Attackers this month have revived an email phishing operation that targets Russian speakers with Shade ransomware served via malicious JavaScript attachments.
The scam first emerged in a campaign that began in mid-October of last year, before dying down over the holiday period. But January ushered in a more intense second phase that doubled the previous campaign's attack volume, reported Juraj Janosik, senior software engineer at ESET, in a company blog post on Monday.
Janosik said that 52 percent of the Shade attachments ESET detected between Jan. 1 and Jan. 24 went to Russian addresses, while the next most targeted countries were Ukraine, France, Germany and Japan.
The phishing emails feature Russian subject lines and content that attempt to trick recipients into believing they have received order updates from legitimate organizations such as Russian bank B&N Bank and the retail chain Magnit. One sample email was supposedly sent from a company manager with details from an unspecified order.
The malicious JavaScript files are found within a ZIP archive file named info.zip or inf.zip. Opening the .js file unleashes a malicious downloader identified as
Win32/Injector, which is downloaded from the URLs of legitimate WordPress sites that were previously compromised by automated bots using brute-force attacks.
"Our telemetry data shows hundreds of such URLs, all ending with the string “ssj.jpg”, hosting the malicious loader file," Janosik wrote.
The downloader subsequently decrypts and launches Shade, which is also known as Troldesh. ESET notes in its blog post that Shade has existed in the wild since late 2014, and encrypts "a wide range of file types on local drives" before presenting the victim with ransom instructions written in Russian and English.
Brad Duncan, a handler with the SANS Internet Storm Center, previously addressed this Shade operation in a SANS ISC InfoSec forum post that was published shortly after the October campaign was discovered. In the post, Duncan said that potential victims "would need to be on a vulnerable Windows host with poor security measures" in order to be infected by opening the malicious attachment.
Duncan said that upon analyzing the malware in his lab environment, he found that the host started generating Tor traffic, and then "checked its IP address and generated encrypted SMTP traffic to smtp.mail.ru."
"This reminded me of click fraud traffic," said Duncan.