An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack begins with a malicious PDF attachment delivered by email; the PDF contains a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with Confuser (a .NET obfuscator). The malware recursively encrypts files, marking them with the .shadowroot extension, and communicates with a Russian SMTP server. Although its functionality is rudimentary, the campaign appears to be the work of an inexperienced actor seeking to extort victims through ransom demands.
Author: AlienVault
Related Tags:
T1085
T1064
ransomware
T1496
T1192
T1105
T1485
Türkiye
T1204
Associated Indicators:
CD8FBF0DCDD429C06C80B124CAF574334504E99A