Agile Botnet Shifts to New Ransomware

Tuesday, December 6, 2016 @ 03:12 PM gHale

Agility is the hallmark of any good company or product, and the Kelihos botnet is no exception: it is dropping one ransomware for another, researchers said.

Kelihos is now spreading the Troldesh encryption ransomware via spam emails containing URLs that link either to a .zip archive holding a JavaScript file or to a Microsoft Word document.


This is the first time the botnet is using JavaScript files to infect users, Arsh Arora, malware analyst and Ph.D. researcher at The University of Alabama at Birmingham, said in a blog post.

“Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFile2 ransomware in August,” Arora said. “Then it shifted its focus towards different banking Trojans such as Panda Zeus, Nymaim and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware.”

The malware encrypts users’ files and adds the .no_more_ransom extension to them.

The Troldesh distribution campaign targeted email addresses ending in “.au” specifically, so only Australian users are likely to have received the ransomware.

At the same time, the botnet was delivering dating spam to “.pl” email addresses, was spamming “.us” users to recruit them as money mules, and was pushing pharmaceutical spam to all other geographies, Arora said.

The spam messages linking to the Troldesh ransomware featured a credit debt theme and were impersonating Bank of America.

“While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using the Credit Debt theme. The most important fact is that some of the URLs were redirected to download a .zip file containing a JavaScript file, while other links download a Microsoft Word document,” Arora said.

Intended victims were told of an outstanding debt and encouraged to open the linked file, supposedly to see the exact details of their situation. Opening it instead downloaded Troldesh onto the victim’s machine.

After encrypting users’ files, the ransomware dropped a ransom note (in both Russian and English) on the desktop. Users were instructed to contact the ransomware authors via a Gmail address to receive the instructions needed to decrypt their files. The note also told them to download Tor and access .onion addresses via their browsers.
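The two observable traits the article reports, the .no_more_ransom extension on encrypted files and a ransom note that points to a Gmail address and to Tor/.onion addresses, are enough for a first-pass host triage. The Python below is an added example written for this page, not code from the article or from the UAB researchers. The file listing, the note text (including its Gmail address and .onion host) and the alert thresholds are constructed for illustration; the note's filename is not given in the article, so the script takes note text as a separate input rather than guessing a name.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Indicator reported in the article: encrypted files get this extension appended.
TROLDESH_EXT = ".no_more_ransom"

# Ransom note traits reported in the article: a Gmail contact address and
# instructions to install Tor and visit .onion addresses.
GMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@gmail\.com", re.IGNORECASE)
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
TOR_RE = re.compile(r"\btor\b", re.IGNORECASE)


def encrypted_files(paths):
    """Return the paths that carry the Troldesh extension (case-insensitive)."""
    return [p for p in paths if p.lower().endswith(TROLDESH_EXT)]


def affected_directories(paths):
    """Count encrypted files per directory.

    Mass encryption touches many directories at once; a single stray file with
    an odd extension does not, so the spread is a better signal than the count.
    """
    return Counter(str(PurePosixPath(p).parent) for p in encrypted_files(paths))


def looks_like_troldesh_note(text):
    """Heuristic match for the note described in the article:
    a Gmail contact plus Tor or .onion instructions."""
    has_gmail = GMAIL_RE.search(text) is not None
    has_tor = ONION_RE.search(text) is not None or TOR_RE.search(text) is not None
    return has_gmail and has_tor


def triage(paths, note_texts, min_files=10, min_dirs=2):
    """Combine the file-extension sweep with the note heuristic.

    Thresholds are assumptions for this example, not values from the article.
    """
    enc = encrypted_files(paths)
    dirs = affected_directories(paths)
    note_hit = any(looks_like_troldesh_note(t) for t in note_texts)
    mass_encryption = len(enc) >= min_files and len(dirs) >= min_dirs
    return {
        "encrypted_files": len(enc),
        "directories": len(dirs),
        "ransom_note": note_hit,
        "alert": mass_encryption or note_hit,
    }


# Constructed sample data: a fictitious home directory after encryption and a
# fictitious bilingual note. Addresses and hosts are placeholders, not real IoCs.
SAMPLE_PATHS = [f"/home/alice/Documents/report{i}.docx.no_more_ransom" for i in range(8)] + [
    "/home/alice/Pictures/holiday1.jpg.no_more_ransom",
    "/home/alice/Pictures/holiday2.jpg.no_more_ransom",
    "/home/alice/Documents/notes.txt",
]
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "Ваши файлы были зашифрованы.\n"
    "To get them back, write to example.contact@gmail.com\n"
    "Or install Tor Browser and open http://abcdefghijklmnop.onion/\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, [SAMPLE_NOTE]))
```

Run it against a real listing by feeding `triage()` the output of a recursive directory walk and the contents of any new text files found on the desktop; the regexes are deliberately loose, so treat a hit as a trigger for a closer look rather than as attribution.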
