New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails from the internet[.]ru domain. 

PDF links trigger exe payload downloads, which encrypt files with the “.shadowroot” extension, which is actively compromising various global organizations, including healthcare and e-commerce sectors. 

PDF attachment

A PDF attachment containing a malicious URL linking to a compromised GitHub account has been identified as the initial access vector, which downloads an executable payload named “PDF.FaturaDetay_202407.exe,” suggesting potential malware delivery and subsequent system compromise. 

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

malicious URL from pdf

The analyzed 32-bit Borland Delphi 4.0 executable deploys secondary payloads, RootDesign.exe, Uninstall.exe, and Uninstall.ini, to the “C:\TheDream” directory. 

RootDesign.exe uses randomized class names, special characters, and obfuscated function names protected by DotNet Confuser Core 1.6 obfuscation to avoid detection. 

The primary executable utilizes PowerShell to stealthily execute RootDesign.exe, which indicates possible malicious activity. 

Obfuscated function and class name

The command executes a hidden PowerShell script from “C:\TheDream\RootDesign.exe”, spawning multiple child processes and creating mutexes “Local\ZonesCacheCounterMutex”, “Local\ZonesLockedCacheCounterMutex”, and “_SHuassist.mtx”. 

These processes use memory to replicate themselves recursively, consuming an increasing amount of system resources. 

Simultaneously, they encrypt various non-PE and office files, replacing their extensions with “.ShadowRoot” and logging their actions in “C:\TheDream\log.txt” with the marker “ApproveExit.dot.”. 

Encrypted files with the ShadowRoot extension

According to ForcePoint, the ransomware employs the.NET AES cryptographic library for file encryption, repeatedly encrypting files via recursive self-propagation using RootDesign.exe, leading to excessive resource consumption and multiple encrypted file copies. 

It displays ransom notes in Turkish, demands cryptocurrency payment through an email-based contact mechanism, and exfiltrates system information to a command-and-control server via SMTP on smtp[.]mail[.]ru, port 587, using a compromised email account. 

C2 connection

A novice attacker targets Turkish businesses with a rudimentary ransomware campaign, where the malicious PDF invoices with links prompt the download of a Delphi payload and the execution of a dotnet confuser-obfuscated binary. 

The ransomware encrypts files with the “.ShadowRoot” extension and communicates with a Russian SMTP server, suggesting limited capabilities and potential inexperience. 

Threat actors are distributing malware via email using the email addresses Kurumsal[.]tasilat[@]internet[.]ru, ran_master_som[@]proton[.]me, and lasmuruk[@]mailfence[.]com. 

The malware payload, with hashes CD8FBF0DCDD429C06C80B124CAF574334504E99A and 1C9629AEB0E6DBE48F9965D87C64A7B8750BBF93, is hosted on hxxps://raw[.]githubusercontent[.]com/kurumsaltahsilat/detayfatura/main/PDF.FaturaDetay_202407.exe.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Aman Mishra

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

2 days ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

2 days ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

2 days ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

2 days ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

2 days ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

2 days ago