<h1>Troldesh Ransomware Dropper</h1>

<p>Published 2019-08-21 on <a href="https://blog.cyberconservices.com/index.php/2019/08/21/troldesh-ransomware-dropper/">blog.cyberconservices.com</a> (category: ransomware), summarizing a Security Boulevard post.</p>

<p>By <a href="https://securityboulevard.com/author/luke-leal/">Luke Leal</a> &#8211; Over the past few weeks, we’ve seen an increase in Troldesh <strong>ransomware</strong> using compromised websites as intermediary malware distributors.</p>

<p>The infection chain often starts with a PHP file planted on the compromised site. That PHP file is only a delivery tool: when its URL is requested, it serves the host <a href="https://en.wikipedia.org/wiki/Dropper_(malware)">malware dropper</a> to the visitor. Links to this type of infected URL are usually spread through malicious emails or through services like social media.</p>

<figure class="wp-block-image size-large"><img decoding="async" src="http://www.cyberconservices.com/wp-content/uploads/2019/08/ransomware-windows-file-system.png" alt="" class="wp-image-31828"/></figure>

<p>Once a victim clicks the URL and loads it, a <a href="https://en.wikipedia.org/wiki/JScript">JScript</a> file downloads to the victim’s computer. The dropper targets Windows, where a <em>.js</em> file is associated with the Windows Script Host (wscript.exe) by default, so opening the downloaded file executes the script rather than displaying it. The file seen in this campaign was named:</p>

<p><em>./Подробности заказа ОАО Авиакомпания Уральские авиалинии.js</em></p>

<p>The JScript filename is written in Russian and translates to “Details of the order of JSC Airline Ural Airlines”, indicating that the attackers may have been spoofing this airline to trick victims into opening the file. <a href="https://securityboulevard.com/2019/08/troldesh-ransomware-dropper/">Read on at Security Boulevard.</a></p>
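<p>The post describes the last step of the chain from the victim's side: a downloaded <em>.js</em> lure with a localized name is opened and the Windows Script Host runs it. The following is an added detection example, written for this page and not code from the original post or from Sucuri/Security Boulevard. It scans process-creation records for wscript.exe or cscript.exe executing a script from a download or temp folder, optionally with a double extension or launched from Explorer (a user double-click). The record layout (<code>Image|ParentImage|CommandLine</code>) and the sample events are constructed for the example and only imitate Sysmon Event ID 1 fields; the folder list and the "non-WSH parent" heuristic are assumptions a team would tune to its own environment.</p>

```python
"""Flag Windows Script Host (wscript.exe / cscript.exe) executing a script
from a user-writable download location, the way a downloaded JScript
dropper runs after a double-click.

The log records below are constructed for this example. Their layout
imitates a process-creation event (Sysmon Event ID 1 style fields) but is
a simplified, hypothetical format, not any real product's output.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|wsf|vbs|vbe)$", re.IGNORECASE)
# Folders where a browser or mail client typically lands a downloaded file.
# Assumption for this example; extend for your own environment.
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\desktop\\")

# Constructed sample events: Image|ParentImage|CommandLine
SAMPLE_EVENTS = [
    # Lure from the post, opened from the Downloads folder via Explorer.
    r'C:\Windows\System32\wscript.exe|C:\Windows\explorer.exe|'
    r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\Downloads\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js"',
    # Benign admin script run from a fixed path under cmd.exe.
    r'C:\Windows\System32\cscript.exe|C:\Windows\System32\cmd.exe|'
    r'cscript.exe //nologo C:\Scripts\inventory.vbs',
    # Not a script host at all.
    r'C:\Program Files\Mozilla Firefox\firefox.exe|C:\Windows\explorer.exe|'
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" http://example.invalid/',
    # Double-extension lure executed from the user's temp folder.
    r'C:\Windows\System32\wscript.exe|C:\Windows\explorer.exe|'
    r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\invoice.pdf.js"',
]


@dataclass
class Alert:
    image: str
    parent: str
    script: str
    reasons: list[str]


def script_path_from_cmdline(cmdline: str) -> str | None:
    """Return the script argument of a WSH command line, if any.

    Handles both quoted paths (which may contain spaces, as the Russian
    lure name does) and bare tokens such as C:\\Scripts\\x.vbs.
    """
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        value = quoted or bare
        if SCRIPT_EXT_RE.search(value):
            return value
    return None


def analyze_event(record: str) -> Alert | None:
    """Return an Alert when a WSH process runs a script that looks like a lure."""
    image, parent, cmdline = record.split("|", 2)
    if ntpath.basename(image).lower() not in WSH_HOSTS:
        return None
    script = script_path_from_cmdline(cmdline)
    if script is None:
        return None

    reasons: list[str] = []
    lowered = script.lower()
    if any(folder in lowered for folder in DOWNLOAD_DIRS):
        reasons.append("script executed from a download/temp location")
    # "invoice.pdf.js" hides the real type behind a document extension.
    if ntpath.basename(script).lower().count(".") > 1:
        reasons.append("double extension hides the script type")
    # Explorer as parent means a user opened the file by double-clicking.
    if ntpath.basename(parent).lower() == "explorer.exe":
        reasons.append("launched from Explorer (user double-click)")
    return Alert(image, parent, script, reasons) if reasons else None


def scan(events: list[str]) -> list[Alert]:
    """Run analyze_event over a batch of records and keep only the alerts."""
    return [alert for alert in map(analyze_event, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(ntpath.basename(alert.script), "->", "; ".join(alert.reasons))
```

<p>Run as-is, the scan flags the two lure executions (the Russian-named <em>.js</em> from Downloads and the double-extension file from Temp) and ignores the scheduled <em>.vbs</em> under cmd.exe and the browser launch. In production the same logic sits over Sysmon or EDR process-creation telemetry; the folder list and the parent-process heuristic are the parts that need tuning, since administrative scripts legitimately run under cscript.exe from fixed paths.</p>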