X-Labs recently discovered a concerning trend in which basic ransomware is targeting Turkish businesses through the delivery of malicious PDF attachments in suspicious emails originating from the internet[.]ru domain. This ransomware campaign has been identified as using PDF links to trigger the download of an executable payload, labeled as “PDF.FaturaDetay_202407.exe,” which is then utilized to encrypt files with the “.shadowroot” extension. This malicious activity has impacted various global organizations, including those in the healthcare and e-commerce sectors.
The initial access vector for this ransomware campaign involves a PDF attachment containing a URL that links to a compromised GitHub account. This URL downloads the executable payload, which signals potential malware delivery and subsequent system compromise. The analysis of the 32-bit Borland Delphi 4.0 executable revealed the deployment of secondary payloads, including RootDesign.exe, Uninstall.exe, and Uninstall.ini, to the “C:\TheDream” directory.
RootDesign.exe uses randomized class names, special characters, and obfuscated function names protected by DotNet Confuser Core 1.6 obfuscation to evade detection. The primary executable uses PowerShell to launch RootDesign.exe covertly. The execution of a hidden PowerShell script from “C:\TheDream\RootDesign.exe” spawns multiple child processes and creates mutexes such as “Local\ZonesCacheCounterMutex,” “Local\ZonesLockedCacheCounterMutex,” and “_SHuassist.mtx.”
These processes replicate themselves recursively in memory, consuming a growing amount of system resources. As they replicate, they encrypt various non-PE and office files and replace their extensions with “.ShadowRoot,” while logging their actions in “C:\TheDream\log.txt” using the marker “ApproveExit.dot.” According to ForcePoint, the ransomware uses the .NET AES cryptographic library for file encryption, repeatedly encrypting files through recursive self-propagation with RootDesign.exe, resulting in excessive resource consumption and multiple encrypted file copies.
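A host-triage script for the behaviour described in the two paragraphs above, added here as an example and not code from X-Labs or Forcepoint: it scores telemetry events against the staging directory, mutex names, encrypted-file extension and log marker the write-up names. The event dict format, the weights and the alert threshold are assumptions; the two Local\Zones* mutexes are also created by ordinary Windows components that use urlmon, so they are weighted low.

```python
from collections import Counter
# Indicator values taken from the write-up above; all matching is case-insensitive.
STAGING_DIR = r"c:\thedream"
STAGED_FILES = {"rootdesign.exe", "uninstall.exe", "uninstall.ini"}
ENCRYPTED_EXT = ".shadowroot"
LOG_MARKER = "approveexit.dot"
# Weights are an assumption. The two Local\Zones* mutexes are also created by ordinary
# Windows components that use urlmon, so alone they are weak; the rest are campaign-specific.
MUTEX_WEIGHT = {r"local\zonescachecountermutex": 1, r"local\zoneslockedcachecountermutex": 1,
                "_shuassist.mtx": 3}
STRONG = 3
ALERT_THRESHOLD = 6  # assumed: one weak mutex alone must not fire, two strong signals should

def match_event(ev: dict) -> dict:
    """Return {indicator_name: weight} for one telemetry event (constructed dict format)."""
    hits, kind = {}, ev.get("type")
    if kind == "process":
        image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
        if image == STAGING_DIR + r"\rootdesign.exe" and parent.endswith("powershell.exe"):
            hits["powershell_launches_rootdesign"] = STRONG
    elif kind == "mutex":
        name = ev.get("name", "").lower()
        if name in MUTEX_WEIGHT:
            hits["mutex:" + name] = MUTEX_WEIGHT[name]
    elif kind == "file":
        path = ev.get("path", "").lower()
        if path.endswith(ENCRYPTED_EXT):
            hits["shadowroot_extension"] = STRONG
        if path == STAGING_DIR + r"\log.txt" and LOG_MARKER in ev.get("content", "").lower():
            hits["approveexit_log_marker"] = STRONG
        elif path.startswith(STAGING_DIR + "\\") and path.rsplit("\\", 1)[-1] in STAGED_FILES:
            hits["payload_dropped_in_staging_dir"] = 2
    return hits

def score_host(events: list) -> tuple:  # returns (total score, per-indicator tally)
    tally = Counter()
    for ev in events:
        for name, weight in match_event(ev).items():
            tally[name] += weight
    return sum(tally.values()), tally

SAMPLE_EVENTS = [  # constructed, modelled on the behaviour the write-up describes
    {"type": "file", "path": r"C:\TheDream\RootDesign.exe"},
    {"type": "process", "image": r"C:\TheDream\RootDesign.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "mutex", "name": r"Local\ZonesCacheCounterMutex"},
    {"type": "mutex", "name": "_SHuassist.mtx"},
    {"type": "file", "path": r"C:\Users\ayse\Documents\fatura.xlsx.ShadowRoot"},
    {"type": "file", "path": r"C:\TheDream\log.txt", "content": "ApproveExit.dot"},
]
score, tally = score_host(SAMPLE_EVENTS)  # score is 15 for the constructed sample
```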
The ransomware displays ransom notes in Turkish, demands cryptocurrency payments through an email-based contact mechanism, and exfiltrates system information to a command-and-control server via SMTP on smtp[.]mail[.]ru, port 587, utilizing a compromised email account. Despite the elaborate encryption techniques, the ransomware operator appears to be a novice attacker targeting Turkish businesses with a relatively straightforward campaign.
The use of malicious PDF invoices with embedded links, the download of a Delphi payload, and the execution of a Confuser-obfuscated .NET binary all indicate limited capabilities and potential inexperience on the part of the threat actor. Malware distribution via email is being carried out using email addresses such as Kurumsal[.]tasilat[@]internet[.]ru, ran_master_som[@]proton[.]me, and lasmuruk[@]mailfence[.]com. The malware payload, with hashes CD8FBF0DCDD429C06C80B124CAF574334504E99A and 1C9629AEB0E6DBE48F9965D87C64A7B8750BBF93, is hosted on hxxps://raw[.]githubusercontent[.]com/kurumsaltahsilat/detayfatura/main/PDF.FaturaDetay_202407.exe.
In conclusion, this ransomware campaign poses a significant threat to Turkish businesses, especially those in sectors such as healthcare and e-commerce. The use of sophisticated encryption techniques and communication with a Russian SMTP server highlights the evolving tactics of cybercriminals. It is imperative for organizations to enhance their cybersecurity measures and remain vigilant against such malicious activities to protect their sensitive data and systems from exploitation.