis<\/b><\/strong><\/p>\n

    When the malicious file gets executed it drops the copy of itself at the below location \u201c AppData\\Roaming\\ \u201c. Once it drops its copy it deletes the actual payload from where it has been executed and then executes the payload from Appdata location.<\/p>\n

    The actual payload contains\u00a0the below command which is used to create the self copy at Appdata location,when malicious payload is executed it launches the schtasks.exe(Schedule Tasks) with the below command which creates a task named as Encrypter :<\/p>\n

    “C:\\Windows\\System32\\schtasks.exe” \/Create \/SC MINUTE \/TN Encrypter \/TR <\/i><\/b><\/em><\/strong> C:\\Users\\user_name\\AppData\\Roaming\\info.exe<\/i><\/b><\/em><\/strong><\/p>\n

    Where,<\/p>\n

    \/SC MINUTE : Specifies the schedule type.<\/p>\n

    \/TN ENCRYPTER : Specifies a name for the task.<\/p>\n

    \/tr C:\\Users\\XXXX\\AppData\\Roaming\\info.exe : Specifies the program or command that the task runs.<\/p>\n

    \"\"Fig 1 : Process Execution<\/p>\n

    The payload has been scheduled\u00a0to run after every 1 min, it has a wait time of 1 hour and execution time limit of 72 hours.\u00a0Once the ransomware payload gets executed it then encrypts the file and adds\u00a0the extension as \u201c .no_more_ransom\u201d<\/b><\/strong>.<\/p>\n

    \"\"Fig 2: Created Task<\/p>\n

    \"\"Fig 3: Task Details<\/p>\n

    During our analysis we have also found that the malicious payload also contains the Anti-debugging identifier which detects whether the calling process is being debugged by a user-mode debugger or not. Below image represents\u00a0the example of the same,\u00a0when the payload is executed and if any debugger is in running state then it gives\u00a0the below prompt\/error message.<\/p>\n

    \"\"Fig 5: Debugger Prompt\/Error Message<\/p>\n

    Encryption Note<\/b><\/strong><\/p>\n

    \"\"<\/p>\n

    Quick Heal Detection<\/b><\/strong><\/p>\n

    Quick Heal Virus Protection successfully detects and deletes malicious payload.<\/p>\n

    \"\"Fig 6: Virus Protection<\/p>\n

    Behaviors detection module of Quick\u00a0Heal also detects the malicious payload by its behavior and successfully blocks\/quarantines\u00a0the malicious payload.<\/p>\n

    \"\"<\/p>\n

    Fig 7: Behavior Detection<\/p>\n

    Anti-ransomware feature of Quick\u00a0Heal detects\u00a0the malicious payload.<\/p>\n

    \"\"Fig 8: Anti-Ransomware Detection.<\/p>\n

    Best practices to stay safe from such malware attacks<\/b><\/strong><\/p>\n