New Troldesh ransomware targets victims via compromised website URLs


Cybersecurity researchers from Sucuri have discovered that a new variant of the Troldesh ransomware has become more rampant in the past couple of weeks and is spreading via compromised websites. The threat actors involved in spreading the malware trick victims into visiting malicious URLs by sending emails and messages on social media platforms.

According to the researchers, when a victim opens the malicious URL, the compromised site serves a PHP file that in turn delivers a JavaScript file to the victim's computer. This JavaScript file acts as a host-based dropper: once run, it downloads the actual ransomware executable and infects the machine.

The researchers also noted that the attackers used at least two malicious URLs on compromised websites, so that if one of them stops working, the other continues to deliver the payload.

The malware targets Windows, as indicated by its use of JavaScript files as the delivery format. The Troldesh executables are stored on the victim's computer with some care: the dropper script first enumerates the important Windows system directories, then creates a randomly named directory in which it stores the malicious executable files.
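As an added illustration of how a defender might spot the chain the article describes (a downloaded .js file acting as a dropper that places an executable in a freshly created, randomly named directory), here is example detection code that is not part of the Sucuri report or this article. It assumes the JavaScript is executed through Windows Script Host (wscript.exe or cscript.exe), which the article does not state, and the process-creation event format and every sample event are constructed for the demonstration.

```python
"""Heuristic detection of a JavaScript-dropper chain in Windows process-creation
telemetry. Added example; the event format and all events are constructed."""
import re
from dataclasses import dataclass

# Assumption: the dropper .js is run by Windows Script Host (the article does not say).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations an ordinary user can write to; a .js launched from here is suspect.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata|programdata|public)\\", re.I)
# Executables under these roots are treated as trusted; anything else spawned by a
# suspicious script host is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# First .js argument on a command line, quoted or not.
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)(?=\s|$)', re.I)

# Constructed events: "timestamp|pid|ppid|image|command_line"
SAMPLE_EVENTS = r"""
2019-03-04T10:01:02Z|4012|3300|C:\Program Files\Mozilla Firefox\firefox.exe|"C:\Program Files\Mozilla Firefox\firefox.exe"
2019-03-04T10:01:15Z|4100|4012|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\Downloads\invoice_scan.js"
2019-03-04T10:01:19Z|4188|4100|C:\ProgramData\Kx9f2Qa\csrss.exe|"C:\ProgramData\Kx9f2Qa\csrss.exe"
2019-03-04T10:05:00Z|4200|3300|C:\Windows\System32\cscript.exe|cscript.exe C:\Scripts\inventory.js
2019-03-04T10:05:01Z|4211|4200|C:\Windows\System32\cmd.exe|cmd.exe /c dir
"""


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text):
    """Parse the constructed pipe-delimited event lines into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(Event(ts, int(pid), int(ppid), image, cmdline))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0]


def looks_random(name):
    """Heuristic: one alphanumeric token of 6+ chars mixing letters and digits."""
    return (bool(re.fullmatch(r"[A-Za-z0-9]{6,}", name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def detect_dropper_chain(events):
    """Return one alert per executable spawned by a script host that ran a .js
    file from a user-writable location. Real telemetry would also bound the
    parent/child match by time, since PIDs are reused."""
    alerts = []
    suspicious_hosts = {}  # pid -> path of the .js it executed
    for e in events:
        if basename(e.image) in SCRIPT_HOSTS:
            m = JS_ARG.search(e.cmdline)
            js_path = (m.group(1) or m.group(2)) if m else None
            if js_path and USER_WRITABLE.search(js_path):
                suspicious_hosts[e.pid] = js_path
    for e in events:
        if e.ppid in suspicious_hosts and not e.image.lower().startswith(TRUSTED_ROOTS):
            dir_leaf = dirname(e.image).rsplit("\\", 1)[-1]
            alerts.append({
                "ts": e.ts,
                "host_pid": e.ppid,
                "script": suspicious_hosts[e.ppid],
                "child": e.image,
                "random_dir": looks_random(dir_leaf),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dropper_chain(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The allowlist of trusted roots, rather than a blocklist of bad paths, is what catches an executable dropped into a directory the script just created; the random-name check is only a secondary indicator, since ordinary installers also create opaque directory names.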

The researchers' report pointed out that the Troldesh ransomware is unlikely to stay hidden on a Windows file system for long. According to the report, the malicious JavaScript dropper has a 57% detection rate across antivirus products, and the ransomware executable it downloads has a detection rate of 82%.

If the antivirus program installed on the victim's computer detects neither the dropper nor the ransomware executable, the ransomware begins encrypting files on the computer using a notable method.

Interestingly, the threat actor also provides a .onion URL as an alternative means of communication in case the contact email address stops working. The researchers noted that this feature was added in the latest variant of the Troldesh ransomware.
