
SynAck ransomware employs Doppelgänging technique

By Staff Writer, ITWeb
Johannesburg, 08 May 2018
The race between attackers and defenders is never-ending.

Researchers at security giant Kaspersky Lab have discovered a new variant of the SynAck ransomware Trojan that employs a Doppelgänging technique to bypass anti-virus measures by hiding itself in legitimate processes.

Process Doppelgänging is a code injection technique that abuses the Windows mechanism of NTFS transactions to create and conceal malicious processes, in an attempt to avoid detection by anti-virus solutions.

By manipulating how Windows handles file transactions, cyber criminals can disguise their activity as harmless, legitimate processes, even if the code they are using is known to be malicious. This technique leaves no real trail in its wake, making detection near impossible.

A first in the wild

According to the company, this is the first time the Doppelgänging technique has been seen in ransomware in the wild. The threat actors responsible for SynAck also use other tricks to avoid detection and analysis, such as obfuscating the executable code prior to compilation, rather than packing it like most other ransomware. This makes it harder for researchers to reverse-engineer and analyse.

Upon installation, it checks the directory its executable is launched from, and if it detects an attempt to launch it from an 'incorrect' directory, such as a potential automated sandbox, it exits. It also exits without executing if the victim PC has a keyboard layout set to Cyrillic script.

Finally, the researchers say, before encrypting files on a target device, SynAck checks the hashes of all running processes and services against its own hard-coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more - possibly to make it easier to seize valuable files that might otherwise be locked by the running processes.

SynAck was first discovered in the spring of 2017, and in December was seen to be targeting mostly English-speaking users with remote desktop protocol (RDP) brute-force attacks, followed by the manual download and installation of malware.

Kaspersky Lab believes attacks using this new tool are highly targeted. To date, they have noted a limited number of attacks in the US, Kuwait, Germany and Iran, with ransom demands of $3 000.

A never-ending race

Anton Ivanov, lead malware analyst at Kaspersky Lab, says the race between attackers and defenders in cyberspace is a never-ending one. "The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat, and one that has quickly been seized upon by attackers. Our research shows how the relatively low-profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild."

To keep devices safe from this scourge, Kaspersky Lab recommends several actions, including regularly backing up data, employing a reliable security solution with behaviour-based detection that is able to roll back malicious actions, and keeping software updated on all devices.

For businesses, the security company advises educating employees and IT teams, and keeping sensitive data separate with access restricted.

"If you are unlucky enough to fall victim to ransomware, don't panic. Use a clean system to check our No More Ransom site - you may well find a decryption tool that can help you get your files back," the company concludes.
