Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. This is the first time the Doppelgänging technique has been seen in ransomware in the wild.

 

The developers behind SynAck also implement other tricks to evade detection and analysis: obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox.

 

The SynAck ransomware has been known since the autumn of 2017, and in December was observed targeting mainly English-speaking users with remote desktop protocol (RDP) brute-force attacks followed by the manual download and installation of malware. The new variant uncovered by Kaspersky Lab researchers implements a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.

 

Reported in December 2017, Process Doppelgänging involves a fileless code injection that takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code. Doppelgänging leaves no traceable evidence behind, making this type of intrusion extremely difficult to detect. This is the first time ransomware has been observed using this technique in-the-wild.

 

Other noteworthy features of the new variant of SynAck include:

  • The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code.
  • It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings.
  • Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.
  • The malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.
  • Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more  – possibly to make it easier to seize valuable files which might otherwise be tied up into the running processes.

 

Researchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the U.S., Kuwait, Germany, and Iran, with ransom demands of $3,000 USD.

 

The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers. Our research shows how the relatively low profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild,” said Anton Ivanov, Lead Malware Analyst, Kaspersky Lab

 

Kaspersky Lab detects this variant of the SynAck ransomware as:

 

Trojan-Ransom.Win32.Agent.abwa
Trojan-Ransom.Win32.Agent.abwb
PDM:Trojan.Win32.Generic

 

Kaspersky Lab recommends the following actions to keep users and devices safe from ransomware:

  • Back up data regularly.
  • Use a reliable security solution that is powered with behaviour detection and able
    to roll back malicious actions.
  • Always keep software updated on all the devices you use.
  • If you’re a business, you should also educate your employees and IT teams; and
    keep sensitive data separate with access restricted. Use dedicated security
    solution, such as Kaspersky Endpoint Security for Business.
  • If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean
    system to check our No More Ransom site; you may well find a decryption tool
    that can help you get your files back.

 

To learn more about the fake new variant of SynAck, read our blogpost on Securelist.com.


RECOMMENDED ARTICLE FOR TECHWORLD


 
Transcend® Offers a New Perspective with the DrivePro Body 60 Body Camera
Techworld Date Posted: 5 June 2018 10:44 AM | 256 Views
Transcend® Information, Inc. (Transcend®), a leading manufacturer of storage and multimedia products, proudly introduces the DrivePro Body 60 body camera. This state-of-the-art POV tethered camera is designed specifically for military and public safety professionals.... See More
 
Transcend® Offers a New Perspective with the DrivePro Body 60 Body Camera
Techworld Date Posted: 10:44 AM | 256 Views
Transcend® Information, Inc. (Transcend®), a leading manufacturer of storage and multimedia products, proudly introduces the DrivePro Body 60 body camera. This state-of-the-art POV tethered camera is designed specifically for military and public safety professionals...See More

 
Fortinet Reports Third Quarter 2018 Financial Results
Techworld Date Posted: 6 November 2018 4:07 PM | 140 Views
Fortinet® (Nasdaq: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, has announced financial results for the third quarter of 2018.. See More
 
Fortinet Reports Third Quarter 2018 Financial Results
Techworld Date Posted: 4:07 PM | 140 Views
Fortinet® (Nasdaq: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, has announced financial results for the third quarter of 2018.See More

 
HMD Global Raises USD 100 Million to Fuel Its Next Phase of Growth
Techworld Date Posted: 23 May 2018 11:19 AM | 227 Views
Finland based start-up, HMD Global, the home of Nokia phones, today announced that it has raised additional USD 100 million from multiple investors to scale business operations and fund the company’s growth in its.... See More
 
HMD Global Raises USD 100 Million to Fuel Its Next Phase of Growth
Techworld Date Posted: 11:19 AM | 227 Views
Finland based start-up, HMD Global, the home of Nokia phones, today announced that it has raised additional USD 100 million from multiple investors to scale business operations and fund the company’s growth in its...See More

 
Fortinet Reports Third Quarter 2017 Financial Results
Techworld Date Posted: 27 October 2017 5:15 PM | 287 Views
Fortinet® (NASDAQ: FTNT), a global leader in high-performance cyber security solutions, today announced financial results for the third quarter ended September 30, 2017.. See More
 
Fortinet Reports Third Quarter 2017 Financial Results
Techworld Date Posted: 5:15 PM | 287 Views
Fortinet® (NASDAQ: FTNT), a global leader in high-performance cyber security solutions, today announced financial results for the third quarter ended September 30, 2017.See More

