Monday, December 9, 2024
HomeCyber CrimeNew ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

Published on

SIEM as a Service

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails from the internet[.]ru domain. 

PDF links trigger exe payload downloads, which encrypt files with the “.shadowroot” extension, which is actively compromising various global organizations, including healthcare and e-commerce sectors. 

PDF attachment

A PDF attachment containing a malicious URL linking to a compromised GitHub account has been identified as the initial access vector, which downloads an executable payload named “PDF.FaturaDetay_202407.exe,” suggesting potential malware delivery and subsequent system compromise. 

- Advertisement - SIEM as a Service

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

malicious URL from pdf

The analyzed 32-bit Borland Delphi 4.0 executable deploys secondary payloads, RootDesign.exe, Uninstall.exe, and Uninstall.ini, to the “C:\TheDream” directory. 

RootDesign.exe uses randomized class names, special characters, and obfuscated function names protected by DotNet Confuser Core 1.6 obfuscation to avoid detection. 

The primary executable utilizes PowerShell to stealthily execute RootDesign.exe, which indicates possible malicious activity. 

Obfuscated function and class name

The command executes a hidden PowerShell script from “C:\TheDream\RootDesign.exe”, spawning multiple child processes and creating mutexes “Local\ZonesCacheCounterMutex”, “Local\ZonesLockedCacheCounterMutex”, and “_SHuassist.mtx”. 

These processes use memory to replicate themselves recursively, consuming an increasing amount of system resources. 

Simultaneously, they encrypt various non-PE and office files, replacing their extensions with “.ShadowRoot” and logging their actions in “C:\TheDream\log.txt” with the marker “ApproveExit.dot.”. 

Encrypted files with the ShadowRoot extension

According to ForcePoint, the ransomware employs the.NET AES cryptographic library for file encryption, repeatedly encrypting files via recursive self-propagation using RootDesign.exe, leading to excessive resource consumption and multiple encrypted file copies. 

It displays ransom notes in Turkish, demands cryptocurrency payment through an email-based contact mechanism, and exfiltrates system information to a command-and-control server via SMTP on smtp[.]mail[.]ru, port 587, using a compromised email account. 

C2 connection

A novice attacker targets Turkish businesses with a rudimentary ransomware campaign, where the malicious PDF invoices with links prompt the download of a Delphi payload and the execution of a dotnet confuser-obfuscated binary. 

The ransomware encrypts files with the “.ShadowRoot” extension and communicates with a Russian SMTP server, suggesting limited capabilities and potential inexperience. 

Threat actors are distributing malware via email using the email addresses Kurumsal[.]tasilat[@]internet[.]ru, ran_master_som[@]proton[.]me, and lasmuruk[@]mailfence[.]com. 

The malware payload, with hashes CD8FBF0DCDD429C06C80B124CAF574334504E99A and 1C9629AEB0E6DBE48F9965D87C64A7B8750BBF93, is hosted on hxxps://raw[.]githubusercontent[.]com/kurumsaltahsilat/detayfatura/main/PDF.FaturaDetay_202407.exe.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...