Researchers have identified a new variant of the SynAck ransomware that uses the recently disclosed Process Doppelgänging technique to slip past antivirus programs. Researchers said this is the first ransomware seen in the wild to employ the approach.
Both SynAck ransomware and Process Doppelgänging are relatively new. The latter was discovered by Ensilo researchers, who presented their research at the Black Hat Europe 2017 security conference in London in December. The technique is similar to the method known as Process Hollowing, in which adversaries replace the memory of a legitimate process with malicious code, thereby evading antivirus process-monitoring tools.
With Process Doppelgänging the result is the same; the attackers get there, however, by abusing Windows NTFS transactions and an outdated implementation of the Windows process loader. “The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” wrote Anton Ivanov, Fedor Sinitsyn and Orkhan Mamedov, security researchers with Kaspersky Lab, in a co-authored technical write-up posted Monday.
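The practical consequence for defenders is that Process Hollowing and Process Doppelgänging leave the same tell: the image actually mapped into the new process no longer matches the file on disk at the process's image path (hollowing rewrites the memory, doppelgänging maps a section from the transacted file and then rolls the transaction back so the on-disk file is untouched). Doppelgänging adds a second signal, NTFS transaction calls made by the launching process shortly before the process is created. The following detector is an added example, not code from the article or from the Kaspersky or Ensilo research; it runs over constructed telemetry, the event fields and the five-second correlation window are assumptions rather than any product's schema, and it goes beyond the text by flagging hollowing as well as doppelgänging.

```python
"""Toy detector for image-tampering process launches (hollowing, doppelgänging).

Added example over constructed telemetry; field names are assumptions, not an
EDR schema. A launch is flagged when the mapped image hash differs from the
on-disk file, when the image path does not exist on disk, or when the acting
process ran an NTFS transaction on the same path just before the launch.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Event:
    ts: int                   # seconds (monotonic clock, constructed)
    actor_pid: int            # process performing the action
    kind: str                 # "transaction" or "process_create"
    path: str                 # file or image path involved
    mapped_sha256: str = ""   # hash of the image actually mapped (process_create only)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "disk" contents: what a scanner reads at each image path.
DISK = {
    r"C:\Windows\System32\svchost.exe": b"MZ...legit svchost bytes...",
    r"C:\Windows\System32\notepad.exe": b"MZ...legit notepad bytes...",
}
DISK_HASHES = {p: sha256_hex(b) for p, b in DISK.items()}

TRANSACTION_WINDOW = 5  # seconds between a transaction call and the launch (assumption)


def detect(events: list[Event]) -> list[dict]:
    """Return one finding per suspicious process_create event, in time order."""
    findings = []
    recent_tx: dict = {}  # actor_pid -> list of transaction events seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "transaction":
            recent_tx.setdefault(ev.actor_pid, []).append(ev)
            continue
        if ev.kind != "process_create":
            continue
        reasons = []
        on_disk = DISK_HASHES.get(ev.path)
        if on_disk is None:
            reasons.append("image path does not exist on disk")
        elif on_disk != ev.mapped_sha256:
            reasons.append("mapped image differs from on-disk file")
        for tx in recent_tx.get(ev.actor_pid, []):
            delta = ev.ts - tx.ts
            if tx.path == ev.path and 0 <= delta <= TRANSACTION_WINDOW:
                reasons.append("NTFS transaction on image path %ds before launch" % delta)
                break
        if reasons:
            findings.append({"ts": ev.ts, "actor_pid": ev.actor_pid,
                             "path": ev.path, "reasons": reasons})
    return findings


# Constructed telemetry: one benign launch, one doppelgänging, one hollowing.
SAMPLE_EVENTS = [
    Event(100, 4321, "process_create", r"C:\Windows\System32\notepad.exe",
          DISK_HASHES[r"C:\Windows\System32\notepad.exe"]),
    # doppelgänging: transaction on svchost.exe, payload written inside it, then launch
    Event(200, 5555, "transaction", r"C:\Windows\System32\svchost.exe"),
    Event(202, 5555, "process_create", r"C:\Windows\System32\svchost.exe",
          sha256_hex(b"MZ...payload written inside the transaction...")),
    # hollowing: no transaction, but the mapped image still differs from disk
    Event(300, 6666, "process_create", r"C:\Windows\System32\notepad.exe",
          sha256_hex(b"MZ...injected code...")),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On a real endpoint the "mapped image" hash comes from the EDR's view of the process's main module and the transaction signal from API or ETW telemetry; the correlation key here is the launching process, since that is the process that opens the transaction and calls the loader.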
SynAck ransomware, meanwhile, first made a splash in September 2017 when cybercriminals used it in an effective campaign against open or badly secured RDP connections. More than 100 victims were infected in the short but destructive campaign.
Since then, SynAck has matured. The latest sample found by Kaspersky Lab has two noteworthy features added to avoid detection.
“First, [SynAck] checks if it’s installed in the right directory. If it’s not, it doesn’t run,” researchers noted. “Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing.” Both of these are attempts by the malware author to avoid running in an antivirus lab environment or on systems from a specific region, such as Russia, Serbia or Ukraine.
Beyond Process Doppelgänging, Kaspersky said the SynAck authors take a non-standard approach to hiding the trojan's code from antivirus software: rather than wrapping the executable in a custom PE packer, the usual way ransomware authors protect their original code, they obfuscate the code itself.
“The trojan executable is not packed; instead, it is thoroughly obfuscated prior to compilation. As a result, the task of reverse engineering is considerably more complicated with SynAck than it is with other recent ransomware strains,” researchers wrote.
The latest attacks are highly targeted, researchers say, with a limited number observed against targets in the U.S., Kuwait, Germany and Iran. Ransom demands can be as high as $3,000. Files are encrypted with AES-256 in ECB mode using a randomly generated key, and encrypted files are given randomly generated extensions.
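ECB mode is worth a second look during triage: it encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, and a file with repetitive content (zero-filled regions, a uniform image background) keeps that structure after encryption. Counting duplicate 16-byte blocks is a cheap way to confirm a sample's claimed mode against real encrypted files and to see how much structure ECB leaks compared with a chained mode. The script below is an added example, not from the article or Kaspersky's write-up; the file contents are constructed, and the block function is a hash-based stand-in for AES-256 so the example runs offline (it is deterministic per key and block, which is the only property the ECB analysis depends on, but it is not encryption).

```python
"""Duplicate-block check for ECB-mode ciphertext (added example, constructed data)."""
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes


def _block_cipher(key: bytes, block: bytes) -> bytes:
    # ASSUMPTION: stand-in for one AES-256 block encryption, not real AES.
    # Deterministic for a given (key, block), which is what ECB analysis relies on.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """Each block encrypted on its own: equal plaintext blocks -> equal ciphertext blocks."""
    p = pad(data)
    return b"".join(_block_cipher(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def encrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Chained mode for contrast: each block is XORed with the previous ciphertext block."""
    p = pad(data)
    out, prev = [], iv
    for i in range(0, len(p), BLOCK):
        prev = _block_cipher(key, bytes(a ^ b for a, b in zip(p[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def duplicate_block_ratio(ct: bytes) -> float:
    """Fraction of 16-byte blocks that repeat an earlier block (0.0 for random-looking data)."""
    usable = len(ct) - len(ct) % BLOCK
    blocks = [ct[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    dup = sum(c - 1 for c in Counter(blocks).values())
    return dup / len(blocks)


def looks_like_ecb(ct: bytes, threshold: float = 0.05) -> bool:
    """Heuristic: any noticeable block repetition in a large file points at ECB."""
    return duplicate_block_ratio(ct) >= threshold


# Constructed sample: a small header, a zero-filled region, a trailer.
SAMPLE_PLAINTEXT = b"header: invoice 2017" + b"\x00" * 4096 + b"trailer"
KEY = hashlib.sha256(b"constructed demo key").digest()  # 32 bytes, like an AES-256 key
IV = bytes(range(BLOCK))

if __name__ == "__main__":
    ecb = encrypt_ecb(KEY, SAMPLE_PLAINTEXT)
    cbc = encrypt_cbc(KEY, IV, SAMPLE_PLAINTEXT)
    print("ECB duplicate ratio: %.3f" % duplicate_block_ratio(ecb))
    print("CBC duplicate ratio: %.3f" % duplicate_block_ratio(cbc))
```

Run against a set of files recovered from an infected host, a high duplicate ratio on files that were structured before encryption corroborates the ECB claim; a ratio near zero on every file would be reason to doubt it.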
“The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers,” Ivanov said, in a statement. “Our research shows how the relatively low-profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability.”