Win32/Injector, which is downloaded from the URLs of legitimate WordPress sites that were previously compromised by automated bots using brute-force attacks.
"Our telemetry data shows hundreds of such URLs, all ending with the string 'ssj.jpg', hosting the malicious loader file," Janosik wrote.

The downloader subsequently decrypts and launches Shade, which is also known as Troldesh. ESET notes in its blog post that Shade has existed in the wild since late 2014, and encrypts "a wide range of file types on local drives" before presenting the victim with ransom instructions written in Russian and English.

Brad Duncan, a handler with the SANS Internet Storm Center, previously addressed this Shade operation in a SANS ISC InfoSec forum post that was published shortly after the October campaign was discovered. In the post, Duncan said that potential victims "would need to be on a vulnerable Windows host with poor security measures" in order to be infected by opening the malicious attachment.

Duncan said that upon analyzing the malware in his lab environment, he found that the host started generating Tor traffic, and then "checked its IP address and generated encrypted SMTP traffic to smtp.mail.ru."

"This reminded me of click fraud traffic," said Duncan.
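The two network indicators reported above, loader downloads from URLs ending in "ssj.jpg" and outbound encrypted SMTP to smtp.mail.ru, can be turned into a simple correlation check over proxy and firewall logs. The following is an added example written for this article, not code from ESET, SANS ISC or the researchers quoted; the log line format, the workstation names and the `.invalid` web hostnames are constructed for the demonstration, and the Tor activity Duncan observed is not modelled here.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the article: the loader URL suffix and the SMTP host.
LOADER_SUFFIX = "ssj.jpg"
SMTP_HOST = "smtp.mail.ru"
SMTP_PORTS = {25, 465, 587}

# Constructed sample log (assumed format: "<timestamp> <source host> HTTP <url>"
# for proxy records and "<timestamp> <source host> TCP <host>:<port>" for
# firewall records). None of these lines come from the article.
SAMPLE_LOG = """\
2019-01-29T10:02:11Z ws-17 HTTP http://blog.example-site.invalid/wp-content/uploads/ssj.jpg
2019-01-29T10:02:15Z ws-17 HTTP http://blog.example-site.invalid/wp-content/uploads/logo.jpg
2019-01-29T10:05:40Z ws-17 TCP smtp.mail.ru:465
2019-01-29T10:06:02Z ws-22 HTTP https://news.example-site.invalid/ssj.jpg?x=1
2019-01-29T10:07:30Z ws-31 TCP smtp.mail.ru:587
2019-01-29T10:08:00Z ws-40 HTTP https://cdn.example-site.invalid/images/photo.jpg
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>HTTP|TCP)\s+(?P<target>\S+)$"
)


def parse_line(line):
    """Return a dict with ts/src/kind/target, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_loader_url(url):
    """True when the URL path (query string ignored) ends with the loader suffix."""
    path = urlparse(url).path.lower()
    return path.endswith(LOADER_SUFFIX)


def is_mailru_smtp(target):
    """True for a host:port target that is smtp.mail.ru on a common SMTP port."""
    host, sep, port = target.rpartition(":")
    return sep == ":" and host.lower() == SMTP_HOST and port.isdigit() and int(port) in SMTP_PORTS


def scan(log_text):
    """Collect per-host hits for each indicator and the hosts showing both."""
    loader_hits = defaultdict(list)  # source host -> loader URLs fetched
    smtp_hits = defaultdict(list)    # source host -> smtp.mail.ru connections
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "HTTP" and is_loader_url(rec["target"]):
            loader_hits[rec["src"]].append(rec["target"])
        elif rec["kind"] == "TCP" and is_mailru_smtp(rec["target"]):
            smtp_hits[rec["src"]].append(rec["target"])
    # A host that both fetched a loader URL and talked to smtp.mail.ru is the
    # strongest signal; either indicator alone deserves a lower-priority alert.
    correlated = sorted(set(loader_hits) & set(smtp_hits))
    return {
        "loader_hosts": dict(loader_hits),
        "smtp_hosts": dict(smtp_hits),
        "correlated": correlated,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for host in result["correlated"]:
        print(f"{host}: loader download and smtp.mail.ru traffic seen")
    for host, urls in result["loader_hosts"].items():
        print(f"{host}: loader URL(s) {urls}")
```

Matching on the URL path rather than the raw string keeps a trailing query string from hiding the suffix, and the correlation set is what an analyst would page on first; the single-indicator lists remain useful for triage because a host may have downloaded the loader without the ransomware having reached the SMTP stage yet.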