The Long Run of Shade Ransomware

Introduction

Between January and February, a new and intense ransomware campaign was observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cyber crime landscape, known since its massive infection of the Russian panorama back in 2015; its expansion has since been tracked by several CSIRTs and CERTs all across the world. As stated in a recent ESET report, Shade infections increased during October 2018, kept a constant trend until the second half of December 2018, took a break around Christmas, and then resumed in mid-January 2019 at twice the size (shown in Figure 1).

Figure 1. Trend of malicious JavaScript downloading Shade ransomware (source: ESET).

The latest attack wave was particularly interesting because the criminals tried to impersonate Russian oil and gas companies, in particular the Russian “PAO NGK Slavneft”, probably in order to hit a portion of this industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spread during the last week.

Technical analysis

The chosen infection vector is email, as usual and effective. The phishing email contains a .zip file named “slavneft.zakaz.zip”, which means something like “slavneft order” in English, a direct reference to “Slavneft”. It contains a JavaScript file with the Russian name “«ПАО «НГК «Славнефть» подробности заказа”, which again corresponds to “PAO NGK Slavneft order details”.

Figure 2. References to an Oil-Gas company

This file acts as the downloader in the infection chain, using a series of hard-coded server addresses. It relies heavily on obfuscation and encryption to evade antimalware detection.

Figure 3. JavaScript decryption routine

A few rounds of debugging and decryption reveal its inner, cleartext code:

Figure 4. Main of the JS script.

The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent; the variable “qF” is merely initialized with the other malicious URL. The payload is run several times only if the first server can be reached.

The JavaScript is probably still under maintenance, so the attacker may add further code lines later in order to retrieve the sample from other sources.

All the resources loaded by the JavaScript downloader point to compromised websites, mostly running the WordPress and Joomla CMSs. According to other firms, Treshold is able to leverage a “worm” module designed to search for and brute-force the login pages of several known CMS applications, such as WordPress and Joomla; an odd coincidence.

Once it gets into a website, it uploads a copy of the executable code: with this approach the malware keeps creating backup copies to increase its resilience to takedowns. However, the sample delivered in the last intercepted campaign is not configured to use this feature.

Hash         bf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb
Threat       Shade ransomware
Description  Fake image containing Shade ransomware malware
Ssdeep       24576:kcDD3THmsmB7K1k52fzgtv0HqIYG3yC3Q1KbeRho7KWU8RKDyAlAY:bTHmsq72zgtv0HYG37bD7KWU8UhV

Table 1: Shade ransomware information.

Despite its popularity, the Shade payload did not show a high detection rate at analysis time: only about a third of the antimalware engines detected it (24/69), even though the threat’s behaviour is as disruptive as it is recognizable. Shade encrypts all the user files using an AES encryption scheme, then appends the “.crypted000007” suffix to them and creates the ransom note in each folder of the system; the note is written in both English and Russian.
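The two host-side artifacts described above (the “.crypted000007” suffix and the README ransom note dropped per folder) are what an incident responder scopes an infection with. The following Python script is an added example, not code from the original report: it walks a directory tree, counts the encrypted files, recovers the original extensions from the file names, and lists every folder holding a ransom note. It builds a small constructed directory tree for demonstration; the rule that matches any “README*.txt” (rather than only “README.txt” as shown in Figure 7) is an assumption.

```python
import os
import tempfile
from collections import Counter

# Suffix appended by this Shade variant, as described in the report
SHADE_SUFFIX = ".crypted000007"


def is_ransom_note(name):
    """Match README.txt and numbered variants (README*.txt) - an assumption."""
    upper = name.upper()
    return upper.startswith("README") and upper.endswith(".TXT")


def triage_tree(root):
    """Walk `root` and summarize the visible signs of a Shade infection."""
    encrypted = []
    note_dirs = set()
    original_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SHADE_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                # "report.docx.crypted000007" -> original extension ".docx"
                stem = name[: -len(SHADE_SUFFIX)]
                original_ext[os.path.splitext(stem)[1].lower() or "<none>"] += 1
            elif is_ransom_note(name):
                note_dirs.add(dirpath)
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "original_extensions": dict(original_ext),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a partially encrypted host."""
    root = tempfile.mkdtemp(prefix="shade_triage_")
    layout = {
        "Documents/report.docx.crypted000007": b"\x00" * 16,
        "Documents/README.txt": b"ransom note placeholder",
        "Documents/notes.txt": b"untouched file",
        "Pictures/holiday.jpg.crypted000007": b"\x00" * 16,
        "Pictures/README.txt": b"ransom note placeholder",
        "Pictures/README2.txt": b"ransom note placeholder",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary = triage_tree(sample_root)
    print(f"{summary['encrypted_count']} encrypted files under {sample_root}")
    for folder in summary["note_dirs"]:
        print("ransom note found in", folder)
    print("original extensions hit:", summary["original_extensions"])
```

Run against a mounted image of the affected host, the extension histogram tells you what data classes were hit, and the note folders give an upper bound on how far the encryption loop got before it was stopped.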

Figure 5. VirusTotal view reporting the malware’s detection rate.
Figure 6. Background of the infected machine, after encryption phase.
Figure 7. Content of README.txt file.

Browsing to the specified darknet website shows a page containing a form to get in touch with the attacker, by entering the code extracted from the ransom note and an email address:

Figure 8. Ransomware Onion website.

Analyzing other threat reports from 2017, we noticed that the address did not change over time; the email address, however, did.

Figure 9. Comparison between the ransom note of Shade 2019 (up) and Shade 2017 (down, source: SonicWall).

Shade connects to its C2 server using embedded TOR libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner”. The behavioural analysis session recorded the execution of the ZCash miner, stored in the “C:\ProgramData\SoftwareDistribution\” folder.

Figure 10. Information about miner executable.

A quick review of the launching parameters shows interesting information:

  • the type and version of the mining client used by the attacker, an “NHEQ Miner” developed by NiceHash;
  • the mining pool abused by the criminal;
  • the wallet ID (t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep).

Despite this important information, it is difficult to identify the amount actually cashed out, because attackers typically use mixing techniques to divert investigations. However, the mining pool dashboard provides a clue about the current number of infected machines.
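The launch parameters of the miner are the most stable thing a defender can key on: the wallet ID and the drop folder reported above survive across campaigns, while file hashes change. As an added example (not code from the report or from NiceHash), the Python below parses process-creation command lines, extracts the pool and wallet arguments and flags a process when the wallet matches the report's IoC or the image runs from the “C:\ProgramData\SoftwareDistribution\” folder. The switch names (-l for pool location, -u for the wallet, -t for threads) are an assumption about the NHEQ Miner command line, and the events are constructed, not real telemetry.

```python
import shlex

# Indicators taken from the report: the wallet ID seen in the miner's
# launch parameters and the folder the ZCash miner module was dropped into.
KNOWN_WALLETS = {"t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep"}
DROP_DIR = "c:\\programdata\\softwaredistribution\\"

# Switch names assumed for the NHEQ Miner command line (an assumption,
# not data from the report): -l pool location, -u user/wallet, -t threads.
FLAG_NAMES = {"-l": "pool", "-u": "wallet", "-t": "threads"}


def parse_miner_cmdline(cmdline):
    """Split a Windows command line and pull out image path, pool, wallet, threads."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    info = {"image": tokens[0] if tokens else ""}
    i = 1
    while i < len(tokens):
        key = FLAG_NAMES.get(tokens[i].lower())
        if key and i + 1 < len(tokens):
            info[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return info


def assess_process(cmdline):
    """Return (parsed info, list of reasons) for one process-creation event."""
    info = parse_miner_cmdline(cmdline)
    reasons = []
    if info.get("wallet") in KNOWN_WALLETS:
        reasons.append("wallet matches the Shade miner IoC")
    if info["image"].lower().startswith(DROP_DIR):
        reasons.append("image runs from the Shade module drop folder")
    if "pool" in info and "wallet" in info:
        reasons.append("pool/wallet mining arguments present: " + info["pool"])
    return info, reasons


# Constructed process-creation events (not real telemetry): one miner launch
# modelled on the report's findings plus two benign processes. The pool host
# is a placeholder, not the pool actually observed.
SAMPLE_EVENTS = [
    '"C:\\ProgramData\\SoftwareDistribution\\nheqminer.exe" -l zcash.pool.example:3333 '
    '-u t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep -t 4',
    '"C:\\Windows\\System32\\svchost.exe" -k netsvcs',
    '"C:\\Program Files\\Editor\\editor.exe" -u report.docx',
]


def scan_events(events):
    """Return (command line, reasons) for every event carrying at least one reason."""
    hits = []
    for cmd in events:
        _info, reasons = assess_process(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in scan_events(SAMPLE_EVENTS):
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

The third sample event shows why the wallet match and the drop-folder check are kept separate from the generic “pool/wallet arguments present” signal: a benign program that also happens to take a -u switch yields no hit on its own.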

Figure 11. Flypool dashboard reporting info about attacker’s wallet.

Conclusions

The available OSINT information places the origin of the Treshold threat in mid-2017 and shows that the attackers have not changed their modus operandi and infrastructure much: the same wallet ID has been maintained over the years, and the propagation techniques and patterns are quite constant too.

Moreover, the huge list of compromised sites reported in the IoC section demonstrates once again how weak credentials are leveraged by this kind of threat actor to run profitable, years-long malicious campaigns without deep and costly changes to their TTPs.

Indicators of Compromise

DropURL
11/02
hxxp://projectmmo[.]ru/blog/slavneft.zakaz.zip
hxxp://equiracing[.]fr/templates/rhuk_milkyway_equiracing/css/messg[.]jpg
hxxp://coptermotion[.]aero/css/messg[.]jpg
hxxp://usep75[.]fr/wp-content/themes/usep75-2011_/js/messg[.]jpg
hxxp://www.katharinen-apotheke-braunschweig[.]de/wp-content/themes/zerif-lite/css/messg[.]jpg
hxxp://www[.]coptermotion[.]aero/css/messg[.]jpg
hxxp://senital[.]co[.]uk/templates/a4joomla-ocean-free/js/messg[.]jpg
hxxp://meble-robert[.]pl/wp-content/themes/septera/cryout/css/messg[.]jpg
hxxp://grenop-invest[.]cz/bin/messg[.]jpg

13/02
hxxp://primeeast[.]net/images/slavneft.zakaz.zip
hxxp://service.baynuri[.]net/.well-known/acme-challenge/messg[.]jpg
hxxp://parrocchiadellannunziata[.]it/cache/_system/messg[.]jpg

14/02
hxxp://emlak.baynuri[.]net/wp-includes/ID3/messg[.]jpg
hxxp://aslike[.]org/templates/beez_20/css/messg[.]jpg
hxxps://sobornarada.gov[.]ua/templates/soborna/css/docx.zip
hxxps://sobornarada.gov[.]ua/templates/soborna/css/slavneft.zakaz.zip
hxxps://sobornarada.gov[.]ua/templates/soborna/css/messg[.]jpg
hxxps://nts-solution[.]net/wp-content/themes/Mobera/img/messg[.]jpg
hxxps://nts-solution[.]net/wp-content/themes/Mobera/img/slavneft.zakaz.zip
hxxp://ilan.baynuri[.]net/.well-known/acme-challenge/messg[.]jpg
hxxp://ilan.baynuri[.]net/.well-known/acme-challenge/slavneft.zakaz.zip
hxxp://rentacar.baynuri[.]net/wp-admin/css/colors/blue/messg[.]jpg
hxxp://rentacar.baynuri[.]net/wp-admin/css/colors/blue/slavneft.zakaz.zip
hxxp://deflektori[.]ru/buyme/i/slavneft.zakaz.zip
hxxp://presse.schmutzki[.]de/.well-known/acme-challenge/messg[.]jpg
hxxp://presse.schmutzki[.]de/.well-known/acme-challenge/slavneft.zakaz.zip

15/02
hxxp://lingvaworld[.]ru/media/system/css/messg[.]jpg
hxxp://3forfree[.]org/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://firstbaptisthackensack[.]org/templates/hexa_corp/cache/messg[.]jpg
hxxp://caringsoul[.]org/includes/messg[.]jpg
hxxp://semiworldwide[.]net/templates/home/html/_mod_search/messg[.]jpg
hxxp://strewn[.]org/reductio/messg[.]jpg


hxxp://www.clermontmasons[.]org/wp-content/backwpup-c60dd-logs/messg[.]jpg
hxxp://efficientlifechurch[.]org/wp-content/plugins/backupcreator/messg[.]jpg
hxxp://www.taoday[.]net/wp-content/themes/twentyten/languages/messg[.]jpg
hxxp://master-of-bitcoin[.]net/.well-known/pki-validation/messg[.]jpg
hxxp://choinkimarkus[.]pl/wp-content/themes/unicon/framework/admin/ReduxCore/assets/css/color-picker/messg[.]jpg
hxxp://thu-san-world-challenges[.]org/wp-includes/ID3/messg[.]jpg
hxxp://na-korable[.]ru/websitemap/messg[.]jpg
hxxp://www[.]caringsoul[.]org/includes/messg[.]jpg
hxxp://stellacosmeticos[.]com/images/M_images/messg[.]jpg
hxxp://caringsoul[.]org/includes/messg[.]jpg
hxxp://semiworldwide[.]net/templates/home/html/_mod_search/messg[.]jpg
hxxp://lingvaworld[.]ru/media/system/css/messg[.]jpg
hxxp://strewn[.]org/reductio/messg[.]jpg
hxxp://firstbaptisthackensack[.]org/templates/hexa_corp/cache/messg[.]jpg
hxxp://3forfree[.]org/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://manhtructhanhtin[.]com/wp-content/themes/flatsome/woocommerce/back-comp/cart/messg[.]jpg
hxxp://alax.nexxtech[.]fr/classes/logs/messg[.]jpg
hxxps://www.panska[.]cz/includes/messg[.]jpg
hxxp://aslike[.]org/templates/beez_20/css/messg[.]jpg
hxxps://www.hiwentis[.]de/wp-content/themes/Anthem/js/messg[.]jpg
hxxp://hiwentis[.]de/wp-content/themes/Anthem/js/messg[.]jpg
hxxp://wcf-old.sibcat[.]info/messg[.]jpg
hxxp://mobshop.schmutzki[.]de/.well-known/acme-challenge/messg[.]jpg
hxxp://p30qom[.]ir/templates/kalaresan/css/messg[.]jpg
hxxp://thorxer[.]de/templates/siteground-j15-85/images/messg[.]jpg
hxxp://northmaint.se/wp-content/themes/Divi/psd/messg[.]jpg
hxxp://mod.sibcat[.]info/messg[.]jpg
hxxp://www.blackout.pub/wp-content/themes/gutenberg/builder/templates/blog/formats/messg[.]jpg
hxxp://blackout.pub/wp-content/themes/gutenberg/builder/templates/blog/formats/messg[.]jpg
hxxp://www.medgen[.]pl/templates/medgen/less/messg[.]jpg
hxxp://medgen[.]pl/templates/medgen/less/messg[.]jpg
hxxp://www.medgen[.]pl/templates/medgen/html/com_content/article/messg[.]jpg
hxxp://medgen[.]pl/templates/medgen/html/com_content/article/messg[.]jpg
hxxp://akiko.izmsystem[.]net/wordpress/wp-admin/css/colors/blue/messg[.]jpg
hxxp://waterfordcomputers.ie/wp-content/themes/WCv15/includes/css/messg[.]jpg
hxxp://comsystem.ch/templates/orange/css/messg[.]jpg
hxxp://dreams-innovations[.]com/wp-content/themes/ecommerce-solution/inc/messg[.]jpg
hxxp://presse.schmutzki[.]de/.well-known/acme-challenge/messg[.]jpg
hxxp://klotho[.]net/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://katharinen-apotheke-braunschweig[.]de/wp-content/themes/zerif-lite/css/messg[.]jpg
hxxp://coptermotion.aero/css/messg[.]jpg
hxxp://usep75[.]fr/wp-content/themes/usep75-2011_/js/messg[.]jpg
hxxp://lam[.]cz/templates/lam/css/messg[.]jpg
hxxp://parrocchiadellannunziata[.]it/cache/_system/messg[.]jpg
hxxp://senital[.]co.uk/templates/a4joomla-ocean-free/js/messg[.]jpg
hxxp://doktech.cba[.]pl/includes/Archive/messg[.]jpg
hxxp://www[.]coptermotion.aero/css/messg[.]jpg
hxxp://www.katharinen-apotheke-braunschweig[.]de/wp-content/themes/zerif-lite/css/messg[.]jpg
hxxp://meble-robert[.]pl/wp-content/themes/septera/cryout/css/messg[.]jpg
hxxp://grenop-invest[.]cz/bin/messg[.]jpg
hxxp://schmutzki[.]de/content/themes/schmutzki-child/img/devices/messg[.]jpg
hxxp://americanstaffordshireterrier[.]it/messg[.]jpg
hxxp://biurorachunkowe24.waw[.]pl/templates/ruralidyll/css/messg[.]jpg
hxxp://lipraco[.]cz/templates/lipraco/css/messg[.]jpg
hxxps://schmutzki[.]de/content/themes/schmutzki-child/img/devices/messg[.]jpg
hxxp://lutnikwitwicki[.]pl/templates/dd_horse_31/inc/messg[.]jpg
hxxp://rivercitylitho[.]com/templates/rt_anacron/css-compiled/messg[.]jpg
hxxp://rivercitylitho[.]com/templates/rt_anacron/custom/messg[.]jpg
hxxp://uborprofit[.]com/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://erataqim[.]com.my/1/wp-admin/css/colors/blue/messg[.]jpg
hxxp://expert-centr[.]com/errordocs/style/messg[.]jpg
hxxp://home-spy-shop[.]com/wp-content/themes/magazine-basic/languages/messg[.]jpg
hxxp://schmutzki[.]de/content/themes/schmutzki-child/lang/messg[.]jpg
hxxp://pausin-fotografie[.]de/wp-content/themes/prophoto5/js/plugins/messg[.]jpg
hxxp://old.vide-crede[.]pl/administrator/cache/messg[.]jpg
hxxp://nkcatering[.]pl/wp-content/themes/vogue/templates/contents/messg[.]jpg
hxxp://berplamon[.]de/wp-content/themes/gridalicious/languages/messg[.]jpg
hxxp://nexxtech[.]fr/interactifs-aceto/messg[.]jpg
hxxp://asztar[.]pl/templates/theme1627/css/messg[.]jpg
hxxp://isolation.nucleus.odns[.]fr/wp-content/languages/plugins/messg[.]jpg
hxxp://brigitte-family[.]com/wp-content/languages/plugins/messg[.]jpg
hxxps://www.re-set[.]fr/wp-content/themes/theme1438/includes/images/messg[.]jpg
hxxps://www.thielepape[.]de/wp-content/themes/fizz/css/messg[.]jpg
hxxp://thielepape[.]de/wp-content/themes/fizz/css/messg[.]jpg
hxxp://immobilien-dresdner-land[.]de/wp-content/themes/fashionistas/css/messg[.]jpg
hxxp://re-set[.]fr/wp-content/themes/theme1438/includes/images/messg[.]jpg
hxxp://agence.nucleus.odns[.]fr/messg[.]jpg
hxxp://e-online[.]fr/templates/protostar/images/system/messg[.]jpg
hxxp://iventix[.]de/logs/messg[.]jpg
hxxp://nexxtech[.]fr/js/views/messg[.]jpg
hxxp://jonathantercero[.]com/wp-content/themes/sonata/admin/assets/css/messg[.]jpg
hxxp://aguimaweb[.]com/wp-content/themes/yes/languages/messg[.]jpg
hxxp://mztm[.]jp/docs/as3/as3corelib/com/adobe/air/logging/messg[.]jpg
hxxp://chuletas[.]fr/templates/ashton/css/messg[.]jpg
hxxp://mztm.sixcore[.]jp/messg[.]jpg
hxxp://mizutama[.]com/css/messg[.]jpg
hxxp://chuletas[.]fr/templates/ashton/html/com_contact/categories/messg[.]jpg
hxxp://quarenta[.]eu/wp-content/languages/loco/plugins/messg[.]jpg
hxxp://www.ijweaver[.]com/wp-content/themes/f2/images/color-schemes/messg[.]jpg
hxxp://brewmethods[.]com/vendor/composer/messg[.]jpg
hxxp://quarenta[.]eu/wp-includes/certificates/messg[.]jpg
hxxp://hopperfinishes[.]com/wp-content/themes/Centum/backend/css/messg[.]jpg
hxxp://www.nexxtech[.]fr/interactifs-aceto/messg[.]jpg
hxxp://therollingshop[.]com/wp-content/themes/therollingshop_v2/css.old/messg[.]jpg
hxxp://nexxtech[.]fr/css/fonts/font-awesome/css/messg[.]jpg
hxxp://www.nexxtech[.]fr/css/fonts/font-awesome/css/messg[.]jpg
hxxp://www.therollingshop[.]com/wp-content/themes/therollingshop_v2/css.old/messg[.]jpg
hxxp://lutnikwitwicki[.]pl/templates/dd_horse_31/language/en-GB/messg[.]jpg
hxxp://balkaniks[.]de/wp-content/ai1wm-backups/messg[.]jpg
hxxp://happysungroup[.]de/wp-includes/ID3/messg[.]jpg
hxxp://www.nexxtech[.]fr/js/views/messg[.]jpg
hxxp://www.immobilien-dresdner-land[.]de/wp-content/themes/fashionistas/css/messg[.]jpg
hxxp://co2services[.]be/templates/widescreen01/css/messg[.]jpg
hxxp://barbarapaliga[.]pl/cgi-bin/messg[.]jpg
hxxp://bobathsi[.]pl/cgi-bin/messg[.]jpg
hxxp://transforma[.]de/wp-content/themes/transforma/_/css/messg[.]jpg
hxxp://osiedle-polna[.]pl/cgi-bin/messg[.]jpg
hxxp://tb.ostroleka[.]pl/templates/siteground12/css/messg[.]jpg
hxxp://app-1536185165.000webhostapp[.]com/wp-content/themes/shapely/languages/messg[.]jpg
hxxp://lbermudez.000webhostapp[.]com/wp-content/themes/shapely/layouts/messg[.]jpg
hxxp://comments.hmmagic[.]com/.well-known/acme-challenge/messg[.]jpg
hxxp://lg4square[.]com/wp-content/themes/churchope/images/messg[.]jpg
hxxp://rosarioalcadaaraujo[.]com/wp-content/languages/loco/themes/messg[.]jpg
hxxp://somelie[.]jp/wp-content/themes/thematic/thematicsamplechildtheme/messg[.]jpg
hxxp://klotho[.]net/web_fonts/messg[.]jpg
hxxp://xavietime[.]com/wp-content/themes/seowp/inc/beacon-helper/messg[.]jpg
hxxp://www.klotho[.]net/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://clubs.hmmagic[.]com/.well-known/acme-challenge/messg[.]jpg
hxxp://somelie[.]jp/wp-content/themes/thematic/library/extensions/messg[.]jpg
hxxp://tunisiagulf[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://aceponline[.]org[.]ng/wp-content/themes/twentyseventeen/template-parts/footer/messg[.]jpg
hxxp://tewsusa[.]co/wp-content/themes/Divi/et-pagebuilder/messg[.]jpg
hxxp://nagoyan.fun/wp-content/themes/jin/_notes/messg[.]jpg
hxxp://kiathongind[.]com.my/wp-content/themes/WCM010013/js/megnor/admin/jscolor/messg[.]jpg
hxxp://www.ri-photo[.]com/wp-content/themes/asteria-lite/css/messg[.]jpg
hxxp://atjtourjogja[.]com/wp-includes/ID3/messg[.]jpg
hxxp://firstdobrasil[.]com.br/templates/rhuk_milkyway/html/messg[.]jpg
hxxp://weblogos[.]org/wp-content/ai1wm-backups/messg[.]jpg
hxxp://helpingpawsrescueinc[.]org/wp-content/gallery/rwerwefrew/thumbs/messg[.]jpg
hxxp://insight-analytica-amir.000webhostapp[.]com/wp-content/themes/shapely/layouts/messg[.]jpg
hxxps://orangeconsultingin.000webhostapp[.]com/wp-content/themes/zerif-lite/images/messg[.]jpg
hxxp://zmastaa[.]com/wp-content/themes/hueman/page-templates/messg[.]jpg
hxxp://thegiddystitcher[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxps://www.anneliesje[.]nl/spul/messg[.]jpg
hxxp://www.zmastaa[.]com/wp-content/themes/hueman/page-templates/messg[.]jpg
hxxp://www.theboltchick[.]com/wp-content/themes/online-marketer/bonus/messg[.]jpg
hxxps://www.lakematheson[.]com/wp-content/themes/lakematheson/fonts/specimen_files/messg[.]jpg
hxxp://maxwatermit2[.]com/templates/phoca_t/fonts/messg[.]jpg
hxxp://hobbysalon-tf[.]com/img_content/_notes/messg[.]jpg
hxxp://codebyshellbot[.]com/ravelry/hp-australia/messg[.]jpg
hxxp://365poker.000webhostapp[.]com/wp-content/themes/shapely/woocommerce/messg[.]jpg
hxxps://aafiyaat[.]com/wp-content/themes/oceanwp/templates/messg[.]jpg
hxxp://www.qlknowledge[.]com/messg[.]jpg
hxxp://staroil[.]info/app/staroil/messg[.]jpg
hxxp://www.lightbox[.]de/wp-content/themes/Extra/scripts/ext/messg[.]jpg
hxxp://withyou2408[.]com/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://bishokukoubou[.]com/test/images/_notes/messg[.]jpg
hxxp://myspaceplanner[.]fr/wp-content/themes/msp/js/messg[.]jpg
hxxp://u-kagawa[.]info/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://xindetrading.000webhostapp[.]com/wp-content/themes/shapely/template-parts/layouts/messg[.]jpg
hxxp://www.lawaaike[.]nl/wordpress/wp-admin/css/colors/blue/messg[.]jpg
hxxp://kensei-kogyo[.]com/wpmain/wp-admin/css/colors/blue/messg[.]jpg
hxxp://bit-com[.]info/bana/_notes/messg[.]jpg
hxxp://rupinasu410[.]com/messg[.]jpg
hxxps://autolikely[.]com/wp-content/themes/Divi/lang/messg[.]jpg
hxxp://www.dixo.se/templates/siteground-j15-34/images/messg[.]jpg
hxxp://orhangencebay.gen.tr/templates/rhuk_milkyway/css/messg[.]jpg
hxxp://caraccessonriesr9[.]com/aewiklm/messg[.]jpg
hxxp://nienkevanhijum[.]nl/wp-content/themes/elastico/includes/postformats/single/messg[.]jpg
hxxps://berkje[.]com/wp-content/themes/berkje/slider/messg[.]jpg
hxxps://www.evansindustries[.]com/wp-content/themes/Sterling/css/messg[.]jpg
hxxps://leeth[.]org/wp-content/themes/satu/assets/css/messg[.]jpg
hxxp://thu-san-world-challenges[.]org/wp-admin/css/colors/blue/messg[.]jpg
hxxps://fayanscimustafa[.]com/wp-content/themes/bridge/plugins/messg[.]jpg
hxxps://aialogisticsltd[.]com/wp-content/themes/erzen/css/messg[.]jpg
hxxp://webonlineshop[.]ml/image/messg[.]jpg
hxxp://lg4square[.]com/wp-content/themes/churchope/css/messg[.]jpg
hxxp://bar-tenderly[.]com/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://ia-planet[.]com/wp-content/themes/Divi/core/admin/css/messg[.]jpg
hxxp://xindetrading.000webhostapp[.]com/wp-content/themes/shapely/woocommerce/messg[.]jpg
hxxp://rosetki.sibcat[.]info/images/banners/messg[.]jpg
hxxp://montolla.tk/templates/bymontolla/js/messg[.]jpg
hxxps://videodiburama[.]com/wp-content/themes/elegantica/copias/messg[.]jpg
hxxp://caferaclete.pt/wp-admin/css/colors/blue/messg[.]jpg
hxxp://raymieszoo[.]com/wp-includes/ID3/messg[.]jpg
hxxp://www.pickledbrain[.]com/wp-content/themes/twentyten/images/headers/messg[.]jpg
hxxp://29061.dcpserver[.]de/cgi-bin/messg[.]jpg
hxxp://changematterscounselling[.]com/templates/changematterscounsellingv2/images/system/messg[.]jpg
hxxp://eviescoolstuff[.]com/wp-includes/ID3/messg[.]jpg
hxxp://www.jillharness[.]com/.logs/messg[.]jpg
hxxp://ankarabeads[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://lokersmkbwi[.]com/wp-content/themes/appointment/css/font-awesome/css/messg[.]jpg
hxxp://ingridandryan[.]com/export/screens/messg[.]jpg
hxxp://sunrise-sprit-enkazu[.]com/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://planetpainter[.]ca/images/messg[.]jpg
hxxp://clareplueckhahn[.]com.au/backup/messg[.]jpg
hxxp://www.ventecservice.no/wp-content/themes/Divi/core/admin/css/messg[.]jpg
hxxps://kwebfun[.]com/wp-content/themes/tm-finance/languages/messg[.]jpg
hxxp://alongthelines[.]com/includes/messg[.]jpg
hxxps://www.insperide[.]nl/wp-admin/css/colors/blue/messg[.]jpg
hxxp://www.sale-petit-bonhomme[.]com/wp-content/themes/twentythirteen/languages/messg[.]jpg
hxxp://www[.]careersatltd[.]com/wp-content/themes/careersat/library/css/messg[.]jpg
hxxp://creativeapparel[.]co.uk/templates/themza_j15_69/js/messg[.]jpg
hxxp://rheniumsolutions[.]co.ke/wp-content/themes/oceanwp/inc/customizer/assets/css/messg[.]jpg
hxxp://morsengthaithai[.]com/cache/_virtuemart/messg[.]jpg
hxxp://djisyam38[.]com/wp-content/themes/total/css/fonts/messg[.]jpg
hxxp://irapak[.]com/wp-content/themes/twentyseventeen/inc/messg[.]jpg
hxxps://musojoe[.]com/wp-content/themes/Divi/css/tinymce-skin/fonts/messg[.]jpg
hxxp://kvintek[.]com/messg[.]jpg
hxxps://taking-technician.000webhostapp[.]com/wp-content/themes/shapely/languages/messg[.]jpg
hxxp://cozynetworks[.]com/templates/innovativelab/src/messg[.]jpg
hxxp://danieljenkins2000.000webhostapp[.]com/wp-content/themes/shapely/layouts/messg[.]jpg
hxxp://super-industries[.]co/wp-includes/ID3/messg[.]jpg
hxxp://supersnacks.rocks/OLD/wp-admin/css/colors/blue/messg[.]jpg
hxxp://jupajubbeauty[.]com/administrator/cache/messg[.]jpg
hxxp://bookle.se/cgi-bin/messg[.]jpg
hxxp://wallpapershd[.]xyz/messg[.]jpg
hxxps://www.shatki[.]info/templates/ld_benew/images/blue/messg[.]jpg
hxxp://rbgrouptech.000webhostapp[.]com/wp-content/themes/shapely/woocommerce/messg[.]jpg
hxxps://psychoactive-mentio.000webhostapp[.]com/wp-content/themes/envo-business/lib/customizer/css/messg[.]jpg
hxxp://mail.optiua[.]com/messg[.]jpg
hxxp://stringletter[.]com/wp-content/themes/oneengine/fonts/messg[.]jpg
hxxp://paewaterfilter[.]com/administrator/cache/messg[.]jpg
hxxp://skincareshopbeauty[.]com/administrator/cache/messg[.]jpg
hxxps://otterloo[.]nl/wp-content/themes/twentyten/images/headers/messg[.]jpg
hxxp://bojacobsen[.]dk/blogs/media/messg[.]jpg
hxxp://maxdvr.000webhostapp[.]com/wp-content/themes/twentyseventeen/inc/messg[.]jpg
hxxp://bundartree.000webhostapp[.]com/wp-content/themes/twentyseventeen/template-parts/footer/messg[.]jpg
hxxps://refurbished.my/vqmodx/install/messg[.]jpg
hxxp://www.basicpartner.no/wp-admin/css/colors/blue/messg[.]jpg
hxxps://wamambotrading[.]com/wp-content/themes/revo/fonts/messg[.]jpg
hxxps://demosthene[.]org/wp-content/themes/Avada/assets/admin/css/messg[.]jpg
hxxp://instaforexmas[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://clarte-thailand[.]com/administrator/cache/messg[.]jpg
hxxp://www.byce[.]nl/wp-content/backups/messg[.]jpg
hxxp://tanecni[.]org/templates/jt005_j25/css/messg[.]jpg
hxxps://spleenjanitors[.]com[.]ng/wp-content/themes/astra/assets/css/minified/compatibility/woocommerce/messg[.]jpg
hxxps://azraglobalnetwork[.]com.my/admin/controller/catalog/messg[.]jpg
hxxp://landing-page1169.000webhostapp[.]com/wp-content/themes/shapely/languages/messg[.]jpg
hxxp://hi-shop[.]ml/sxdcfvgybhunjm/admin/controller/catalog/messg[.]jpg
hxxp://blessedstudiodigital.000webhostapp[.]com/wp-content/themes/shapely/layouts/messg[.]jpg
hxxps://www.pakmedcon[.]com/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://nienkevanhijum[.]nl/wp-content/themes/elastico/js/messg[.]jpg
hxxp://muratto.site/.well-known/pki-validation/messg[.]jpg
hxxps://www.fibeex[.]com/wp-content/themes/businext/components/headers/messg[.]jpg
hxxps://alexis.monville[.]com/htdocs/wp-admin/css/colors/blue/messg[.]jpg
hxxp://indigo-daisy.000webhostapp[.]com/wp-content/themes/twentyseventeen/template-parts/footer/messg[.]jpg
hxxp://stringletter[.]com/wp-content/themes/oneengine/plugins/admin-core/assets/css/vendor/elusive-icons/font/messg[.]jpg
hxxp://latinbeat[.]com/wp-content/themes/streamline_30/images/psds/messg[.]jpg
hxxp://nn-webdesign[.]be/templates/rt_terrantribune_j15/js/messg[.]jpg
hxxp://250land.000webhostapp[.]com/wp-content/themes/shapely/template-parts/layouts/messg[.]jpg
hxxp://mock.fpdev[.]xyz/ee/assets/css/messg[.]jpg
hxxp://tekanova[.]com/templates/templategeo_26/css/messg[.]jpg
hxxp://speak-and-translate[.]com/errordocs/style/messg[.]jpg
hxxps://digituote.fi/wp-content/themes/masonic/css/admin/messg[.]jpg
hxxp://market.optiua[.]com/catalog/controller/account/messg[.]jpg
hxxps://peinture-marseille[.]com/wp-includes/IXR/messg[.]jpg
hxxp://stradious[.]com/wp-includes/ID3/messg[.]jpg
hxxp://hi-shop[.]ml/sxdcfvgybhunjm5/admin/controller/catalog/messg[.]jpg
hxxp://d-fannet[.]com/doc_image/messg[.]jpg
hxxp://duttonandsherman[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://kerusiinovasi[.]com/wp-includes/ID3/messg[.]jpg
hxxps://iphonedelivery[.]com/system/config/messg[.]jpg
hxxp://bienhieutrongnha[.]com/forum/cache/messg[.]jpg
hxxps://alfaqihuddin[.]com/forum/cache/messg[.]jpg
hxxps://madrascrackers[.]com/wp-content/themes/tyche/woocommerce/global/messg[.]jpg
hxxp://posadaelnogal.000webhostapp[.]com/wp-content/themes/shapely/template-parts/layouts/messg[.]jpg
hxxp://www.qlcalendar[.]com/messg[.]jpg
hxxp://good-deal[.]ml/image/cache/catalog/404/messg[.]jpg
hxxp://tree.sibcat[.]info/images/full/messg[.]jpg
hxxp://joinjohndoeit.000webhostapp[.]com/wp-content/themes/shapely/inc/custom-controls/messg[.]jpg
hxxp://tontonfilms[.]com/wp-content/themes/garnish/admin/css/messg[.]jpg
hxxps://motelfortpierce[.]com/wp-content/themes/Divi/et-pagebuilder/messg[.]jpg
hxxps://the-bombay-summit.000webhostapp[.]com/wp-content/themes/llorix-one-lite/css/messg[.]jpg
hxxp://robjunior[.]com/wp-content/themes/rob/projects/messg[.]jpg
hxxp://sacredheartwinnetka[.]com/wp-content/themes/Aggregate/sampledata/sample_images/messg[.]jpg
hxxp://dev[.]europeanexperts[.]com/wp-content/cache/minify/messg[.]jpg
hxxp://dev01[.]europeanexperts[.]com/.well-known/pki-validation/messg[.]jpg
hxxp://hanuram[.]net/messg[.]jpg
hxxp://dawgpoundinc[.]com/templates/yoo_level/html/com_contact/category/messg[.]jpg
hxxps://myboysand.me/wp-content/ai1wm-backups/messg[.]jpg
hxxp://www.scotts-grotto[.]org/packages/asmiller_gallery/blocks/asmiller_gallery/templates/default/messg[.]jpg
hxxps://kasutwakai[.]com/admin/controller/catalog/messg[.]jpg
hxxps://the-bombay-summit.000webhostapp[.]com/wp-content/themes/llorix-one-lite/fonts/messg[.]jpg
hxxp://stonescrossing[.]com/wp-content/themes/stones-crossing/assets/css/messg[.]jpg
hxxps://kokoon[.]co.uk/wp-content/themes/kokoon/css/fonts/bebasneue/messg[.]jpg
hxxp://hugomaia[.]com/templates/agitato/images/messg[.]jpg
hxxp://3dpers[.]com/messg[.]jpg
hxxp://fupu[.]org/converter/messg[.]jpg
hxxp://mentoringjagojualan[.]com/site/cache/messg[.]jpg
hxxps://srikrungdd[.]com/wp-content/themes/buuEasyShop/languages/messg[.]jpg
hxxps://kobac-yokohama01[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxps://ericotv[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxps://kobac-suzuka[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://citylawab[.]com/wp-content/themes/envo-business/lib/customizer/css/messg[.]jpg
hxxps://anket.kalthefest[.]org/messg[.]jpg
hxxps://chancesaffiliates[.]com/wp-content/themes/Impreza/config/messg[.]jpg
hxxps://smile-kobac[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://ecchionline[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://ikuhentai[.]net/cgi-bin/messg[.]jpg
hxxp://vps200999.vps.ovh[.]ca/messg[.]jpg
hxxps://bits-kenya[.]com/wp-content/themes/twentyseventeen/template-parts/footer/messg[.]jpg
hxxps://kobac-hita[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://bakita.life/wp-admin/css/colors/blue/messg[.]jpg
hxxps://enjoy-kobac[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxps://drjoshihospital[.]com/wp-content/themes/i-excel/inc/css/messg[.]jpg
hxxp://morganbits[.]com/.well-known/acme-challenge/messg[.]jpg
hxxp://muapromotion[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://rarejewelry[.]net/.well-known/acme-challenge/messg[.]jpg
hxxp://blockchainhowtouse[.]com/wp-content/themes/ashe/languages/messg[.]jpg
hxxp://kobac-namerikawa01[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://yurayura.life/wp-admin/css/colors/blue/messg[.]jpg
hxxp://acm.ee/wp-content/themes/acm/fonts/Nexa_Bold/fonts/messg[.]jpg
hxxp://rocksolidstickers[.]com/wp-includes/ID3/messg[.]jpg
hxxp://kobac-takayama[.]com/wp-admin/css/colors/blue/messg[.]jpg
hxxp://manoulaland[.]com/wp-content/themes/sydney/plugins/messg[.]jpg
hxxp://ghetto-royale[.]com/wp-content/themes/astra/languages/messg[.]jpg


Hashes
11/02
231cd1b166a79d458de0a200fd8f5acdc36e612df4c76f3945570f767154f968 (.zip)
e0c588622525e816be4f308d8543eac50e5aeed1562a9cd0e6d97c7d8af4a5b1 (.js)
d7b9facf6a9d331a8a15b27d10148da869b094807dd6550aa87f7e45dc88b9f9 (.exe)

13/02
32007b1893001dc8cd8e2da7450334bb3b25d4abfa935f4bcf3246236f396d11 (.zip)
8bebd1b8d74da26dfd38d0a23545d555a5cc1e1d5af23efbc768ce9d28dae4f4 (.js)
bf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb (.exe)

14/02
1c06b518a94ad6db106d7d31626f2a7c80bd03f0dcd6d0bc450ffac1750cdf79 (.exe)

15/02
da1ee26f049d12590348e854be6cd9fab099a0742956ba1a44f639f24a2bee72 (.exe)

OTHER
404ae50b0e1bce4b8421cc654b54591fcc84edd600c76e1a2dda1e0653a6cfe9
c9d9a1cfd64026e12cd211228bcb1476e5da60cfcf1af9498e9c058efa7b7e0e
97f002b5bad5077e8a8e08acf73c4815d4cbaac17979e5595f5785aeede8508a
b836f6973a97e0ad8bd02e32f63bab39f6cbed38db932dbd4a12937f7194fbb4
a8c452946e291216b7bba41b8e7f9a3eb5ee9178c9559e4b5017ed832d90b94f
ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
fa54c4e34732b611921820be56dd690a4de98285828e4be487b904679a855a92
b5b5819045a5a0a18208e3f5fac3b7b7e0733fb958001c1dfb3413e2a9b86650
ecbe8ab4a1d08eac6a0cab99ace3e0eb6a37a9834e2996c208cdf91b351ff022
c9de2c3c7f3b14de2877154ad63fb2a10fdad23ed1e56b02d1960dda0f8d9ac3
dfaa49c45c94ed1e0f333bf36aba29b525ceaa7ccb8be1928a16c579e2de4706
2d2d96c90922dd755b9302dac058083a26c5ea7ff83e4cc60e4632ec7ff6d509
6072ef4d17f6bdc3bc0a659bcdac8a17dcd857e973babffc67f5af417d539919



Email
pilotpilot088 @ gmail.com

URL
hxxp:// cryptsen7fo43rr6[.onion/
hxxp:// cryptsen7fo43rr6[.onion.to/
hxxp:// cryptsen7fo43rr6[.onion.cab/
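The URL list above is published defanged (hxxp://, [.] and, for the onion addresses, a stray space and an unbalanced “[.”), so it cannot be dropped into a proxy blocklist as-is. The following Python is an added example, not code from the report: it refangs the indicators, tolerates the date headers, builds exact-URL and host sets, and runs a handful of constructed proxy log lines (a made-up “epoch client method url status” format) against them. The sample indicators are a few entries copied from the list above; the full list can be pasted in unchanged.

```python
import re
from urllib.parse import urlsplit


def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.]) back into a usable URL."""
    s = ioc.strip()
    # "hxxp:// host" with a stray space appears in the report's onion URLs
    s = re.sub(r"^hxxp(s?)://\s*", r"http\1://", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".")
    s = s.replace("[.", ".")  # unbalanced "[.onion" form used in the report
    return s


def load_iocs(lines):
    """Build exact-URL and host sets; date headers and blank lines are skipped."""
    urls, hosts = set(), set()
    for line in lines:
        if not line.strip().lower().startswith("hxxp"):
            continue
        url = refang(line)
        urls.add(url.lower())
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return urls, hosts


def match_proxy_log(log_lines, urls, hosts):
    """Return (client, url, match_kind) for each log line that hits an IoC."""
    hits = []
    for line in log_lines:
        # constructed format: "<epoch> <client-ip> <method> <url> <status>"
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        host = urlsplit(url).hostname
        if url.lower() in urls:
            hits.append((fields[1], url, "exact-url"))
        elif host in hosts:
            # same compromised host, different path: worth a look, lower confidence
            hits.append((fields[1], url, "host"))
    return hits


# A few entries copied from the report's IoC list, date header included.
SAMPLE_IOCS = """
11/02
hxxp://projectmmo[.]ru/blog/slavneft.zakaz.zip
hxxp://coptermotion[.]aero/css/messg[.]jpg
hxxp://www[.]coptermotion[.]aero/css/messg[.]jpg
hxxps://sobornarada.gov[.]ua/templates/soborna/css/slavneft.zakaz.zip
hxxp:// cryptsen7fo43rr6[.onion/
""".splitlines()

# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = [
    "1550000000.123 10.0.0.5 GET http://coptermotion.aero/css/messg.jpg 200",
    "1550000001.456 10.0.0.7 GET http://www.coptermotion.aero/about.html 200",
    "1550000002.789 10.0.0.9 GET http://example.org/index.html 200",
    "1550000003.001 10.0.0.5 GET https://sobornarada.gov.ua/templates/soborna/css/slavneft.zakaz.zip 200",
]


def run_sample():
    """Load the sample indicators and match the sample log against them."""
    urls, hosts = load_iocs(SAMPLE_IOCS)
    return match_proxy_log(SAMPLE_LOG, urls, hosts)


if __name__ == "__main__":
    for client, url, kind in run_sample():
        print(f"{kind:9} {client:10} {url}")
```

Exact-URL hits point at the actual payload fetch (messg.jpg or the zip), while host-only hits flag other traffic to a site the campaign compromised; since the listed sites are legitimate but compromised, the second kind is a lead to investigate rather than something to block outright.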

Yara Rule

import "pe"

rule Shade_Ransomware_18_02_2019 {

    meta:
        description = "Yara Rule for Shade_Ransomware"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_18"
        tlp = "white"
        category = "informational"

    strings:
        $a = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
        $b = {55 8B EC 81 EC E0 04 00 00 C7 45 F0 02 00 00 00 C6 85 B6 FE}
        $c = {58 00 00 0F 85 2C FF FF FF EB 00 6A 03 6A}
        $d = {58 00 ?C 5? 58 00 ?0 5? 58 00 ?4 5? 58 00 ?8}

    condition:
        pe.number_of_sections == 3 and pe.machine == pe.MACHINE_I386 and all of them
}

This blog post was authored by Antonio Farina, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB