Carding Forum
Healthcare and online commerce were the most affected by hackers.
The X-Labs research team, operating under the wing of ForcePoint, has discovered and identified a new type of ransomware targeting Turkish businesses.
The attack starts with a PDF attachment distributed through suspicious emails. The PDF file contains a link that downloads a further executable file from the compromised GitHub account.
The downloaded file is a 32-bit binary compiled with Borland Delphi 4.0. When run, it unpacks and drops additional files into the directory "C:\TheDream\", including "RootDesign.exe", "Uninstall.exe" and "Uninstall.ini". The secondary file "RootDesign.exe" is protected with .NET ConfuserEx (Confuser.Core version 1.6).
The file's classes and functions are obfuscated, which lets it evade traditional signature-based malware detection. Once unpacked, the malware runs a PowerShell command that launches "RootDesign.exe" in a hidden window.
The running file spawns many copies of itself in memory, which drives up system resource consumption. It encrypts critical system and office files and gives them the extension ".ShadowRoot". A log file "log.txt" is created in the root directory, recording every action the program takes.
Encrypted files are accompanied by a text file "readme.txt" containing ransom demands in Turkish. The text does not specify the details of the crypto wallet, but victims are invited to contact via the specified email address for further instructions on payment and decryption.
The malware targets Turkish companies, particularly targeting businesses in the healthcare and online retail sectors. Hackers use fake PDF invoices for distribution. The program uses simple encryption methods and has very basic functionality, so the researchers suggested that it was created by inexperienced attackers.
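The behaviour described above gives a defender a handful of host-based indicators to hunt for: the drop directory and its three files, the hidden PowerShell launch of RootDesign.exe, the ".ShadowRoot" extension, the "readme.txt" ransom note beside encrypted files, and "log.txt" in the drive root. The script below is an added example, not code from Forcepoint or from the original post; it scores a list of file-system and process events against those indicators. The event tuples and the field layout are constructed for the demonstration and are an assumption about how an EDR or Sysmon export would be shaped.

```python
"""Score file-system/process events against the ShadowRoot indicators
from the write-up. Added example; the event feed format is assumed and
the sample events below are constructed, not real telemetry."""
from collections import Counter
import ntpath  # handles Windows paths on any host OS

# Indicators taken from the write-up (compared case-insensitively)
DROP_DIR = r"c:\thedream"
DROPPED_FILES = {"rootdesign.exe", "uninstall.exe", "uninstall.ini"}
ENCRYPTED_EXT = ".shadowroot"
RANSOM_NOTE = "readme.txt"
ACTIVITY_LOG = "log.txt"

# Constructed sample events: (event_type, acting_process, target)
# For "process" events the target is the command line; otherwise a path.
SAMPLE_EVENTS = [
    ("create", "invoice.exe", r"C:\TheDream\RootDesign.exe"),
    ("create", "invoice.exe", r"C:\TheDream\Uninstall.exe"),
    ("create", "invoice.exe", r"C:\TheDream\Uninstall.ini"),
    ("process", "invoice.exe",
     r"powershell.exe -WindowStyle Hidden C:\TheDream\RootDesign.exe"),
    ("rename", "RootDesign.exe", r"C:\Users\ayse\Documents\fatura.xlsx.ShadowRoot"),
    ("rename", "RootDesign.exe", r"C:\Users\ayse\Documents\rapor.docx.ShadowRoot"),
    ("create", "RootDesign.exe", r"C:\Users\ayse\Documents\readme.txt"),
    ("create", "RootDesign.exe", r"C:\log.txt"),
    ("create", "explorer.exe", r"C:\Users\ayse\Documents\notes.txt"),  # benign
]


def _name(path):
    return ntpath.basename(path).lower()


def _folder(path):
    return ntpath.dirname(path).lower()


def analyze(events):
    """Return a dict of which indicators fired, plus a score and verdict."""
    dropped = set()
    hidden_ps = False
    encryptors = Counter()      # process -> number of .ShadowRoot writes
    encrypted_dirs = set()      # folders that received encrypted files
    note_dirs = set()           # folders that received readme.txt
    log_in_root = False

    for kind, proc, target in events:
        if kind == "process":
            cmd = target.lower()
            if "powershell" in cmd and "windowstyle hidden" in cmd \
                    and "rootdesign.exe" in cmd:
                hidden_ps = True
            continue
        name, folder = _name(target), _folder(target)
        if folder == DROP_DIR and name in DROPPED_FILES:
            dropped.add(name)
        elif name.endswith(ENCRYPTED_EXT):
            encryptors[proc] += 1
            encrypted_dirs.add(folder)
        elif name == RANSOM_NOTE:
            note_dirs.add(folder)
        elif name == ACTIVITY_LOG and folder.endswith(":\\"):
            log_in_root = True  # log.txt written to a drive root

    # A readme.txt only counts as a ransom note if it lands beside encrypted files
    ransom_note = bool(note_dirs & encrypted_dirs)
    indicators = {
        "dropped_files": sorted(dropped),
        "hidden_powershell": hidden_ps,
        "encrypted_files": sum(encryptors.values()),
        "encrypting_processes": sorted(p for p, n in encryptors.items() if n),
        "ransom_note": ransom_note,
        "activity_log": log_in_root,
    }
    score = sum([
        dropped == DROPPED_FILES,
        hidden_ps,
        indicators["encrypted_files"] > 0,
        ransom_note,
        log_in_root,
    ])
    indicators["score"] = score
    indicators["verdict"] = score >= 2  # two independent indicators is enough to page
    return indicators


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The verdict requires two independent indicators so that a single stray "readme.txt" does not page anyone, while the rename-to-".ShadowRoot" count and the acting process give the responder the one thing they need first: which process to kill and which directories to restore from backup.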
The incident serves as a reminder that even simple and seemingly unprofessional attacks can cause serious damage if the organization is not prepared for them. Regularly updating security systems, conducting information security training, and creating a culture of caution when dealing with email and suspicious attachments can significantly reduce the risk of successful ransomware attacks.
Source