Shadowroot Ransomware Lures Turkish Victims via Phishing Attacks

July 16, 2024 at 12:05PM

The “ShadowRoot” ransomware strain targets Turkish businesses through phishing emails carrying a PDF disguised as an invoice, with malicious links embedded in the document. Clicking a link downloads a malicious executable that drops further payloads, encrypts files, and drives up memory consumption by repeatedly spawning copies of itself. The researchers recommend user awareness training and blocking the specific sender addresses used in the campaign.

Key takeaways:

– A new ransomware strain called “ShadowRoot” is targeting Turkish businesses through phishing attacks.

– The phishing emails contain a PDF attachment disguised as an invoice with embedded malicious links, leading to a download of a RootDesign.exe file hosted on a compromised GitHub account.

– Upon analysis by Forcepoint researchers, RootDesign.exe was identified as a Delphi binary that drops additional payloads: “C:\TheDream\RootDesign.exe”, “C:\TheDream\Uninstall.exe” and “C:\TheDream\Uninstall.ini”.

– The ransomware recursively creates new instances of its own process, which drives memory consumption up, and drops multiple encrypted files at the root of the drive.

– According to the researchers, the ransomware appears to be “rudimentary” and likely the work of an inexperienced developer.

– For defense, it is recommended to prioritize user awareness and to block specific email addresses associated with the Shadowroot threat actors:
– Kurumsal[.]tasilat[@]internet[.]ru
– ran_master_som[@]proton[.]me
– lasmuruk[@]mailfence[.]com
