Saturday, December 14, 2024
HomeComputer SecurityTroldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Published on

SIEM as a Service

Troldesh Ransomware emerges again and spreads all over the world. The crypto-ransomware variant was created in Russia, the previous variant of the ransomware encrypts the files and appends “.xtbl” extension whereas the new variant adds “.no_more_ransom” extension.

Quick heal labs observed the ransomware is distributed by threat actors through RDP Brute-force Attack, Spam and phishing emails and Exploit Kits.

Threat actors targeting the RDP default port 3389 and launches a Brute-force Attack to obtain login credentials, if the attacker’s gains control over the system they directly execute the payload on the victims.

- Advertisement - SIEM as a Service

Another method is through spam or phishing emails that download the macro embedded word document or the payload itself directly.

Troldesh Ransomware Infection Process

Once the malicious payload file executed it copies itself to the location “ AppData\Roaming\ “ and deletes the downloaded file and executes the copy of the payload from the AppData location.

The payload executes and launch a scheduled task and creates a task in name Encrypter and it has been scheduled to run every 1 minute, with a wait time of 1 hour and execution limit time limit of 72 hours.

“C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /TN Encrypter /TR
C:\Users\user_name\AppData\Roaming\info.exe

Quick Heal also spotted that the malicious payload also contains an Anti-debugging identifier to check that it is running under the control of a debugger.

Once the malicious payload gets executed it encrypts the file present in the system and appends “.no_more_ransom” extension and shows the following ransom note.

Troldesh Ransomware

In the second quarter of 2018 and the ransomware returns back with new versions of  GandCrabSigma, and GlobeImposter campaigns.

Cyber threats such as ransomware main task are to infect your computer and lock your files and Demand the ransom amount. Scan all your emails for malicious links, content, attachment and Segregate the physical and logical network to minimize the infection vector.

Also Read

Organization Cyber Disaster Recovery Plan Checklist

Best Way to Accelerate and Secure Your Website From Top Common Web Threats

Simple and Best Ways to Protect Your Windows Computer From Cyber Attack

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

Mauri Ransomware Leverages Apache ActiveMQ Vulnerability to Deploy CoinMiners

The Apache ActiveMQ server is vulnerable to remote code execution (CVE-2023-46604), where attackers can...

Black Basta Ransomware Leverages Microsoft Teams To Deliver Malicious Payloads

In a resurgence since May 2024, the Black Basta ransomware campaign has exhibited a...