ShadowRoot Ransomware Targeting Turkish Businesses

July 15, 2024, 3:54 p.m.

Description

An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack begins with a malicious PDF attachment delivered by email; the PDF contains a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with .NET Confuser. The malware recursively encrypts files, appending the .shadowroot extension, and communicates with a Russian SMTP server. Although the malware implements only basic functionality, the campaign appears to be the work of an inexperienced actor aiming to extort victims through ransom demands.

Date

Published: July 15, 2024, 3:25 p.m.

Created: July 15, 2024, 3:25 p.m.

Modified: July 15, 2024, 3:54 p.m.

Indicators

ran_master_som@proton.me

lasmuruk@mailfence.com

kurumsal.tasilat@internet.ru

Attack Patterns

ShadowRoot

T1085

T1064

T1105

T1496

T1055

T1192

T1204

T1485

T1059

Additional Information

Türkiye