ShadowRoot Ransomware Targeting Turkish Businesses
July 15, 2024, 3:54 p.m.
Description
An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack begins with a malicious PDF attachment delivered by email; the PDF contains a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with the dotnet confuser tool. The malware recursively encrypts files, appending the .shadowroot extension to each encrypted file, and communicates with a Russian SMTP server. Although it is functional, the campaign appears to be the work of an inexperienced actor seeking to extort victims through ransom demands.
Date
Published: July 15, 2024, 3:25 p.m.
Created: July 15, 2024, 3:25 p.m.
Modified: July 15, 2024, 3:54 p.m.
Indicators
ran_master_som@proton.me
lasmuruk@mailfence.com
kurumsal.tasilat@internet.ru
Attack Patterns
ShadowRoot
T1085
T1064
T1105
T1496
T1055
T1192
T1204
T1485
T1059
Additional Information
Türkiye