[Cyware] ShadowRoot Ransomware Targets Turkish Businesses

Summary: Forcepoint X-Labs has discovered a new ransomware strain called “ShadowRoot” that specifically targets Turkish businesses. The attack starts with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.

Threat Actor: ShadowRoot ransomware
Victim: Turkish businesses

Key Points:

  • The attack begins with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.
  • The PDF attachments contain a malicious link that triggers the download of an executable file hosted on a compromised GitHub repository.
  • The downloaded payload is a Delphi binary that drops additional components to obfuscate its activities and evade security measures.
  • The primary ransomware payload, “RootDesign.exe,” encrypts files across the victim’s system and appends the “.shadowroot” extension to each compromised file.
  • Victims are presented with a ransom note after their files are encrypted.

Forcepoint X-Labs, a leading cybersecurity research team, has unveiled a new ransomware strain dubbed “ShadowRoot” specifically targeting Turkish businesses. The attack begins with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.

The attack commences with the delivery of seemingly legitimate invoices as PDF attachments via email. Embedded within these PDFs is a malicious link that, upon user interaction, triggers the download of an executable file hosted on a compromised GitHub repository.

The downloaded payload is a Delphi binary engineered to drop additional components designed to obfuscate its activities and evade conventional security measures. These components culminate in the deployment of the primary ransomware payload, “RootDesign.exe,” which systematically encrypts files across the victim’s system, appending the “.shadowroot” extension to each compromised file. Victims are subsequently presented with a ransom note in Turkish, directing them to initiate contact with the threat actors via email for further instructions regarding ransom payment and decryption.

The ransomware establishes an SMTP command and control (C2) connection to smtp[.]mail[.]ru on port 587, sending details to suspicious email accounts associated with “kurumsal[.]tasilat@internet[.]ru”.
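The chain described above gives defenders two host-observable behaviours: one process bulk-renaming files so that they end in “.shadowroot”, followed by an outbound SMTP session to smtp.mail.ru on TCP/587 from a process that is not a mail client. The Python below is an added example, not code from Forcepoint X-Labs or Cyware; it turns those two behaviours into hunt rules and runs them over constructed telemetry. The JSON-per-line log format, the burst threshold and window, and the mail-client allow-list are assumptions of the example, and every log line is made up.

```python
"""Hunt for ShadowRoot-style activity in constructed endpoint telemetry.

Two behaviours from the write-up are encoded as detections:
  1. one process renaming/creating a burst of files ending in ".shadowroot"
  2. an outbound connection to smtp.mail.ru on TCP/587 from a process that
     is not a known mail client (the ransomware's SMTP C2 channel)
The telemetry format (one JSON object per line) is an assumption of this example.
"""
import json
from collections import defaultdict

# Indicators taken from the write-up (defanging brackets removed for matching)
RANSOM_EXTENSION = ".shadowroot"
C2_SMTP_HOST = "smtp.mail.ru"
C2_SMTP_PORT = 587

# Tuning values and allow-list are assumptions of this example; adjust per environment
FILE_BURST_THRESHOLD = 5      # files touched by one process ...
FILE_BURST_WINDOW_SEC = 60    # ... within this many seconds
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry (not real data); paths and timestamps are invented
SAMPLE_LOG = r"""
{"ts": 1000, "event": "file_rename", "pid": 4120, "image": "RootDesign.exe", "path": "C:\\Users\\ayse\\Documents\\fatura.xlsx.shadowroot"}
{"ts": 1001, "event": "file_rename", "pid": 4120, "image": "RootDesign.exe", "path": "C:\\Users\\ayse\\Documents\\teklif.docx.shadowroot"}
{"ts": 1002, "event": "file_rename", "pid": 4120, "image": "RootDesign.exe", "path": "C:\\Users\\ayse\\Documents\\butce.xlsx.shadowroot"}
{"ts": 1003, "event": "file_rename", "pid": 4120, "image": "RootDesign.exe", "path": "C:\\Users\\ayse\\Pictures\\logo.png.shadowroot"}
{"ts": 1004, "event": "file_rename", "pid": 4120, "image": "RootDesign.exe", "path": "C:\\Users\\ayse\\Desktop\\rapor.pdf.shadowroot"}
{"ts": 1005, "event": "net_connect", "pid": 4120, "image": "RootDesign.exe", "dst_host": "smtp.mail.ru", "dst_port": 587}
{"ts": 1010, "event": "net_connect", "pid": 800, "image": "outlook.exe", "dst_host": "smtp.mail.ru", "dst_port": 587}
{"ts": 1020, "event": "file_rename", "pid": 2222, "image": "explorer.exe", "path": "C:\\Users\\ayse\\Desktop\\notes.txt"}
{"ts": 2000, "event": "file_rename", "pid": 2222, "image": "explorer.exe", "path": "C:\\Users\\ayse\\Desktop\\old.shadowroot"}
not-json garbage line that a real collector might emit
"""


def parse_events(text):
    """Parse JSON-per-line telemetry, skipping malformed lines, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole hunt
    return sorted(events, key=lambda e: e["ts"])


def detect_encryption_burst(events):
    """Alert when one process touches >= threshold '.shadowroot' files inside the window."""
    per_proc = defaultdict(list)
    for e in events:
        if e.get("event") in ("file_rename", "file_create") and \
                e.get("path", "").lower().endswith(RANSOM_EXTENSION):
            per_proc[(e["pid"], e["image"])].append(e["ts"])
    alerts = []
    for (pid, image), stamps in per_proc.items():
        stamps.sort()
        start = 0
        # sliding window over timestamps: fire once per process on the first qualifying window
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > FILE_BURST_WINDOW_SEC:
                start += 1
            if end - start + 1 >= FILE_BURST_THRESHOLD:
                alerts.append({"rule": "shadowroot_encryption_burst", "pid": pid,
                               "image": image, "count": len(stamps)})
                break
    return alerts


def detect_smtp_c2(events):
    """Alert on SMTP to the reported C2 host/port from anything not in the mail-client allow-list."""
    alerts = []
    for e in events:
        if e.get("event") != "net_connect":
            continue
        if e.get("dst_host", "").lower() == C2_SMTP_HOST and e.get("dst_port") == C2_SMTP_PORT \
                and e.get("image", "").lower() not in MAIL_CLIENT_ALLOWLIST:
            alerts.append({"rule": "shadowroot_smtp_c2", "pid": e["pid"], "image": e["image"],
                           "dst": f"{C2_SMTP_HOST}:{C2_SMTP_PORT}"})
    return alerts


def hunt(text):
    """Run both detections over raw telemetry text and return the combined alert list."""
    events = parse_events(text)
    return detect_encryption_burst(events) + detect_smtp_c2(events)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Two design points are worth noting. The burst rule keys on process identity rather than on the extension alone, so a single user-initiated rename of a stray “.shadowroot” file (the explorer.exe line) stays quiet while the bulk rename from one image fires once. The C2 rule allow-lists legitimate mail clients because smtp.mail.ru:587 is an ordinary mail submission endpoint; the signal is the unexpected process, not the destination by itself, so in production the allow-list should be derived from the environment's actual mail software.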

ShadowRoot appears to be a relatively rudimentary ransomware variant, likely the product of an inexperienced developer. Despite its basic functionality, the ransomware effectively targets Turkish businesses by exploiting fake PDF invoices to lure victims into downloading malicious payloads. The encryption of files with the “.shadowroot” extension and connection to a Russian SMTP server indicate a targeted and somewhat sophisticated approach.

The Forcepoint X-Labs Research Team urges businesses to remain vigilant and employ robust email security measures to mitigate the risk of such ransomware attacks. As cyber threats continue to evolve, maintaining up-to-date security protocols and educating employees about phishing tactics are essential steps in safeguarding against potential breaches.

Source: https://securityonline.info/shadowroot-ransomware-targets-turkish-businesses