PCBG Contributing Writer
Machine Learning AI vs Employee Vigilance
Techworld • By: PCBG Contributing Writer | Date Posted: 1 August 2017 9:43 AM | 453 Views
Here we are again. Man versus machine. On one corner, we have the machine capable of reading huge amounts of data in so little time, and on the other, an employee who knows nothing.... See More
PCBG Contributing Writer
Machine Learning AI vs Employee Vigilance
Techworld • By: PCBG Contributing Writer | Date Posted: 9:43 AM | 453 Views
Here we are again. Man versus machine. On one corner, we have the machine capable of reading huge amounts of data in so little time, and on the other, an employee who knows nothing...See More

PC Buyers Guide
Kaspersky Lab named a Champion in Canalys Leadership Matrix for APAC in Q1 2018
Techworld • By: PC Buyers Guide | Date Posted: 26 March 2018 4:16 PM | 366 Views
Kaspersky Lab has been positioned in the Champions quadrant of the Canalys Leadership Matrix for Asia Pacific in 2018. As a Champion, Kaspersky lab achieved the highest scores from its partners in 10 areas.... See More
PC Buyers Guide
Kaspersky Lab named a Champion in Canalys Leadership Matrix for APAC in Q1 2018
Techworld • By: PC Buyers Guide | Date Posted: 4:16 PM | 366 Views
Kaspersky Lab has been positioned in the Champions quadrant of the Canalys Leadership Matrix for Asia Pacific in 2018. As a Champion, Kaspersky lab achieved the highest scores from its partners in 10 areas...See More

 
Dreaming of #FindingParadise this summer? Power Mac Center gives you a chance to win a trip to El Nido!
Techworld Date Posted: 5 May 2018 3:55 PM | 267 Views
Summer days are made for adventure and fun and luckily for us, the Philippines has no shortage of beautiful places to discover. This summer, Power Mac Center (PMC) is giving you a chance to.... See More
 
Dreaming of #FindingParadise this summer? Power Mac Center gives you a chance to win a trip to El Nido!
Techworld Date Posted: 3:55 PM | 267 Views
Summer days are made for adventure and fun and luckily for us, the Philippines has no shortage of beautiful places to discover. This summer, Power Mac Center (PMC) is giving you a chance to...See More

 
NVIDIA® Releases Game Ready Driver for Fortnite Battle Royale and NVIDIA® Freestyle BETA
Techworld Date Posted: 11 January 2018 8:57 AM | 247 Views
NVIDIA® has released a new Game Ready Driver for Fortnite Battle Royale. The driver also supports NVIDIA®’s newest GeForce® Experience beta feature, Freestyle.   Available on or before launch day, NVIDIA® Game Ready Drivers.... See More
 
NVIDIA® Releases Game Ready Driver for Fortnite Battle Royale and NVIDIA® Freestyle BETA
Techworld Date Posted: 8:57 AM | 247 Views
NVIDIA® has released a new Game Ready Driver for Fortnite Battle Royale. The driver also supports NVIDIA®’s newest GeForce® Experience beta feature, Freestyle.   Available on or before launch day, NVIDIA® Game Ready Drivers...See More

 
10 Years in the Making: NVIDIA® Brings Real-Time Ray Tracing to Gamers with GeForce® RTX™
Techworld Date Posted: 22 August 2018 2:04 PM | 248 Views
NVIDIA® has unveiled the GeForce® RTX™ series, the first gaming GPUs based on the new NVIDIA® Turing™ architecture and the NVIDIA® RTX™ platform, which fuses next-generation shaders with real-time ray tracing and all-new AI.... See More
 
10 Years in the Making: NVIDIA® Brings Real-Time Ray Tracing to Gamers with GeForce® RTX™
Techworld Date Posted: 2:04 PM | 248 Views
NVIDIA® has unveiled the GeForce® RTX™ series, the first gaming GPUs based on the new NVIDIA® Turing™ architecture and the NVIDIA® RTX™ platform, which fuses next-generation shaders with real-time ray tracing and all-new AI...See More

 
Kaspersky Lab Launches ‘Secure Your Ferrari Experience’ Competition in Asia Pacific
Techworld Date Posted: 23 September 2017 11:41 AM | 282 Views
Kaspersky Lab has launched the ‘Secure Your Ferrari Experience' for the second year running, offering five winners from Asia Pacific a chance to visit the Home of Ferrari in Maranello, Italy. The "Secure Your Ferrari.... See More
 
Kaspersky Lab Launches ‘Secure Your Ferrari Experience’ Competition in Asia Pacific
Techworld Date Posted: 11:41 AM | 282 Views
Kaspersky Lab has launched the ‘Secure Your Ferrari Experience' for the second year running, offering five winners from Asia Pacific a chance to visit the Home of Ferrari in Maranello, Italy. The "Secure Your Ferrari...See More


Power by

Download Free AZ | Free Wordpress Themes