Tuesday, January 14, 2025

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents


A rudimentary ransomware targets Turkish businesses through phishing emails sent from “.ru” domain sender addresses. Clicking the link embedded in the PDF attachment triggers the download of a malicious executable from a compromised GitHub account.

The executable encrypts crucial files with the “.shadowroot” extension, highlighting a wider trend of ransomware attacks using phishing emails to deploy payloads, demonstrating the ongoing threat to various industries globally. 

Malicious URL from the PDF

The analyzed executable is a malicious 32-bit Borland Delphi 4.0 binary that drops several files, including RootDesign.exe and Uninstall.exe, which are likely components of a malware program designed to infiltrate a system and carry out malicious activities.


RootDesign.exe in particular is additionally protected with DotNet Confuser, an open-source obfuscator for .NET applications.

Packer info

Because of the obfuscation applied by DotNet Confuser, conventional security software has more difficulty recognizing RootDesign.exe as a potential threat.

The dropper, PDF.FaturaDetay_202407.exe, employs nested PowerShell commands to execute RootDesign.exe in a hidden mode. PowerShell is a scripting language built into the Windows operating system that can be used to automate tasks and execute programs.

Obfuscated function and class names

By nesting PowerShell commands, the malware authors can achieve a level of indirection that makes it more difficult to trace the execution flow and identify the ultimate payload (RootDesign.exe) being launched. 

According to ForcePoint, running RootDesign.exe in hidden mode further conceals its activity from the user, making it even more challenging to detect and remove the malware.

The attacker executed a malicious script disguised as a command prompt command, which leverages PowerShell to launch a hidden process (RootDesign.exe), likely located in a directory named “The Dream”.

This process creates several mutexes, which are synchronization objects used to control access to shared resources, whose names (_SHuassist.mtx, Local\ZonesCacheCounterMutex, Local\ZonesLockedCacheCounterMutex) suggest the malware might target specific system functions. 

The malware then injects copies of itself into memory with new process IDs (PIDs), creating a recursive thread structure, which is an indication of a ransomware attack that aims to encrypt files on the compromised system. 

Encrypted files with the ShadowRoot extension

RootDesign.exe, a .NET-compiled malware, logs its activity, initiates the ransomware attack, and recursively encrypts critical files with a custom “.ShadowRoot” extension, dropping ransom notes and causing high memory usage due to its self-replication behavior.

The malware creates a command-and-control channel via SMTP on port 587 to an email address that is probably under the attackers’ control and uses the common AESCryptoServiceProvider class for encryption. 
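The behaviours described above (a hidden-window nested PowerShell launch of RootDesign.exe, the three named mutexes, outbound SMTP on port 587 from a non-mail process, and files renamed to the .shadowroot extension) can be turned into simple detection rules. The script below is an added example written for this article, not code from Forcepoint or the malware; the event shape is a simplified Sysmon-style dictionary, and the sample events are constructed rather than real telemetry.

```python
"""Constructed detection example for the ShadowRoot behaviours described in the article.
Event field names (type, image, cmdline, name, dst_port, target) are an assumption."""
import re

# Mutex names quoted in the article; the file extension and SMTP port likewise.
MUTEX_NAMES = {"_SHuassist.mtx", "Local\\ZonesCacheCounterMutex",
               "Local\\ZonesLockedCacheCounterMutex"}
HIDDEN_PS = re.compile(r"powershell(?:\.exe)?[^|]*-w(?:indowstyle)?\s+hidden", re.I)
PAYLOAD = re.compile(r"RootDesign\.exe", re.I)
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # processes expected to use port 587

def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        if HIDDEN_PS.search(cmd) and PAYLOAD.search(cmd):
            hits.append("hidden_powershell_launch_of_payload")
        if cmd.lower().count("powershell") >= 2:  # one PowerShell spawning another
            hits.append("nested_powershell")
    elif kind == "mutex_create" and event.get("name") in MUTEX_NAMES:
        hits.append("shadowroot_mutex")
    elif kind == "network_connect" and event.get("dst_port") == 587:
        if not event.get("image", "").lower().endswith(MAIL_CLIENTS):
            hits.append("smtp_submission_from_unexpected_process")
    elif kind == "file_rename" and event.get("target", "").lower().endswith(".shadowroot"):
        hits.append("shadowroot_extension")
    return hits

# Constructed sample events; the command line is a reconstruction of the nested launch.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "cmd.exe",
     "cmdline": 'cmd /c powershell -w hidden -c "powershell -WindowStyle Hidden '
                'Start-Process \'C:\\Users\\x\\The Dream\\RootDesign.exe\'"'},
    {"type": "mutex_create", "image": "RootDesign.exe", "name": "_SHuassist.mtx"},
    {"type": "network_connect", "image": "RootDesign.exe", "dst_port": 587},
    {"type": "file_rename", "image": "RootDesign.exe",
     "target": "C:\\Users\\x\\Documents\\budget.xlsx.shadowroot"},
    {"type": "process_create", "image": "explorer.exe",
     "cmdline": "powershell -NoProfile -Command Get-Date"},  # benign, no hit
]

def scan(events):
    """Run every event through classify and return (event type, rule) pairs."""
    return [(e["type"], h) for e in events for h in classify(e)]

if __name__ == "__main__":
    for event_type, rule in scan(SAMPLE_EVENTS):
        print(f"{event_type:16} -> {rule}")
```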

While no direct crypto wallet information is provided, the ransom note instructs victims to contact a suspicious email likely used for communication and potential decryption tool/payment processing.
