WordPress and Joomla are among the most popular content management systems (CMSs), which also makes them popular with malicious actors: cybercriminals compromise sites on these platforms to inject malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The best-known threats to CMS sites stem from vulnerabilities introduced by plugins, themes, and extensions.

In this blog, we focus on the Shade/Troldesh ransomware and phishing pages that we detected last month on several hundred compromised CMS sites. Shade ransomware has been quite active in the wild, and we have seen a number of compromised WordPress and Joomla sites being used to spread it.

The compromised WordPress sites we have seen run versions 4.8.9 to 5.1.1 and use SSL/TLS certificates obtained through HTTP-based domain validation: either the Automatic Certificate Management Environment (ACME) protocol, as used by Let’s Encrypt, or a CA’s own file-based validation, as used by GlobalSign, cPanel AutoSSL, and DigiCert, among others. The WordPress version is not necessarily the entry point; outdated plugins, themes, or server-side software on these sites could equally be the reason for the compromise.





Fig 1: Shade and phishing hits on detected CMS sites

During the past month, Shade ransomware payloads accounted for 13.6 percent and phishing pages for 27.6 percent of the transactions our cloud blocked on compromised WordPress and Joomla sites; the remaining blocks were coinminers, adware, and malicious redirectors.

We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers favor a well-known hidden directory present on HTTPS websites for storing and distributing Shade ransomware and phishing pages.

The hidden /.well-known/ directory is the URI prefix for “well-known locations” defined by the IETF (RFC 5785, now RFC 8615) and is commonly used to demonstrate control of a domain. Administrators of HTTPS websites that obtain certificates through HTTP-based domain validation place a unique token inside /.well-known/acme-challenge/ (the ACME HTTP-01 challenge used by Let’s Encrypt) or /.well-known/pki-validation/ (the file-based validation used by several commercial CAs and by cPanel AutoSSL) to show the certificate authority (CA) that they control the domain. The CA supplies a specific token or text value that must be served as a plain file from that directory; the CA then fetches it over HTTP and issues the certificate only if the expected value comes back.



The attackers use these locations to hide malware and phishing pages from the site administrators. The tactic is effective because the directory is already present on most HTTPS sites and is easy to overlook: its name begins with a dot, so default directory listings and many file managers do not show it, and hardening rules that deny access to dot-files usually carve out an exception for /.well-known/ so that certificate renewal keeps working. The content is therefore invisible to the administrator yet reachable by victims, which increases the lifetime of the malicious/phishing content on the compromised site.

The different types of threats that we found under the hidden directory in the past month are shown in the image below.

Fig 2: Threats in hidden directory

Fig 3: Shade ransomware vs. phishing pages in the hidden directory

Case I: Shade/Troldesh ransomware under the hidden directory



The graph below shows the Shade/Troldesh ransomware under the hidden directory that we detected last month.





Fig 4: Shade/Troldesh ransomware hits over one month

In the case of Shade/Troldesh ransomware, every compromised site hosts three kinds of files: HTML redirectors, ZIP archives, and Windows executables served with a .jpg extension, as shown below.

Fig 5: Shade in hidden SSL validation directory

inst.htm and thn.htm are HTML files that redirect the browser to download the ZIP files.

reso.zip, rolf.zip, and stroi-invest.zip are ZIP archives, each containing the JavaScript downloader.

msg.jpg and msges.jpg are the Shade ransomware executables, served with a .jpg extension.
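These file types are exactly what an audit of the validation directory should catch, and the .jpg disguise means the check has to look at content, not extension. The following Python is an added example, not part of the original post or any CA’s tooling: it walks /.well-known/ under a web root, classifies each file by its leading bytes, and reports anything that is not a plain-text validation token (an extension-less ACME token or a <hash>.txt file). The sample tree it builds (the token name, the hash file, and the msg.jpg/reso.zip/inst.htm stand-ins with their contents) is constructed for the example.

```python
import os
import re
import tempfile

# Legitimate validation files are extension-less ACME tokens (HTTP-01 serves the
# key authorization at /.well-known/acme-challenge/<token>) or the <hash>.txt
# files that CA-specific file validation expects under /.well-known/pki-validation/.
LEGIT_NAME = re.compile(r"^[A-Za-z0-9_-]{16,}(\.txt)?$")

# Leading bytes of the file types found on the compromised sites.
MAGIC = [
    (b"MZ", "exe"),          # Windows PE, served with a .jpg name by Shade
    (b"PK\x03\x04", "zip"),  # ZIP wrapping the JavaScript downloader
]
HTML_START = re.compile(rb"^\s*<(!doctype|html|head|script|meta)", re.I)


def sniff(path):
    """Classify a file by its content, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    if HTML_START.match(head):
        return "html"
    return "text"


def audit_well_known(webroot):
    """Return {relative_path: reason} for every file under .well-known that is
    not a plain-text validation token."""
    findings = {}
    base = os.path.join(webroot, ".well-known")
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            kind = sniff(full)
            ext = os.path.splitext(name)[1] or "none"
            if kind != "text":
                findings[rel] = f"{kind} content (extension says {ext})"
            elif not LEGIT_NAME.match(name):
                findings[rel] = "name does not look like a validation token"
    return findings


def build_sample_webroot():
    """Constructed sample tree: two genuine-looking tokens plus the three Shade
    file types from the post. Names and contents are made up for the example."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sample = {
        ".well-known/acme-challenge/" + "a1B2c3D4" * 5 + "xyz": b"made-up-token.made-up-thumbprint",
        ".well-known/pki-validation/" + "0123456789abcdef" * 2 + ".txt": b"made-up-dcv-hash\ncomodoca.com\n",
        ".well-known/acme-challenge/msg.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        ".well-known/acme-challenge/reso.zip": b"PK\x03\x04" + b"\x00" * 60,
        ".well-known/pki-validation/inst.htm": b'<html><meta http-equiv="refresh" content="0;url=reso.zip"></html>',
    }
    for rel, content in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in sorted(audit_well_known(build_sample_webroot()).items()):
        print(f"{path}: {reason}")
```

Run against a real web root, the same function flags any executable, archive, or HTML page sitting where only short-lived text tokens belong; a legitimate ACME token that has not been cleaned up is left alone.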

Fig 6: Shade Infection chain

Troldesh is typically spread by malspam carrying either a ZIP attachment or a link to an HTML redirector page that downloads the ZIP file. The malspam pretends to be an order update from a Russian organization. An example email containing a link to the HTML redirector is shown below.





Fig 7: Malspam email



Fig 8: Redirector to download ZIP

The ZIP file contains only a JavaScript file with a Russian name. The JavaScript is heavily obfuscated; its encrypted strings are decrypted at runtime by the function shown below.





Fig 9: Decryption function

After decryption, the JavaScript has the functionality shown below: it tries to connect to one of two hardcoded URLs, downloads the payload into %TEMP%, and executes it.





Fig 10: Simplified JavaScript code

The downloaded payload is a new variant of Shade/Troldesh ransomware, a family that has been around since 2014. It has two layers of packing: a custom packer and UPX. After unpacking, it stores its configuration under “HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration”.





Fig 11: Shade configuration

xcnt = Count of encrypted files

xi = ID of infected machine

xpk = RSA public key for encryption

xVersion = Version of current Shade ransomware

The command-and-control (C&C) server is a4ad4ip2xzclh6fd[.]onion; the ransomware drops a Tor client into %TEMP% to reach it. For each file, the content and the file name are encrypted separately with AES-256 in CBC mode, using two different keys. After encryption, the file is renamed to BASE64(AES(file_name)).<ID of infected machine>.crypted000007.

Fig 12: Encrypted files

It drops a copy of itself as %ProgramData%\Windows\csrss.exe and creates a Run key entry named “BurnAware” for that copy. It drops README1.txt through README10.txt on the desktop and changes the wallpaper as shown below.





Fig 13: Shade wallpaper

The README files contain the ransom note in both Russian and English.

Fig 14: Shade ransom note

Fig 15: Zscaler sandbox report for Shade/Troldesh ransomware
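The renaming scheme and the persistence artifacts described above are enough to build a small triage helper. The Python below is an added example, not Zscaler’s code or anything from the sample itself: it recognises Shade’s encrypted file names (BASE64(AES(file_name)).ID.crypted000007), using the fact that AES-CBC ciphertext is always a whole number of 16-byte blocks to separate genuine renames from files that merely carry the extension, counts the README1.txt to README10.txt notes, and checks Run-key entries for the csrss.exe copy and the BurnAware value. The file listing and Run entries are constructed; the victim IDs are made up, and the check for a csrss.exe anywhere outside System32 is a generalization beyond this one sample.

```python
import base64
import re

CRYPTED_EXT = "crypted000007"
# Encrypted names have the form BASE64(AES(file_name)).<machine ID>.crypted000007.
CRYPTED_NAME = re.compile(
    r"^(?P<blob>[A-Za-z0-9+/]+={0,2})\.(?P<victim>[A-Za-z0-9]+)\.crypted000007$"
)
RANSOM_NOTE = re.compile(r"^README(?:[1-9]|10)\.txt$", re.I)


def parse_crypted_name(name):
    """Return (victim_id, ciphertext_length) if `name` fits the Shade scheme.

    The base64 blob must decode to a non-empty multiple of 16 bytes, because
    AES-CBC output is block aligned; this rejects files that only carry the
    extension (a decoy, or something renamed by hand)."""
    m = CRYPTED_NAME.match(name)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group("blob"), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if not blob or len(blob) % 16:
        return None
    return m.group("victim"), len(blob)


def summarize_listing(names):
    """Group genuine encrypted names by victim ID, collect malformed ones,
    and count ransom notes."""
    by_victim, malformed, notes = {}, [], 0
    for name in names:
        if RANSOM_NOTE.match(name):
            notes += 1
            continue
        if not name.endswith("." + CRYPTED_EXT):
            continue
        parsed = parse_crypted_name(name)
        if parsed is None:
            malformed.append(name)
        else:
            by_victim[parsed[0]] = by_victim.get(parsed[0], 0) + 1
    return by_victim, malformed, notes


def check_persistence(run_entries):
    """Flag Run-key entries that fit the Shade pattern.

    `run_entries` maps value name -> command line as exported from
    HKLM or HKCU ...\\CurrentVersion\\Run. A csrss.exe living anywhere other
    than %SystemRoot%\\System32 is the generic check; the value name
    'BurnAware' is the specific one from this sample."""
    hits = []
    for value, command in run_entries.items():
        cmd = command.strip()
        image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        image = image.lower()
        reasons = []
        if image.endswith("\\csrss.exe") and "\\windows\\system32\\" not in image:
            reasons.append("csrss.exe outside System32")
        if value.lower() == "burnaware":
            reasons.append("Run value named BurnAware")
        if reasons:
            hits.append((value, command, reasons))
    return hits


# Constructed inputs (not from a real infection): three well-formed names for
# two victims, one hand-renamed file, one blob of 20 bytes that cannot be
# AES-CBC output, two ransom notes and an untouched file.
SAMPLE_LISTING = [
    base64.b64encode(b"\x11" * 32).decode() + ".A1B2C3D4E5F6.crypted000007",
    base64.b64encode(b"\x22" * 16).decode() + ".A1B2C3D4E5F6.crypted000007",
    base64.b64encode(b"\x33" * 48).decode() + ".FFEEDDCCBBAA.crypted000007",
    "annual report.docx.crypted000007",
    base64.b64encode(b"\x44" * 20).decode() + ".A1B2C3D4E5F6.crypted000007",
    "README1.txt",
    "README10.txt",
    "budget.xlsx",
]
SAMPLE_RUN = {
    "BurnAware": r"C:\ProgramData\Windows\csrss.exe",
    "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    print(summarize_listing(SAMPLE_LISTING))
    print(check_persistence(SAMPLE_RUN))
```

The victim ID extracted from the file names is the same value the sample stores as xi in its registry configuration, so a listing from a file share can be tied back to the host that encrypted it.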

Case II: Phishing pages under the hidden directory



The graph below shows the different types of phishing pages under the hidden directory that we detected last month.





Fig 16: Phishing hits over one month

The phishing pages we have seen so far, hosted under these certificate-validation directories, impersonate Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and others.





Fig 17: OneDrive phishing page

Fig 18: Yahoo phishing page

Fig 19: DHL phishing page

IOCs:

aioshipping[.]com/.well-known/acme-challenge/msg.jpg

yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf

rangtrangxinh[.]vn/.well-known/acme-challenge/msg.jpg

judge[.]education/.well-known/pki-validation/ssj.jpg

hoadaklak[.]com/.well-known/acme-challenge/ssj.jpg

nguyenlinh[.]vn/.well-known/acme-challenge/msg.jpg

rdsis[.]in/.well-known/pki-validation/msg.jpg

khanlanhdaklak[.]com/.well-known/acme-challenge/ssj.jpg

presse[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg

aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg

yourcurrencyrates[.]com:80/.well-known/pki-validation/mxr.pdf

vinhomeshalongxanh[.]xyz:80/.well-known/pki-validation/ssj.jpg

titusrealestate[.]com.fj:80/.well-known/pki-validation/msg.jpg

dichvucong[.]vn:80/.well-known/acme-challenge/msg.jpg

myphamnarguerite[.]com:80/.well-known/acme-challenge/mxr.pdf

minifyurl[.]net:80/.well-known/pki-validation/mxr.pdf

judge[.]education:80/.well-known/pki-validation/ssj.jpg

minifyurl[.]net/.well-known/pki-validation/mxr.pdf

neccotweethearts[.]com:80/.well-known/pki-validation/mxr.pdf

backuptest[.]tomward.org.uk:80/.well-known/pki-validation/ssj.jpg

mobshop[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg

neccotweethearts[.]com/.well-known/pki-validation/mxr.pdf

myphamnarguerite[.]com/.well-known/acme-challenge/mxr.pdf

khanlanhdaklak[.]com:80/.well-known/acme-challenge/ssj.jpg

presse[.]schmutzki.de/.well-known/acme-challenge/messg.jpg

mobshop[.]schmutzki.de/.well-known/acme-challenge/messg.jpg

globalkabar[.]com/.well-known/pki-validation/sserv.jpg

ereservices[.]com:80/.well-known/pki-validation/ssj.jpg

dulichvietlao[.]vn:80/.well-known/acme-challenge/ssj.jpg

backuptest[.]tomward.org.uk/.well-known/pki-validation/ssj.jpg

mamycloth[.]store:80/.well-known/acme-challenge/msg.jpg

business[.]driverclub.co:80/.well-known/pki-validation/msg.jpg

vinhomeshalongxanh[.]xyz/.well-known/pki-validation/ssj.jpg

dichvucong[.]vn/.well-known/acme-challenge/msg.jpg

thuducland[.]net/.well-known/acme-challenge/sserv.jpg

sahabathasyim[.]com/.well-known/acme-challenge/sserv.jpg

rangtrangxinh[.]vn:80/.well-known/acme-challenge/msg.jpg

lovecookingshop[.]com:80/.well-known/pki-validation/ssj.jpg

ereservices[.]com/.well-known/pki-validation/ssj.jpg

hoadaklak[.]com:80/.well-known/acme-challenge/ssj.jpg

ceroshop[.]net/.well-known/acme-challenge/nba1.jpg

thuducland[.]net:80/.well-known/acme-challenge/sserv.jpg

lovecookingshop[.]com/.well-known/pki-validation/ssj.jpg

entrenadorpersonalterrassa[.]com.es:80/.well-known/acme-challenge/mxr.pdf

epifaniacr[.]net:80/.well-known/pki-validation/ssj.jpg

titusrealestate[.]com.fj/.well-known/pki-validation/msg.jpg

globalkabar[.]com:80/.well-known/pki-validation/sserv.jpg

sahabathasyim[.]com:80/.well-known/acme-challenge/sserv.jpg

dulichvietlao[.]vn/.well-known/acme-challenge/ssj.jpg

argfoodfest[.]e-zero.com.ar:80/.well-known/pki-validation/ssj.jpg

aa[-]publisher.com:80/.well-known/mxr.pdf

duandojiland[-]sapphire.com:80/.well-known/pki-validation/ssj.jpg

master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg

ea[-]no7.net/.well-known/pki-validation/messg.jpg

tropictowersfiji[.]com/.well-known/pki-validation/msg.jpg

test[.]digimarkting.com/.well-known/pki-validation/msges.jpg

tebarameatsfiji[.]com/.well-known/pki-validation/msg.jpg

sbs[.]ipeary.com/.well-known/pki-validation/msges.jpg

sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg

samyaksolution[.]co.in/.well-known/pki-validation/msges.jpg

samyaksolution[.]co.in/.well-known/pki-validation/msg.jpg

rosyheartsfiji[.]com/.well-known/pki-validation/pik.zip

needcareers[.]com/.well-known/pki-validation/msges.jpg

natristhub[.]club/.well-known/pki-validation/msges.jpg

natristhub[.]club/.well-known/pki-validation/msg.jpg

mytripland[.]com:80/.well-known/pki-validation/sserv.jpg

learning[.]ipeary.com/.well-known/pki-validation/msg.jpg

ipeari[.]com/.well-known/pki-validation/msg.jpg

diennangmattroi[.]com/.well-known/pki-validation/msges.jpg

diennangmattroi[.]com/.well-known/pki-validation/msg.jpg

alonhadat24h[.]vn/.well-known/acme-challenge/update_2018_02.browser-components.zip

24bizhub[.]com/.well-known/pki-validation/msges.jpg

24bizhub[.]com/.well-known/pki-validation/msg.jpg

thinkmonochrome[.]co.uk/.well-known/acme-challenge/messg.jpg

test[.]digimarkting.com/.well-known/pki-validation/msg.jpg

needcareers[.]com/.well-known/pki-validation/msg.jpg

hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip

designitpro[.]net/.well-known/acme-challenge/msg.jpg

zanatika[.]com:80/.well-known/acme-challenge/ssj.jpg

vina[.]fun:80/.well-known/acme-challenge/ssj.jpg

nexusdental[.]com.mx/.well-known/acme-challenge/ssj.jpg

neccotweethearts[.]com:80/.well-known/pki-validation/ssj.jpg

jayc[-]productions.com:80/.well-known/acme-challenge/ssj.jpg

indochine[-]mekong.com:80/.well-known/acme-challenge/ssj.jpg

hexamersolution[.]com/.well-known/acme-challenge/msg.jpg

hexacode[.]lk:80/.well-known/acme-challenge/ssj.jpg

dongha[.]city:80/.well-known/acme-challenge/ssj.jpg

domika[.]vn/.well-known/acme-challenge/msg.jpg

coupanadda[.]in:80/.well-known/pki-validation/ssj.jpg

choviahe[.]cf:80/.well-known/acme-challenge/ssj.jpg

brace[-]dd.com/.well-known/pki-validation/msg.jpg

angkaprediksi[.]fun/.well-known/acme-challenge/msg.jpg

advancitinc[.]com/.well-known/pki-validation/msg.jpg

vodai[.]bid/.well-known/pki-validation/ssj.jpg

thucphammena[.]com/.well-known/acme-challenge/ssj.jpg

thefoodgram[.]com/.well-known/acme-challenge/tehnikol.zip

thefoodgram[.]com/.well-known/acme-challenge/stroi-industr.zip

shopkimhuyen[.]com/.well-known/acme-challenge/msg.jpg

shine[.]bmt.city/.well-known/acme-challenge/ssj.jpg

sbs[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip

needcareers[.]com/.well-known/pki-validation/tehnikol.zip

needcareers[.]com/.well-known/pki-validation/stroi-industr.zip

maithanhduong[.]com/.well-known/pki-validation/pik.zip

luongynhiem[.]com/.well-known/pki-validation/gkpik.zip

lichxuansaigon[.]com:80/.well-known/acme-challenge/ssj.jpg

kinder[-]express.de/.well-known/acme-challenge/reso.zip

khannen[.]com.vn/.well-known/acme-challenge/ssj.jpg

jayc[-]productions.com/.well-known/acme-challenge/ssj.jpg

jambanswers[.]org/.well-known/pki-validation/ssj.jpg

intercontinentalglobalservice[.]com:80/.well-known/pki-validation/ssj.jpg

gurusexpo[.]com.ng/.well-known/pki-validation/ssj.jpg

gotrungtuan[.]online/.well-known/acme-challenge/ssj.jpg

goindelivery[.]com/.well-known/pki-validation/major.zip

fernandoherrera[.]me:80/.well-known/acme-challenge/ssj.jpg

diennangmattroi[.]com/.well-known/pki-validation/stroi-industr.zip

canhooceangate[.]com/.well-known/acme-challenge/sserv.jpg

bramptonpharmacy[.]ca/.well-known/acme-challenge/msg.jpg

bolt[-]fast.com/.well-known/pki-validation/gkpik.zip

bmt[.]today/.well-known/acme-challenge/ssj.jpg

blog[.]ponta-fukui.com/.well-known/pki-validation/pik.zip

bhartivaish[.]com:80/.well-known/acme-challenge/ssj.jpg

attireup[.]com/.well-known/acme-challenge/tehnikol.zip

attireup[.]com/.well-known/acme-challenge/stroi-industr.zip

acreationevents[.]com/.well-known/acme-challenge/msg.jpg

yeu82[.]com/.well-known/acme-challenge/ssj.jpg

yeu81[.]com/.well-known/acme-challenge/ssj.jpg

yeu49[.]com/.well-known/acme-challenge/ssj.jpg

yeu48[.]com/.well-known/acme-challenge/ssj.jpg

vuacacao[.]com/.well-known/acme-challenge/ssj.jpg

vision[-]ex.de/.well-known/acme-challenge/reso.zip

vinaykhatri[.]in/.well-known/acme-challenge/ssj.jpg

vinaykhatri[.]in/.well-known/acme-challenge/mxr.pdf

variantmag[.]com/.well-known/acme-challenge/sserv.jpg

valentinesblues[.]com/.well-known/pki-validation/sserv.jpg

uyencometics[.]bmt.city/.well-known/acme-challenge/ssj.jpg

tysonfury[.]rocks/.well-known/acme-challenge/msg.jpg

tulipremodeling[.]com/.well-known/acme-challenge/sserv.jpg

tropictowersfiji[.]com/.well-known/pki-validation/pik.zip

thesaturnring[.]com/.well-known/acme-challenge/mxr.pdf

theotokis[.]gr/.well-known/pki-validation/mxr.pdf

thefashionelan[.]com/.well-known/pki-validation/msg.jpg

tanione[.]com:80/.well-known/acme-challenge/ssj.jpg

tanione[.]com/.well-known/acme-challenge/ssj.jpg

steeveriano[.]com/.well-known/pki-validation/msg.jpg

singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip

shafercharacter[.]org/.well-known/acme-challenge/messg.jpg

service[.]baynuri.net/.well-known/acme-challenge/messg.jpg

samyaksolution[.]co.in/.well-known/pki-validation/rolf.zip

realman[.]work/.well-known/acme-challenge/reso.zip

rarejewelry[.]net/.well-known/acme-challenge/mxr.pdf

rarejewelry[.]net/.well-known/acme-challenge/messg.jpg

qsongchihotel[.]com/.well-known/acme-challenge/ssj.jpg

panama[.]driverclub.co/.well-known/pki-validation/pic.zip

ngheve[.]com/.well-known/acme-challenge/ssj.jpg

nfc[.]com.vn/.well-known/acme-challenge/msg.jpg

next[-]vision.ro/.well-known/pki-validation/ssj.jpg

newsnaija[.]ng/.well-known/pki-validation/ssj.jpg

newsnaija[.]ng/.well-known/pki-validation/mxr.pdf

neelshivamlaw[.]com/.well-known/pki-validation/pic.inform.zip

neccotweethearts[.]com/.well-known/pki-validation/ssj.jpg

navegacaolacet[.]com.br/.well-known/acme-challenge/msg.jpg

mytripland[.]com/.well-known/pki-validation/ssj.jpg

myschoolmarket[.]com.ng/.well-known/acme-challenge/ssj.jpg

mskhangroup[.]com/.well-known/pki-validation/pic.zip

mskhangroup[.]com/.well-known/pki-validation/msg.jpg

morganbits[.]com/.well-known/acme-challenge/mxr.pdf

mo7o[.]fun:80/.well-known/acme-challenge/mxr.pdf

mitsubishidn[.]com.vn/.well-known/acme-challenge/sserv.jpg

meliscar[.]com:80/.well-known/pki-validation/ssj.jpg

meliscar[.]com/.well-known/pki-validation/ssj.jpg

manhattan[.]dangcaphoanggia.com/.well-known/acme-challenge/mxr.pdf

maithanhduong[.]com/.well-known/pki-validation/msg.jpg

lichxuansaigon[.]com/.well-known/acme-challenge/ssj.jpg

lemon[-]remodeling.com/.well-known/acme-challenge/sserv.jpg

lastra[.]top/.well-known/pki-validation/msg.jpg

laflamme[-]heli.com/.well-known/acme-challenge/ssj.jpg

laflamme[-]heli.com/.well-known/acme-challenge/sserv.jpg

kousen[.]fire-navi.jp/.well-known/pki-validation/msg.jpg

jambanswers[.]org/.well-known/pki-validation/vseros.bank.zakaz.docx.zip

integramultimedia[.]com.mx/.well-known/acme-challenge/ssj.jpg

incgoin[.]com/.well-known/pki-validation/reso.zip

hexacode[.]lk/.well-known/acme-challenge/ssj.jpg

happysungroup[.]de/.well-known/pki-validation/ssj.jpg

goindelivery[.]com/.well-known/pki-validation/reso.zip

goindelivery[.]com/.well-known/pki-validation/msg.jpg

goindelivery[.]com/.well-known/pki-validation/kia.zip

gnb[.]uz/.well-known/pki-validation/ssj.jpg

geecee[.]co.za/.well-known/pki-validation/msg.jpg

geecee[.]co.za/.well-known/pki-validation/kia.zip

gdn[.]segera.live/.well-known/pki-validation/sserv.jpg

fijidirectoryonline[.]com/.well-known/pki-validation/msg.jpg

fastimmo[.]fr/.well-known/acme-challenge/sserv.jpg

ereservices[.]com/.well-known/pki-validation/sserv.jpg

ede[.]coffee/.well-known/acme-challenge/ssj.jpg

dongydaisinhduong[.]com/.well-known/acme-challenge/messg.jpg

diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf

diota[-]ar.com/.well-known/acme-challenge/mxr.pdf

diamondking[.]co/.well-known/pki-validation/sserv.jpg

dev01[.]europeanexperts.com/.well-known/pki-validation/messg.jpg

designitpro[.]net/.well-known/acme-challenge/reso.zip

damuoigiasi[.]com/.well-known/acme-challenge/ssj.jpg

dailynow[.]vn/.well-known/acme-challenge/msg.jpg

choviahe[.]cf/.well-known/acme-challenge/ssj.jpg

cellulosic[.]logicalatdemo.co.in/.well-known/pki-validation/ssj.jpg

business[.]driverclub.co/.well-known/pki-validation/msg.jpg

bhartivaish[.]com/.well-known/acme-challenge/sserv.jpg

bcspremier[.]ru/promo/well-known/images/background_sm.jpg

bcspremier[.]ru/promo/well-known/images/background_lg.jpg

atiqah[.]my/.well-known/pki-validation/sserv.jpg

aanarehabcenter[.]com:80/.well-known/pki-validation/ssj.jpg

aanarehabcenter[.]com/.well-known/pki-validation/ssj.jpg

24bizhub[.]com/.well-known/pki-validation/tehnikol.zip

24bizhub[.]com/.well-known/pki-validation/stroi-industr.zip

ipeari[.]com/.well-known/pki-validation/reso.zip

ipeari[.]com/.well-known/pki-validation/stroi-industr.zip

ipeari[.]com/.well-known/pki-validation/stroi-invest.zip

ipeari[.]com/.well-known/pki-validation/tehnikol.zip

learning[.]ipeary.com/.well-known/pki-validation/reso.zip

learning[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip

learning[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip

learning[.]ipeary.com/.well-known/pki-validation/tehnikol.zip

test[.]digimarkting.com/.well-known/pki-validation/reso.zip

test[.]digimarkting.com/.well-known/pki-validation/stroi-industr.zip

test[.]digimarkting.com/.well-known/pki-validation/stroi-invest.zip

test[.]digimarkting.com/.well-known/pki-validation/tehnikol.zip

SBS[.]ipeary.com/.well-known/pki-validation/msg.jpg

SBS[.]ipeary.com/.well-known/pki-validation/reso.zip

SBS[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip

SBS[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip

SBS[.]ipeary.com/.well-known/pki-validation/tehnikol.zip

singleparentaustralia[.]com.au/.well-known/pki-validation/msg.jpg

natristhub[.]club/.well-known/pki-validation/reso.zip

natristhub[.]club/.well-known/pki-validation/stroi-industr.zip

natristhub[.]club/.well-known/pki-validation/stroi-invest.zip

natristhub[.]club/.well-known/pki-validation/tehnikol.zip

natristhub[.]club/.well-known/pki-validation/tehnikol1.zip
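As an added example that is not part of the post, the Python below parses the defanged IOC list above: it refangs the [.] and [-] notations, folds the :80 and mixed-case variants of a host onto one entry, tallies which validation directory and which file names recur, and tests each path against a generic pattern for a payload file sitting in /.well-known/, so the same check can be run over proxy logs rather than only against this list. It embeds a subset of the published IOCs verbatim; treating a scheme-less entry as plain http is the example’s assumption, not the post’s.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Subset of the IOC list published in this post, defanged exactly as printed.
IOC_SAMPLE = [
    "aioshipping[.]com/.well-known/acme-challenge/msg.jpg",
    "aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg",
    "yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf",
    "aa[-]publisher.com:80/.well-known/mxr.pdf",
    "master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg",
    "sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg",
    "SBS[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip",
    "hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip",
    "bcspremier[.]ru/promo/well-known/images/background_sm.jpg",
]

# Generic shape of the payloads found here: a file with a download-bait
# extension directly in /.well-known/ or in one of the two validation
# subdirectories. Genuine tokens have no extension, so they never match.
HIDDEN_DIR_PAYLOAD = re.compile(
    r"^/\.well-known/(?:acme-challenge/|pki-validation/)?[^/]+"
    r"\.(?:jpg|jpeg|png|zip|pdf|htm|html|exe)$",
    re.I,
)


def refang(ioc):
    """Undo the defanging used in the list: [.] -> . and [-] -> - (and hxxp -> http)."""
    return ioc.replace("[.]", ".").replace("[-]", "-").replace("hxxp", "http")


def parse_ioc(line):
    """Split one host[:port]/path entry; http is assumed when no scheme is given."""
    url = urlsplit("http://" + refang(line.strip()))  # .hostname is lower-cased
    parent, _, name = url.path.rpartition("/")
    return {"host": url.hostname, "port": url.port or 80,
            "path": url.path, "dir": parent, "file": name}


def looks_like_hidden_dir_payload(path):
    return bool(HIDDEN_DIR_PAYLOAD.match(path))


def summarize(iocs):
    parsed = [parse_ioc(i) for i in iocs]
    return {
        "hosts": sorted({p["host"] for p in parsed}),
        "by_dir": Counter(p["dir"] for p in parsed),
        "by_file": Counter(p["file"] for p in parsed),
        "pattern_hits": sum(looks_like_hidden_dir_payload(p["path"]) for p in parsed),
    }


if __name__ == "__main__":
    s = summarize(IOC_SAMPLE)
    print(len(s["hosts"]), "hosts;", s["pattern_hits"], "of", len(IOC_SAMPLE), "paths match the pattern")
    for d, n in s["by_dir"].most_common():
        print(f"{n:3d}  {d}")
```

The bcspremier[.]ru entry is the one item in the sample that does not match the generic pattern, which is the point of keeping the path check separate from the refang step: a blocklist built from the list catches exactly these URLs, while the pattern catches the next site that is abused the same way.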