{
  "name": "ShadowRoot Ransomware Targeting Turkish Businesses",
  "slug": "shadowroot-ransomware-targeting-turkish-businesses",
  "description": "An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack begins with a malicious PDF attachment delivered via email; the PDF contains a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with dotnet confuser. The malware recursively encrypts files with the .shadowroot extension and communicates with a Russian SMTP server. Although its functionality is only basic, this campaign appears to be the work of an inexperienced actor aiming to extort victims through ransom demands.",
  "published": "2024-07-15T13:25:08+00:00",
  "created_at": "2024-07-15T13:25:08+00:00",
  "modified_at": "2024-07-15T13:54:57+00:00",
  "created_at_opencti": "2024-07-15T13:25:08+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-15",
    "ransomware",
    "t\u00fcrkiye"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "ran_master_som@proton.me"
      },
      {
        "id": "",
        "name": "lasmuruk@mailfence.com"
      },
      {
        "id": "",
        "name": "kurumsal.tasilat@internet.ru"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:daa37e995d319ccf",
        "name": "ShadowRoot",
        "slug": "shadowroot"
      }
    ],
    "attack_patterns": [
      {
        "id": "045efc1e-cfa0-4e6e-b4cb-0e6c8dae4f62",
        "name": "T1085"
      },
      {
        "id": "4d36ebe8-4925-419a-bdd5-73f6427a975d",
        "name": "T1064"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "804630c7-dda3-49df-9ac4-70bd1ad83e06",
        "name": "T1192"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "c1e3fabe-9e8b-4e8f-a1f8-bf23e234e770",
        "name": "T1485"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "T\u00fcrkiye"
      }
    ]
  },
  "external_refs": [
    "https://www.forcepoint.com/blog/x-labs/shadowroot-ransomware-targeting-turkish-businesses",
    "https://otx.alienvault.com/pulse/66953f54e05804948ee2cc54"
  ]
}