Our X-Labs team’s research seems to have discovered and identified basic ransomware targeting Turkish businesses. The attack vector initiates through a PDF attachment disseminated via suspicious emails originating from the "internet[.]ru" domain. The embedded links within the PDF facilitate the download of a subsequent stage exe payload upon user interaction. It encrypts files with “.shadowroot” extension.  Currently, ransomware is actively targeting numerous businesses worldwide, including those in the healthcare and online shopping sectors.

Initial Access:

This pdf contains a URL link, which downloads further exe payload from a compromised GitHub account.

hxxps://raw[.]githubusercontent[.]com/kurumsaltahsilat/detayfatura/main/PDF.FaturaDetay_202407.exe

Execution of stage payloads:

The download file is a 32 bit Borland Delphi 4.0 compiled binary. While analyzing exe, it is observed that it drops further payload in “C:\TheDream\RootDesign.exe”, “C:\TheDream\Uninstall.exe” and “C:\TheDream\Uninstall.ini”.

Dropped second stage rootdesign.exe is protected with dotnet confuser core ver 1.6.

We can see classes with random names having special characters and all function names are obfuscated. It is mostly preferred by malware authors to bypass traditional detection techniques of security applications and it is an open-source protector for .NET applications.

PDF.FaturaDetay_202407.exe after dropping payload it initiates PowerShell to run another hidden PowerShell command to execute RootDesign.exe in hidden mode.

Command:

“”C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe”

Created mutants/mutex:

Local\ZonesCacheCounterMutex

Local\ZonesLockedCacheCounterMutex

_SHuassist.mtx

This dropped file then creates its recursive threads of itself in memory with new PIDs and starts performing encryption.

It logs its every thread activity on root “C:\TheDream\log.txt” by adding a new line comment “ApproveExit.dot”. Its recursive threads also increase memory consumption.

After this it will start performing, encrypting various system-critical non-pe and office files and renaming those files with “.ShadowRoot” extension, dropping readme.txt.

Readme.txt shows ransom notes in Turkish and encrypted files are dropped on desktop.

There is no direct crypto wallet ID info mentioned, but it is asking victims via readme to contact via the provided email address for further payment processing via crypto wallet and decryption tools.

We have observed recursive self-process creation by RootDesign.exe, which causes the files to get encrypted multiple times, resulting in higher memory consumption. It also drops many copies of encrypted files on the root. As highlighted in the screenshot the file extensions are also appended multiple times. 
Standard AESCryptoServiceProvider .Net class is observed in the code. 

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.