A ransomware strain coined “ShadowRoot” has been found targeting Turkish businesses through phishing attacks.
The phishing emails contain a PDF attachment disguised as an invoice with embedded malicious links. Upon user interaction, this triggers a download of a RootDesign.exe file hosted on a compromised GitHub account.
The downloaded file is a Delphi binary and, according to researchers at Forcepoint who analyzed the exe, it drops further payloads: “C:TheDreamRootDesign.exe,” “C:TheDreamUninstall.exe” and “C:TheDreamUninstall.ini”.
“We have observed recursive self-process creation by RootDesign.exe, which causes the files to get encrypted multiple times, resulting in higher memory consumption,” the researchers said. “It also drops many copies of encrypted files on the root.”
They add that the ransomware appears “rudimentary” and likely the work belonging to an inexperienced developer.
In addition to user awareness for defense, the researchers recommend blocking the following email addresses to prevent being targeted by the Shadowroot threat actors:
-
Kurumsal[.]tasilat[@]internet[.]ru
-
ran_master_som[@]proton[.]me
-
lasmuruk[@]mailfence[.]com
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt244b5464f189bebb/669689c8eb4f37209235d560/turkey(1800)_imageBROKER.com_GmbH_&_Co._KG_alamy.jpg?disable=upscale&width=1200&height=630&fit=crop
