A rudimentary ransomware is targeting Turkish businesses through phishing emails sent from “.ru” domain addresses. Clicking the link inside the PDF attachment downloads a malicious executable hosted on a compromised GitHub account. The executable encrypts important files and appends the “.shadowroot” extension. The campaign reflects a wider trend of ransomware operators using phishing emails to deliver their payloads, and it shows that this threat continues to affect industries worldwide.

[Figure: malicious URL from the PDF]

The analyzed executable is a malicious 32-bit Borland Delphi 4.0 binary. It drops several files, including RootDesign.exe and Uninstall.exe, which are likely components of the malware designed to gain a foothold on the system and carry out its malicious activity.
Source: GBHackers
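The indicators named above (a “.ru” sender domain with a PDF attachment, the dropped RootDesign.exe and Uninstall.exe components, and a burst of files gaining the “.shadowroot” extension) lend themselves to simple detection logic. The following Python is an added example written for this page, not code from the article or from GBHackers; the mail events, the file-event log format, and every path and address in it are constructed for illustration.

```python
"""Detection helpers for the indicators in the article (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass, field

# Indicators taken from the article text.
RANSOM_EXTENSION = ".shadowroot"
DROPPED_COMPONENTS = {"rootdesign.exe", "uninstall.exe"}
SUSPECT_SENDER_TLD = ".ru"


@dataclass
class MailEvent:
    """Minimal mail metadata record (constructed shape, not a real gateway schema)."""
    sender: str
    attachments: list = field(default_factory=list)


def flag_phishing_mail(event: MailEvent) -> bool:
    """True when the sender domain ends in .ru AND the message carries a PDF attachment.

    Both conditions together match the lure described in the article; either one
    alone is far too common to alert on.
    """
    domain = event.sender.rsplit("@", 1)[-1].lower()
    has_pdf = any(name.lower().endswith(".pdf") for name in event.attachments)
    return domain.endswith(SUSPECT_SENDER_TLD) and has_pdf


def parse_file_event(line: str):
    """Parse a constructed file-event line: '<ISO timestamp> <ACTION> <path>'.

    Returns (minute_bucket, action, path); the bucket is the timestamp cut to minutes.
    """
    timestamp, action, path = line.split(" ", 2)
    return timestamp[:16], action.upper(), path


def detect_ransomware_indicators(lines, burst_threshold: int = 3) -> dict:
    """Scan file-event lines for the two host-side indicators from the article.

    - a burst of CREATE/RENAME events producing .shadowroot files within one minute
    - creation of the dropped component names RootDesign.exe / Uninstall.exe
    """
    per_minute = Counter()
    dropped = set()
    for line in lines:
        bucket, action, path = parse_file_event(line)
        # Normalise Windows separators and compare on the bare file name.
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if action in ("CREATE", "RENAME") and name.endswith(RANSOM_EXTENSION):
            per_minute[bucket] += 1
        if action == "CREATE" and name in DROPPED_COMPONENTS:
            dropped.add(name)
    bursts = sorted(b for b, n in per_minute.items() if n >= burst_threshold)
    return {"bursts": bursts, "dropped_components": sorted(dropped)}


# Constructed sample input: one lure-like message, two benign ones.
SAMPLE_MAIL = [
    MailEvent("invoice@example.ru", ["fatura.pdf"]),
    MailEvent("hr@example.com", ["policy.pdf"]),
    MailEvent("news@example.ru", ["update.docx"]),
]

# Constructed sample file-event log: drop of the two components, then three
# documents renamed with the ransom extension inside the same minute.
SAMPLE_FS_LOG = [
    "2024-05-01T09:12:01 CREATE C:\\Users\\ali\\AppData\\Local\\Temp\\RootDesign.exe",
    "2024-05-01T09:12:02 CREATE C:\\Users\\ali\\AppData\\Local\\Temp\\Uninstall.exe",
    "2024-05-01T09:12:10 RENAME C:\\Users\\ali\\Documents\\q1.xlsx.shadowroot",
    "2024-05-01T09:12:11 RENAME C:\\Users\\ali\\Documents\\q2.xlsx.shadowroot",
    "2024-05-01T09:12:12 RENAME C:\\Users\\ali\\Documents\\notes.docx.shadowroot",
    "2024-05-01T09:13:40 CREATE C:\\Users\\ali\\Documents\\todo.txt",
]


def run_demo() -> dict:
    """Run both detectors over the constructed samples and return their results."""
    return {
        "mail_flags": [flag_phishing_mail(m) for m in SAMPLE_MAIL],
        "host": detect_ransomware_indicators(SAMPLE_FS_LOG),
    }


if __name__ == "__main__":
    print(run_demo())
```

The burst threshold is deliberately low for the constructed sample; in practice it should be tuned against the normal rename rate of the monitored share, and the extension match is the high-signal part, since legitimate software never writes “.shadowroot” files.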