New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails from the internet[.]ru domain. 

PDF links trigger exe payload downloads, which encrypt files with the “.shadowroot” extension, which is actively compromising various global organizations, including healthcare and e-commerce sectors. 

A PDF attachment containing a malicious URL linking to a compromised GitHub account has been identified as the initial access vector, which downloads an executable payload named “PDF.FaturaDetay_202407.exe,” suggesting potential malware delivery and subsequent system compromise. 

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

The analyzed 32-bit Borland Delphi 4.0 executable deploys secondary payloads, RootDesign.exe, Uninstall.exe, and Uninstall.ini, to the “C:\TheDream” directory. 

RootDesign.exe uses randomized class names, special characters, and obfuscated function names protected by DotNet Confuser Core 1.6 obfuscation to avoid detection. 

The primary executable utilizes PowerShell to stealthily execute RootDesign.exe, which indicates possible malicious activity. 

The command executes a hidden PowerShell script from “C:\TheDream\RootDesign.exe”, spawning multiple child processes and creating mutexes “Local\ZonesCacheCounterMutex”, “Local\ZonesLockedCacheCounterMutex”, and “_SHuassist.mtx”. 

These processes use memory to replicate themselves recursively, consuming an increasing amount of system resources. 

Simultaneously, they encrypt various non-PE and office files, replacing their extensions with “.ShadowRoot” and logging their actions in “C:\TheDream\log.txt” with the marker “ApproveExit.dot.”. 

According to ForcePoint, the ransomware employs the.NET AES cryptographic library for file encryption, repeatedly encrypting files via recursive self-propagation using RootDesign.exe, leading to excessive resource consumption and multiple encrypted file copies. 

It displays ransom notes in Turkish, demands cryptocurrency payment through an email-based contact mechanism, and exfiltrates system information to a command-and-control server via SMTP on smtp[.]mail[.]ru, port 587, using a compromised email account. 

A novice attacker targets Turkish businesses with a rudimentary ransomware campaign, where the malicious PDF invoices with links prompt the download of a Delphi payload and the execution of a dotnet confuser-obfuscated binary. 

The ransomware encrypts files with the “.ShadowRoot” extension and communicates with a Russian SMTP server, suggesting limited capabilities and potential inexperience. 

Threat actors are distributing malware via email using the email addresses Kurumsal[.]tasilat[@]internet[.]ru, ran_master_som[@]proton[.]me, and lasmuruk[@]mailfence[.]com. 

The malware payload, with hashes CD8FBF0DCDD429C06C80B124CAF574334504E99A and 1C9629AEB0E6DBE48F9965D87C64A7B8750BBF93, is hosted on hxxps://raw[.]githubusercontent[.]com/kurumsaltahsilat/detayfatura/main/PDF.FaturaDetay_202407.exe.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo