X-Labs research has identified a new ransomware family targeting Turkish businesses. The attack vector is a phishing email carrying a malicious PDF attachment, sent from the internet.ru domain.
Embedded links within the PDF redirect users to a compromised GitHub account to download an executable payload, which encrypts files with the “.shadowroot” extension upon execution.
The 32-bit Borland Delphi 4.0 executable deploys secondary payloads upon execution: the executables RootDesign.exe and Uninstall.exe together with a configuration file named Uninstall.ini, all dropped into the “C:\TheDream” directory.
The PDF.FaturaDetay_202407.exe file employs an open-source .NET obfuscator to mask its malicious behavior and uses randomly generated class and function names with special characters to evade detection.
The executable drops its payload and uses PowerShell to launch RootDesign.exe in stealth mode, a common tactic malware authors use to bypass security applications.
RootDesign.exe is launched from the “C:\TheDream” directory by a PowerShell script whose window is hidden from view.
The script operates in the background and creates three mutexes: “Local\ZonesCacheCounterMutex”, “Local\ZonesLockedCacheCounterMutex”, and “_SHuassist.mtx” for potential inter-process synchronization or resource locking.
The dropped file spawns recursive child processes with unique process IDs, consuming increasing memory resources. Simultaneously, it encrypts various non-privileged system and office files, renaming them with the “.ShadowRoot” extension.
Concurrently, the file logs thread activities to “C:\TheDream\log.txt” by appending “ApproveExit.dot” to each new line, providing a record of its actions. Additionally, it drops a “readme.txt” file.
According to Forcepoint, a ransomware attack targeting Turkish systems has been observed, deploying Turkish-language ransom notes and encrypting files with an AesCryptoServiceProvider-based algorithm.
The malware, RootDesign.exe, exhibits recursive behavior, repeatedly encrypting files, multiplying file copies, and appending extensions, leading to performance degradation.
While the ransom note demands payment in cryptocurrency, no direct wallet details are provided, requiring victims to contact the attackers for further instructions.
The malware establishes its command-and-control (C2) channel over the Simple Mail Transfer Protocol (SMTP) on port 587 to the external server smtp[.]mail[.]ru.
For execution, the threat actor relies on the .NET framework and PowerShell scripting, which suggests an ability to operate across multiple platforms.
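As an added example that is not part of the X-Labs report, the following Python triage logic scores Sysmon-style process, file and network events against the artifacts described above: the C:\TheDream drop directory, RootDesign.exe and Uninstall.exe launched from PowerShell, the .ShadowRoot extension, and the SMTP connection to smtp.mail.ru on port 587. The event records are constructed for this example; field names follow Sysmon's, and the alert threshold is an assumption.

```python
import re
from collections import Counter

# Constructed Sysmon-style events (not real telemetry): EventID 1 = process
# create, 11 = file create, 3 = network connect. Field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\TheDream\RootDesign.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 11, "TargetFilename": r"C:\TheDream\log.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Users\ali\Documents\fatura.xlsx.ShadowRoot"},
    {"EventID": 11, "TargetFilename": r"C:\Users\ali\Documents\rapor.docx.shadowroot"},
    {"EventID": 3, "DestinationHostname": "smtp.mail.ru", "DestinationPort": 587},
    {"EventID": 11, "TargetFilename": r"C:\Users\ali\Documents\notes.txt"},  # benign
]

DROP_DIR = re.compile(r"^c:\\thedream\\", re.IGNORECASE)
DROPPED_BINARIES = {"rootdesign.exe", "uninstall.exe"}
# The report shows both ".shadowroot" and ".ShadowRoot", so match case-insensitively.
ENCRYPTED_EXT = re.compile(r"\.shadowroot$", re.IGNORECASE)

def match_event(ev):
    """Return the names of the ShadowRoot indicators one event matches (possibly none)."""
    hits = []
    if ev.get("EventID") == 1:
        image = ev.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if DROP_DIR.match(image) and name in DROPPED_BINARIES:
            hits.append("dropped_binary_executed")
            if "powershell" in ev.get("ParentImage", "").lower():
                hits.append("launched_via_powershell")
    elif ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        if ENCRYPTED_EXT.search(target):
            hits.append("shadowroot_extension")
        if DROP_DIR.match(target):
            hits.append("write_in_drop_dir")
    elif ev.get("EventID") == 3:
        if (ev.get("DestinationHostname", "").lower() == "smtp.mail.ru"
                and ev.get("DestinationPort") == 587):
            hits.append("smtp_c2_mail_ru_587")
    return hits

def triage(events, min_distinct=2):
    """Count indicator hits across one host's events and raise an alert only when
    at least min_distinct different indicators fire (assumed threshold), so a lone
    legitimate SMTP session or a single odd file name does not trip it by itself."""
    counts = Counter(h for ev in events for h in match_event(ev))
    return {"hits": dict(counts), "alert": len(counts) >= min_distinct}
```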