Friday, February 21, 2025

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents


A rudimentary ransomware strain targets Turkish businesses through phishing emails sent from “.ru” domain addresses. Clicking a link inside the attached PDF downloads a malicious executable hosted on a compromised GitHub account.

The executable encrypts important files and appends the “.shadowroot” extension. The campaign illustrates a wider trend of ransomware delivered through phishing emails and shows that the threat remains active across industries worldwide.

[Figure: malicious URL extracted from the PDF attachment]

The analyzed executable is a malicious 32-bit Borland Delphi 4.0 binary that drops several files, including RootDesign.exe and Uninstall.exe, which are likely components of a malware program designed to gain a foothold on the system and carry out the malicious activity.

RootDesign.exe in particular is protected with DotNet Confuser, an open-source obfuscator for .NET applications, which adds a further layer of protection around the payload.

[Figure: packer information]

Because of the obfuscation DotNet Confuser applies, conventional security software has a harder time recognizing RootDesign.exe as a potential threat.

The dropper, PDF.FaturaDetay_202407.exe, uses nested PowerShell commands to execute RootDesign.exe with a hidden window. PowerShell is a scripting language built into the Windows operating system that can be used to automate tasks and run programs.

[Figure: obfuscated function and class names]

By nesting PowerShell commands, the malware authors add a level of indirection that makes it harder to trace the execution flow and identify the ultimate payload (RootDesign.exe) being launched.

According to Forcepoint, running RootDesign.exe with a hidden window further conceals its activity from the user, making the malware even more challenging to detect and remove.

The observed command line, disguised as an ordinary command-prompt invocation, leverages PowerShell to launch a hidden process (RootDesign.exe), likely located in a directory named “The Dream”.
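The nested-PowerShell launch described above leaves a characteristic process tree: a dropper spawns PowerShell, which spawns another PowerShell with a hidden window, which finally starts an executable from a user-writable directory. The following is an added example, not code from the original article or from Forcepoint, showing how a defender can reconstruct that chain from process-creation telemetry. The events, process IDs, paths and command lines are constructed to mirror the chain the article describes; the hidden-window regex and the user-writable path regex are heuristics assumed for this example.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Heuristic: PowerShell invoked with a hidden window (-WindowStyle Hidden, -w hidden, -w 1).
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)
# Heuristic: executables living under user-writable locations rather than system directories.
USER_WRITABLE_RE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 style), constructed for this example."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    chain: list          # image basenames from the oldest known ancestor down to the payload
    powershell_layers: int
    payload: str         # full path of the executable started by the hidden PowerShell


def is_powershell(image: str) -> bool:
    return ntpath.basename(image).lower() in POWERSHELL_IMAGES


def ancestry(pid: int, by_pid: dict) -> list:
    """Walk parent links upward; returns events oldest-first, ending with `pid` itself."""
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_hidden_powershell_chains(events: list) -> list:
    """Flag hidden-window PowerShell that is itself nested under another PowerShell
    and that launches an executable from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for e in events:
        if not is_powershell(e.image) or not HIDDEN_RE.search(e.cmdline):
            continue
        chain = ancestry(e.pid, by_pid)
        layers = sum(1 for a in chain if is_powershell(a.image))
        if layers < 2:          # a single hidden PowerShell (e.g. a scheduled task) is not enough
            continue
        for child in children[e.pid]:
            if USER_WRITABLE_RE.search(child.image):
                names = [ntpath.basename(a.image) for a in chain] + [ntpath.basename(child.image)]
                findings.append(Finding(names, layers, child.image))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: one malicious chain plus benign hidden PowerShell from a scheduled task.
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 50, r"C:\Users\victim\Downloads\PDF.FaturaDetay_202407.exe", "PDF.FaturaDetay_202407.exe"),
    ProcEvent(200, 100, PS, r'powershell.exe -nop -c "powershell -w hidden -c Start-Process \"C:\Users\victim\The Dream\RootDesign.exe\""'),
    ProcEvent(300, 200, PS, r'powershell -w hidden -c Start-Process "C:\Users\victim\The Dream\RootDesign.exe"'),
    ProcEvent(400, 300, r"C:\Users\victim\The Dream\RootDesign.exe", "RootDesign.exe"),
    ProcEvent(500, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(600, 500, PS, r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\Scripts\inventory.ps1"),
    ProcEvent(700, 600, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for f in find_hidden_powershell_chains(SAMPLE_EVENTS):
        print(f"{f.powershell_layers} PowerShell layers: {' -> '.join(f.chain)}")
```

The benign scheduled-task launch (pid 600) is hidden but has only one PowerShell layer, so it is not reported; the dropper's chain is reported once, with the full ancestry so an analyst can pivot to the originating executable.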

The process creates several mutexes (synchronization objects used to control access to shared resources); their names (_SHuassist.mtx, Local\ZonesCacheCounterMutex, Local\ZonesLockedCacheCounterMutex) suggest the malware might target specific system functions.

The malware then injects copies of itself into memory under new process IDs (PIDs), creating a recursive thread structure, which is consistent with a ransomware attack that aims to encrypt files on the compromised system.

[Figure: encrypted files with the .ShadowRoot extension]

RootDesign.exe, a .NET-compiled malware, logs its activity, initiates the ransomware routine, and recursively encrypts critical files with a custom “.ShadowRoot” extension, dropping ransom notes along the way; its self-replication behavior causes high memory usage.

The malware opens a command-and-control channel over SMTP on port 587 to an email address that is probably under the attackers’ control, and it uses the standard .NET AesCryptoServiceProvider class for encryption.

No crypto wallet information is provided; the ransom note instead instructs victims to contact a suspicious email address that is likely used for communication, and potentially for delivering the decryption tool and handling payment.
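Two of the behaviours above are cheap to detect from endpoint telemetry: an outbound SMTP connection on port 587 from a process that is not a mail client, and a burst of files being written with the ransomware extension by a single process. The following is an added example, not code from the article or from Forcepoint, that runs both checks over constructed Sysmon-style network and file events. The mail-client allowlist, the burst threshold, the time window and all sample paths and timestamps are assumptions chosen for this example.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allowlist of legitimate SMTP clients
RANSOM_EXT = ".shadowroot"                          # extension reported for this campaign
BURST_THRESHOLD = 20                                # assumed: this many ransom-extension writes ...
BURST_WINDOW = timedelta(seconds=10)                # ... by one process within this window is a burst


@dataclass(frozen=True)
class NetEvent:
    """Network-connection record (Sysmon event ID 3 style), constructed for this example."""
    ts: datetime
    pid: int
    image: str
    dst_port: int
    initiated: bool        # True for outbound connections


@dataclass(frozen=True)
class FileEvent:
    """File-create record (Sysmon event ID 11 style), constructed for this example."""
    ts: datetime
    pid: int
    image: str
    target: str


def smtp_from_unexpected_process(events: list) -> list:
    """Outbound port-587 connections whose source image is not an allowlisted mail client."""
    return [e for e in events
            if e.initiated and e.dst_port == 587
            and ntpath.basename(e.image).lower() not in MAIL_CLIENTS]


def encryption_bursts(events: list) -> list:
    """Per process, the largest number of RANSOM_EXT writes inside any BURST_WINDOW;
    returns (pid, image, count) for processes at or above BURST_THRESHOLD."""
    by_pid = defaultdict(list)
    for e in events:
        if e.target.lower().endswith(RANSOM_EXT):
            by_pid[e.pid].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start, best = 0, 0
        for end, e in enumerate(evs):          # sliding window over sorted timestamps
            while e.ts - evs[start].ts > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            alerts.append((pid, ntpath.basename(evs[0].image), best))
    return alerts


T0 = datetime(2024, 7, 15, 9, 0, 0)
RANSOM_IMAGE = r"C:\Users\victim\The Dream\RootDesign.exe"
# Constructed sample telemetry.
SAMPLE_NET = [
    NetEvent(T0, 400, RANSOM_IMAGE, 587, True),
    NetEvent(T0, 900, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", 587, True),
    NetEvent(T0, 950, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 443, True),
    NetEvent(T0, 400, RANSOM_IMAGE, 587, False),   # inbound, ignored
]
SAMPLE_FILES = [
    FileEvent(T0 + timedelta(milliseconds=100 * i), 400, RANSOM_IMAGE,
              rf"C:\Users\victim\Documents\report{i}.docx{RANSOM_EXT}")
    for i in range(30)
] + [
    FileEvent(T0 + timedelta(seconds=i), 910, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              rf"C:\Users\victim\Documents\draft{i}.docx")
    for i in range(3)
]

if __name__ == "__main__":
    for e in smtp_from_unexpected_process(SAMPLE_NET):
        print(f"SMTP/587 from non-mail process pid={e.pid} {e.image}")
    for pid, image, count in encryption_bursts(SAMPLE_FILES):
        print(f"burst: pid={pid} {image} wrote {count} {RANSOM_EXT} files within {BURST_WINDOW}")
```

The two checks are independent on purpose: the SMTP rule fires at the moment the channel is set up, before any file is touched, while the burst rule catches the encryption itself even if the network path is blocked. Both return structured results rather than printing, so the same functions can feed a SIEM rule or a unit test.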


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
