CyberSecurity SEE

ShadowRoot Ransomware Targets Organizations Using Weaponized PDFs


A recent wave of ransomware attacks has struck Turkish businesses, targeting them through phishing emails whose sender addresses use a “.ru” domain. These emails carry a PDF attachment that, when opened, leads to the download of a malicious executable from a compromised GitHub account.

Once run, the executable encrypts important files and appends the “.shadowroot” extension, illustrating a broader trend in which ransomware is delivered through phishing emails carrying the payload. This highlights the persistent threat that organizations across industries face on a global scale.

Upon analysis, it was discovered that the executable in question is a 32-bit Borland Delphi 4.0 binary that drops multiple files, including RootDesign.exe and Uninstall.exe. These files are believed to be components of a malware program designed to infiltrate systems and conduct malicious activities.

To make the payload harder to analyse, RootDesign.exe has been protected with DotNet Confuser, an open-source obfuscator for .NET applications. The obfuscation makes it more difficult for traditional, signature-based security software to identify RootDesign.exe as a threat.

The dropper, named PDF.FaturaDetay_202407.exe, utilizes nested PowerShell commands to execute RootDesign.exe stealthily. PowerShell, a scripting language integrated into Windows, allows for the automation of tasks and program execution.

By nesting PowerShell commands, the malware authors introduce a level of indirection that complicates tracing the execution flow and identifying the final payload, RootDesign.exe. This stealthy execution method makes it harder for users to detect and remove the malware.

Forcepoint revealed that running RootDesign.exe in hidden mode further conceals its activities from users, presenting an additional challenge in detecting and eliminating the malware. The attacker was found to have executed a malicious script, disguised as a command prompt command, which used PowerShell to launch a hidden process (RootDesign.exe) from a directory named “The Dream.”
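The execution chain described above (a dropper launching PowerShell, PowerShell launching PowerShell with a hidden window, and the final executable started from a user-writable directory) is visible in process-creation telemetry. The following is an added detection example, not code from the original article or from Forcepoint: it runs simple rules over constructed process-creation events. The `key=value|key=value` record format, the field names, and the sample command lines are all assumptions made for this example; only the file and directory names come from the article.

```python
"""Flag process-creation events that match a nested, hidden PowerShell
launch chain. Added example; the event format and the sample events are
constructed for illustration, not real telemetry."""
import re

# Constructed sample events (assumed key=value|key=value layout).
# Names such as PDF.FaturaDetay_202407.exe, RootDesign.exe and "The Dream"
# are taken from the report; the command lines themselves are made up.
SAMPLE_EVENTS = [
    r"pid=4012|ppid=3200|image=C:\Windows\explorer.exe|parent=C:\Windows\winlogon.exe|cmd=explorer.exe",
    # Benign interactive PowerShell: no hidden window, no nesting.
    r"pid=4100|ppid=4012|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\explorer.exe|cmd=powershell.exe -NoProfile -Command Get-Date",
    # Dropper started by the user from the Downloads folder.
    r"pid=5120|ppid=4012|image=C:\Users\victim\Downloads\PDF.FaturaDetay_202407.exe|parent=C:\Windows\explorer.exe|cmd=PDF.FaturaDetay_202407.exe",
    # Outer PowerShell: hidden window, and a second powershell inside its command line.
    r"""pid=5188|ppid=5120|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Users\victim\Downloads\PDF.FaturaDetay_202407.exe|cmd=powershell.exe -WindowStyle Hidden -Command "powershell -w hidden -c Start-Process 'C:\Users\victim\The Dream\RootDesign.exe'" """,
    # Inner PowerShell: parent is itself PowerShell, window hidden again.
    r"pid=5200|ppid=5188|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -w hidden -c Start-Process 'C:\Users\victim\The Dream\RootDesign.exe'",
    # Final payload started by PowerShell from a user-writable directory.
    r'pid=5220|ppid=5200|image=C:\Users\victim\The Dream\RootDesign.exe|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd="C:\Users\victim\The Dream\RootDesign.exe"',
]

# Directories from which a PowerShell-spawned executable is considered expected.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Matches -w hidden, -win hidden, -WindowStyle Hidden, etc. (case-insensitive).
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
PS_NAMES = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse one constructed key=value|key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(ev):
    """Return the list of rule names the event triggers (empty if none)."""
    reasons = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    if img in PS_NAMES and HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")           # PowerShell asked for a hidden window
    if img in PS_NAMES and parent in PS_NAMES:
        reasons.append("nested_powershell")       # PowerShell spawned by PowerShell
    if img in PS_NAMES and len(re.findall("powershell", cmd, re.IGNORECASE)) >= 2:
        reasons.append("nested_command_line")     # a second powershell inside the command line
    if parent in PS_NAMES and img not in PS_NAMES and not ev["image"].lower().startswith(SYSTEM_DIRS):
        reasons.append("exec_from_user_dir")      # PowerShell launched an exe outside system dirs
    return reasons


def analyze(lines):
    """Map pid -> triggered rules for every event that matches at least one rule."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings[int(ev["pid"])] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Each rule on its own is noisy (administrators do run hidden scheduled scripts), so in practice the three PowerShell rules are best correlated along the parent chain: an event whose ancestor chain contains both a hidden-window PowerShell and a PowerShell-spawned executable from a user directory is a far stronger signal than any single hit. The dropper itself (pid 5120 in the sample) is deliberately not flagged by these rules; catching a user-launched executable from Downloads is a separate policy decision.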

The attacker’s script creates several mutexes (synchronization objects that regulate access to shared resources), suggesting that the malware may be targeting specific system functions. Moreover, the malware injects copies of itself into memory under new process IDs, consistent with a ransomware attack aimed at encrypting files on the compromised system.

RootDesign.exe, a .NET-compiled malware, logs its activities, initiates the ransomware routine, and recursively encrypts critical files, appending a custom “.ShadowRoot” extension. The malware also establishes a command-and-control channel over SMTP to an email address likely controlled by the attackers.
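Because the encrypted files keep their original name with the ransomware extension appended, the footprint of an infection can be measured with a filesystem sweep. The following is an added example written for this article, not code from the original report: it walks a directory tree, counts files carrying the “.shadowroot” extension (matched case-insensitively, since the article spells it both ways), and reports which original file types were touched. The sample directory layout is constructed inside a temporary directory for the demonstration.

```python
"""Sweep a directory tree for files renamed with the ransomware extension.
Added example; the sample tree is constructed, not data from a real infection."""
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".shadowroot"  # extension appended to encrypted files, per the report


def scan_for_encrypted(root, ext=RANSOM_EXT):
    """Walk `root` and summarise files whose name ends with `ext`.

    Returns the total count, a per-directory count (paths relative to root)
    and a count of the original extensions that sat before the appended one.
    """
    per_dir, orig_exts, total = Counter(), Counter(), 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            total += 1
            per_dir[os.path.relpath(dirpath, root)] += 1
            stem = name[: -len(ext)]                       # strip the appended extension
            orig_exts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {
        "total": total,
        "per_dir": dict(per_dir),
        "original_extensions": dict(orig_exts),
    }


def build_sample_tree(base):
    """Constructed fixture: untouched files next to files renamed the way the
    report describes. Returns the number of 'encrypted' files created."""
    encrypted = [
        "Documents/budget.xlsx.shadowroot",
        "Documents/notes.txt.ShadowRoot",   # mixed case, as seen in the article
        "Pictures/holiday.jpg.shadowroot",
    ]
    untouched = ["Documents/report.docx", "Pictures/readme.txt"]
    for rel in encrypted + untouched:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")  # placeholder bytes, not real file data
    return len(encrypted)


def demo():
    """Build the fixture in a temporary directory and return the scan summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_encrypted(tmp)


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['total']} files carry {RANSOM_EXT}")
    for directory, count in sorted(summary["per_dir"].items()):
        print(f"  {directory}: {count}")
    print("original extensions hit:", summary["original_extensions"])
```

On a real host the same sweep can be pointed at user profile and share paths; a non-zero count is already an incident, and the per-directory breakdown indicates how far the recursive encryption progressed, which helps prioritise restoration from backup.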

Although the ransom note does not provide direct cryptocurrency wallet details, it instructs victims to contact a suspicious email address for further communication about decryption tools or payment. This underscores the urgent need for stronger cybersecurity measures to protect against such attacks.

In conclusion, the recent ransomware targeting Turkish businesses underscores the evolving nature of cyber threats and the critical importance of robust cybersecurity practices. Vigilance, awareness, and proactive defense mechanisms are essential in safeguarding sensitive information and preventing devastating attacks that can cripple businesses and organizations.
