SOC Incident Toolkit
ShadowRoot Campaign: The Dark Wave of Cyber Attacks on Turkey's Business Sector


Tags: ShadowRoot, Turkish Businesses, Phishing

The ShadowRoot ransomware campaign targets Turkish organisations with phishing emails, sent from a Russian domain, that carry a PDF attachment disguised as an invoice. The PDF links to an executable hosted in a compromised GitHub repository; that file is a Delphi-compiled binary which conceals the actual ransomware payload, "RootDesign.exe". RootDesign.exe encrypts the victim's files, appending the ".ShadowRoot" extension, sends victim information to a Russian SMTP mail server, and makes its ransom demand over email.

Indicators of Compromise

Hashes (2, SHA-1)

cd8fbf0dcdd429c06c80b124caf574334504e99a
1c9629aeb0e6dbe48f9965d87c64a7b8750bbf93
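A small hunt script for these indicators, added here as an example and not part of the original toolkit page: it walks a directory tree, streams every file through SHA-1 and compares the digest with the two hashes above, and separately flags files that already carry the ".ShadowRoot" extension the ransomware appends (a sign the payload has run on that host). The sample tree, its filenames and the extra "hello" hash registered for the offline demonstration are constructed; the page supplies only the two SHA-1 values.

```python
"""Added example (not from the original page): hunt a directory for the two
ShadowRoot SHA-1 indicators and for files renamed with the ".ShadowRoot"
extension. The demo tree, its filenames and the extra demo hash are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 indicators from the IOC list on this page.
SHADOWROOT_SHA1 = {
    "cd8fbf0dcdd429c06c80b124caf574334504e99a",
    "1c9629aeb0e6dbe48f9965d87c64a7b8750bbf93",
}
ENCRYPTED_EXT = ".shadowroot"  # compared case-insensitively


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files are never fully loaded."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, iocs=SHADOWROOT_SHA1):
    """Walk `root` and return (hash_matches, encrypted_files), both sorted.

    hash_matches: files whose SHA-1 is in `iocs` (the dropper/payload itself).
    encrypted_files: files already renamed with the .ShadowRoot extension.
    """
    hash_matches, encrypted_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.suffix.lower() == ENCRYPTED_EXT:
                    encrypted_files.append(str(path))
                if sha1_of_file(path) in iocs:
                    hash_matches.append(str(path))
            except OSError:
                continue  # unreadable or locked file: skip it, keep scanning
    return sorted(hash_matches), sorted(encrypted_files)


def demo():
    """Constructed sample tree: a benign file, an 'encrypted' file, and a file
    whose hash is registered as an IOC only for this offline demonstration."""
    root = tempfile.mkdtemp(prefix="shadowroot_demo_")
    (Path(root) / "notes.txt").write_bytes(b"quarterly figures")
    (Path(root) / "Fatura_2024.xlsx.ShadowRoot").write_bytes(b"\x00" * 64)
    dropper = Path(root) / "invoice.exe"  # hypothetical name, not from the page
    dropper.write_bytes(b"hello")
    # SHA-1("hello") stands in for a real IOC hash so the demo matches offline.
    demo_iocs = SHADOWROOT_SHA1 | {"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"}
    return hunt(root, demo_iocs)


if __name__ == "__main__":
    matches, encrypted = demo()
    print("hash matches:", matches)
    print("encrypted files:", encrypted)
```

Run it against a mounted image or a live file share by calling `hunt("/path/to/tree")` with the default IOC set; an extension hit without a hash hit usually means the dropper has already been deleted and the host should be isolated rather than just cleaned.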

Notes

Conclusion

The ShadowRoot ransomware campaign targets Turkish businesses with deceptive PDF invoices that prompt the recipient to click a link. The click downloads a Delphi-compiled loader, which then deploys a Confuser-protected .NET binary that carries out the malicious activity. The ransomware encrypts files, appending the ".ShadowRoot" extension, and connects to a Russian SMTP mail server. The campaign is rudimentary: its functionality is basic but effective, which suggests an inexperienced developer.

Mitigation

MITRE ATT&CK Matrix Mapping:

Initial Access
    T1566.001 - Phishing: Spearphishing Attachment
    T1203 - Exploitation for Client Execution
Execution
    T1204.002 - User Execution: Malicious File (the recipient launches the executable fetched from the GitHub link in the PDF)
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1059 - Command and Scripting Interpreter (the original mapping listed T1064 Scripting, which ATT&CK has deprecated and merged into T1059)
Persistence
    T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1078 - Valid Accounts
Privilege Escalation
    T1068 - Exploitation for Privilege Escalation
Defense Evasion
    T1562.001 - Impair Defenses: Disable or Modify Tools
    T1027 - Obfuscated Files or Information (the .NET payload is Confuser-protected)
Credential Access
    T1003 - OS Credential Dumping
Discovery
    T1083 - File and Directory Discovery
    T1012 - Query Registry
Lateral Movement
    T1550.002 - Use Alternate Authentication Material: Pass the Hash (the original mapping listed T1075, which ATT&CK has deprecated in favour of T1550.002)
Collection
    T1114 - Email Collection
Command and Control
    T1105 - Ingress Tool Transfer (the Delphi loader is downloaded from a GitHub repository)
    T1071.003 - Application Layer Protocol: Mail Protocols (the payload reports to a Russian SMTP server; the original mapping listed T1071.001 Web Protocols, which the analysis does not describe)
Exfiltration
    T1041 - Exfiltration Over C2 Channel
Impact
    T1486 - Data Encrypted for Impact (files are encrypted and renamed with the ".ShadowRoot" extension)

The phishing, user execution, obfuscation, SMTP reporting and encryption entries follow directly from the analysis above. The credential access, privilege escalation, lateral movement and collection entries are not described in it; confirm them against the samples before building detections on them.

Mitigation measures

- Implement multi-factor authentication (MFA) to protect system access and reduce the risk of unauthorised entry with phished or stolen credentials.
- Regularly update and patch systems so that vulnerabilities an attacker could exploit are closed.
- Train employees to recognise and report phishing, in particular unexpected invoice PDFs whose link leads to an executable download rather than a document.
- Deploy endpoint protection that detects and blocks malware and ransomware, and hunt for the hashes and the ".ShadowRoot" extension listed under Indicators of Compromise.
- Restrict outbound SMTP (TCP 25, 465 and 587) to the organisation's mail relay so that endpoints cannot reach external mail servers directly; this cuts the channel the payload uses to report to its Russian SMTP server.
- Segment the network to limit how far the malware can spread once a host is compromised.
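A detection for the SMTP reporting channel described in the summary and conclusion, added here as an example and not part of the original page or of any vendor tooling: it reads Zeek-style conn.log records and flags any internal host other than the sanctioned mail relay that opens a TCP session to an external address on an SMTP port, or that Zeek labelled as SMTP on any port. The log lines, the internal addressing and the relay address 10.0.0.25 are constructed for the demonstration; the page does not name the attacker's SMTP server, so no destination is hard-coded.

```python
"""Added example (not from the original page): flag endpoint-originated SMTP
sessions to external mail servers, the channel ShadowRoot uses to report in.
Log lines are constructed, Zeek conn.log style (tab-separated: ts, uid,
id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service)."""
import ipaddress

SMTP_PORTS = {25, 465, 587}

# Hypothetical sanctioned outbound relay: the only host allowed to speak SMTP
# to the internet. Any other internal host doing so is an exfil/C2 candidate.
ALLOWED_RELAYS = {"10.0.0.25"}

# Explicit RFC 1918 check. Python's ip_address(...).is_private also returns
# True for the documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in
# the sample below, which would hide external destinations, so avoid it here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_CONN_LOG = """\
1721032001.10\tCabcd1\t10.0.0.25\t41022\t203.0.113.10\t25\ttcp\tsmtp
1721032002.20\tCabcd2\t10.0.5.17\t52814\t198.51.100.7\t587\ttcp\tsmtp
1721032003.30\tCabcd3\t10.0.5.17\t52815\t198.51.100.7\t443\ttcp\tssl
1721032004.40\tCabcd4\t10.0.5.17\t52816\t10.0.0.25\t25\ttcp\tsmtp
1721032005.50\tCabcd5\t10.0.7.9\t60001\t198.51.100.8\t465\ttcp\t-
"""


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn(line):
    """Parse one conn.log record into a dict, or None for short/comment lines."""
    if not line or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        return None
    return {"ts": f[0], "uid": f[1], "src": f[2], "sport": int(f[3]),
            "dst": f[4], "dport": int(f[5]), "proto": f[6], "service": f[7]}


def suspicious_smtp(log_text, allowed_relays=ALLOWED_RELAYS):
    """Return records where a non-relay internal host talks SMTP to an
    external address. Matching on port OR service label keeps a session
    on a non-standard port that Zeek still identified as SMTP, and a
    session on 465 that Zeek could not dissect (service '-')."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        is_smtp = rec["dport"] in SMTP_PORTS or rec["service"] == "smtp"
        if not is_smtp:
            continue
        if (is_internal(rec["src"]) and not is_internal(rec["dst"])
                and rec["src"] not in allowed_relays):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in suspicious_smtp(SAMPLE_CONN_LOG):
        print(f"{rec['uid']}: {rec['src']} -> {rec['dst']}:{rec['dport']} "
              f"(service={rec['service']})")
```

On the sample data the relay's own session and the workstation-to-relay session are ignored, while the two direct sessions from workstations to external mail servers are returned; feed it a real conn.log and the allow-list of your actual relays, and pair any hit with the host-side hash and extension hunt.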