ShadowRoot Ransomware Targeting Turkish Businesses

July 15, 2024, 3:54 p.m.

Description

An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack commences with a malicious PDF attachment delivered via email, containing a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with dotnet confuser. The malware recursively encrypts files with the .shadowroot extension and communicates with a Russian SMTP server. While exhibiting fundamental functionality, this campaign appears to be the work of an inexperienced actor aiming to extort victims through ransom demands.

External References

https://www.forcepoint.com/blog/x-labs/shadowroot-ransomware-targeting-turkish-businesses
https://otx.alienvault.com/pulse/66953f54e05804948ee2cc54
Tags
ransomware
2024-07-15
türkiye

Date

  • Created: July 15, 2024, 3:25 p.m.
  • Published: July 15, 2024, 3:25 p.m.
  • Modified: July 15, 2024, 3:54 p.m.

Indicators

  • ran_master_som@proton.me
  • lasmuruk@mailfence.com
  • kurumsal.tasilat@internet.ru
Download all indicators here!

Attack Patterns

  • ShadowRoot

Additional Informations

  • Türkiye