New variant of Troldesh Ransomware targets victims via compromised website URLs


The newer variant first downloads a JavaScript host file which, when executed, downloads the actual ransomware file.
The threat actors use TOR for data transmission and communication with victims, and two malicious URLs for ransomware file delivery.

A new variant of the Troldesh ransomware has been observed rising over the past couple of weeks, spreading via compromised websites. The threat actors behind the campaign trick victims into visiting malicious URLs through emails and messages on social media platforms.


How is the malware delivered?


According to security researchers from Sucuri, when someone clicks on the malicious URL, a PHP file on the compromised website is loaded, which in turn downloads a JavaScript file to the victim's computer. This JavaScript file acts as a host-based malware dropper: once executed on the victim's computer, it downloads the actual ransomware file.


Researchers also noted that the threat actors used at least two malicious URLs on compromised websites, so that if one of them stops working, the other continues to deliver the payload.
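The delivery chain above (a downloaded JavaScript file executed on the victim's machine, which then fetches the ransomware) leaves a detectable pattern on Windows endpoints: a script host such as wscript.exe or cscript.exe launching a .js file from a user-writable location and then making an outbound connection. The following detection logic is an added example and is not code from Sucuri or the article; the log format, field names, process IDs and the 203.0.113.10 destination are constructed for illustration.

```python
"""Flag a JavaScript dropper run through Windows Script Host that then
reaches out to the network (downloaded .js -> executed -> second stage).

Added example; the pipe-separated event format below is constructed and
does not correspond to any particular product's schema.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events: timestamp|event|pid|image|detail
# ProcessCreate detail = command line; NetworkConnect detail = destination.
# Only the wscript.exe line (pid 4388) matches the dropper pattern; the
# cscript.exe line runs a script from an admin-controlled path and is benign.
SAMPLE_LOG = """\
2019-01-15T09:12:01|ProcessCreate|4120|C:\\Program Files\\Mozilla Firefox\\firefox.exe|"C:\\Program Files\\Mozilla Firefox\\firefox.exe"
2019-01-15T09:12:40|ProcessCreate|4388|C:\\Windows\\System32\\wscript.exe|"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\Downloads\\order details.js"
2019-01-15T09:12:41|NetworkConnect|4388|C:\\Windows\\System32\\wscript.exe|203.0.113.10:80
2019-01-15T09:12:43|ProcessCreate|4390|C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe|"C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"
2019-01-15T09:13:05|ProcessCreate|4402|C:\\Windows\\System32\\cscript.exe|"C:\\Windows\\System32\\cscript.exe" C:\\Scripts\\inventory.js
2019-01-15T09:13:06|NetworkConnect|4402|C:\\Windows\\System32\\cscript.exe|10.0.0.5:445
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directory names a normal user can write to; scripts run from here deserve scrutiny.
USER_WRITABLE = {"downloads", "temp", "appdata", "desktop"}
# A Windows path ending in .js, quoted or not, anywhere in the command line.
SCRIPT_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.js)(?=["\s]|$)', re.IGNORECASE)


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, image, detail = line.split("|", 4)
        events.append({"ts": ts, "kind": kind, "pid": int(pid),
                       "image": image, "detail": detail})
    return events


def script_from_cmdline(cmdline):
    """Return the .js path passed to the script host, or None."""
    m = SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def in_user_writable(path):
    """True if any directory component is a typical user-writable location."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE)


def detect(events):
    """Correlate script-host launches with later network activity by the same pid.

    Returns a list of (timestamp, severity, message) tuples."""
    suspects = {}  # pid -> script path of a suspicious script-host launch
    alerts = []
    for ev in events:
        exe = PureWindowsPath(ev["image"]).name.lower()
        if ev["kind"] == "ProcessCreate" and exe in SCRIPT_HOSTS:
            script = script_from_cmdline(ev["detail"])
            if script and in_user_writable(script):
                suspects[ev["pid"]] = script
                alerts.append((ev["ts"], "medium",
                               f"{exe} ran {script} from a user-writable location"))
        elif ev["kind"] == "NetworkConnect" and ev["pid"] in suspects:
            alerts.append((ev["ts"], "high",
                           f"script host (pid {ev['pid']}) running "
                           f"{suspects[ev['pid']]} connected to {ev['detail']}: "
                           f"likely second-stage download"))
    return alerts


if __name__ == "__main__":
    for ts, severity, msg in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts} [{severity}] {msg}")
```

The first alert fires on the launch alone, which is noisy on its own; the correlation with the follow-up connection from the same process is what raises confidence that the script is a downloader rather than a stray file a user opened. On a real endpoint the same two conditions map onto process-creation and network-connection telemetry from whatever EDR or Sysmon-style source is in place.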


How do the threat actors trick victims?


After examining the JavaScript host file, researchers pointed out that its filename was in Russian and translates to "Details of the order of JSC Airline Ural Airlines". This suggests the threat actors may have initially targeted Ural Airlines customers with a spoofed lure before spreading to a wider audience. The researchers added, however, that the malware and the campaign have no relation to the airline brand itself.


Which OS does the malware target?


The malware is found to target Windows OS, as it uses the ..
