Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. This is the first time the Doppelgänging technique has been seen in ransomware in the wild.

 

The developers behind SynAck also implement other tricks to evade detection and analysis: obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox.

 

The SynAck ransomware has been known since the autumn of 2017, and in December was observed targeting mainly English-speaking users with remote desktop protocol (RDP) brute-force attacks followed by the manual download and installation of malware. The new variant uncovered by Kaspersky Lab researchers implements a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.

 

Reported in December 2017, Process Doppelgänging involves a fileless code injection that takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code. Doppelgänging leaves no traceable evidence behind, making this type of intrusion extremely difficult to detect. This is the first time ransomware has been observed using this technique in-the-wild.

 

Other noteworthy features of the new variant of SynAck include:

  • The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code.
  • It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings.
  • Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.
  • The malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.
  • Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more  – possibly to make it easier to seize valuable files which might otherwise be tied up into the running processes.

 

Researchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the U.S., Kuwait, Germany, and Iran, with ransom demands of $3,000 USD.

 

The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers. Our research shows how the relatively low profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild,” said Anton Ivanov, Lead Malware Analyst, Kaspersky Lab

 

Kaspersky Lab detects this variant of the SynAck ransomware as:

 

Trojan-Ransom.Win32.Agent.abwa
Trojan-Ransom.Win32.Agent.abwb
PDM:Trojan.Win32.Generic

 

Kaspersky Lab recommends the following actions to keep users and devices safe from ransomware:

  • Back up data regularly.
  • Use a reliable security solution that is powered with behaviour detection and able
    to roll back malicious actions.
  • Always keep software updated on all the devices you use.
  • If you’re a business, you should also educate your employees and IT teams; and
    keep sensitive data separate with access restricted. Use dedicated security
    solution, such as Kaspersky Endpoint Security for Business.
  • If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean
    system to check our No More Ransom site; you may well find a decryption tool
    that can help you get your files back.

 

To learn more about the fake new variant of SynAck, read our blogpost on Securelist.com.


RECOMMENDED ARTICLE FOR TECHWORLD


 
Kaspersky Lab Teams Up with Cybersecurity Pros to Secure the Future of the Security Industry with SAS Unplugged
Techworld Date Posted: 29 March 2019 5:16 PM | 117 Views
In an effort to give back to the security research community, global cybersecurity company Kaspersky Lab is announcing the introduction of the newest component of its annual Security Analyst Summit (SAS) that aims to.... See More
 
Kaspersky Lab Teams Up with Cybersecurity Pros to Secure the Future of the Security Industry with SAS Unplugged
Techworld Date Posted: 5:16 PM | 117 Views
In an effort to give back to the security research community, global cybersecurity company Kaspersky Lab is announcing the introduction of the newest component of its annual Security Analyst Summit (SAS) that aims to...See More

 
Epson Inkjets Win Grand Prize for Excellence in Energy Efficiency and Conservation
Techworld Date Posted: 24 January 2019 5:22 PM | 123 Views
Seiko Epson Corporation (TSE: 6724, “Epson”) has been awarded The Director-General's Prize, The Agency for Natural Resources and Energy, for Epson's LX-10000F series and LX-7000F series of high-speed linehead inkjet multifunction printers sold in.... See More
 
Epson Inkjets Win Grand Prize for Excellence in Energy Efficiency and Conservation
Techworld Date Posted: 5:22 PM | 123 Views
Seiko Epson Corporation (TSE: 6724, “Epson”) has been awarded The Director-General's Prize, The Agency for Natural Resources and Energy, for Epson's LX-10000F series and LX-7000F series of high-speed linehead inkjet multifunction printers sold in...See More

 
Power Mac Center Opens Biggest Store in Festival Mall, Alabang
Techworld Date Posted: 15 December 2017 10:27 AM | 354 Views
Head south this weekend as premier Apple partner Power Mac Center is opening its biggest branch in the country yet. The brand new store and service center. See More
 
Power Mac Center Opens Biggest Store in Festival Mall, Alabang
Techworld Date Posted: 10:27 AM | 354 Views
Head south this weekend as premier Apple partner Power Mac Center is opening its biggest branch in the country yet. The brand new store and service centerSee More

 
Get the Best Deals for Your Family This Christmas with the PLDT Christmas 3 Bundle Promo
Techworld Date Posted: 21 December 2017 5:04 PM | 389 Views
It’s the season of gift-giving and PLDT has the perfect present for the digitally savvy and entertainment-loving Filipino families.. See More
 
Get the Best Deals for Your Family This Christmas with the PLDT Christmas 3 Bundle Promo
Techworld Date Posted: 5:04 PM | 389 Views
It’s the season of gift-giving and PLDT has the perfect present for the digitally savvy and entertainment-loving Filipino families.See More

 
Redefining the Food-And-Drink Business, One Print at a Time
Techworld Date Posted: 1 March 2019 4:36 PM | 102 Views
  Making siopao buns for her family and friends is a regular affair for Nelly Co. One day in a typical gathering at home in 1994, as she watches the familiar faces smile, laugh,.... See More
 
Redefining the Food-And-Drink Business, One Print at a Time
Techworld Date Posted: 4:36 PM | 102 Views
  Making siopao buns for her family and friends is a regular affair for Nelly Co. One day in a typical gathering at home in 1994, as she watches the familiar faces smile, laugh,...See More

 
MSI Philippines Joins the World of Consumer Electronics Expo (WOCEE)
Techworld Date Posted: 20 September 2017 9:20 AM | 295 Views
Manila, Philippines - Micro-Star International (MSI Gaming) will be participating in the World Consumer Electronics Expo organized by WorldBex this September 21 to 24, 2017 at World Trade Center, Pasay City. 11am to 6pm,.... See More
 
MSI Philippines Joins the World of Consumer Electronics Expo (WOCEE)
Techworld Date Posted: 9:20 AM | 295 Views
Manila, Philippines - Micro-Star International (MSI Gaming) will be participating in the World Consumer Electronics Expo organized by WorldBex this September 21 to 24, 2017 at World Trade Center, Pasay City. 11am to 6pm,...See More

 
KINGMAX’s Entry-Level M.2 PCIe SSD PJ3280 Satisfies the Need for Upgrades Where Speed Is of Paramount Importanc
Techworld Date Posted: 30 August 2018 4:56 PM | 208 Views
KINGMAX, a world-renowned professional memory manufacturer, has consummated its product line of M.2 2280 PCIe NVMe solid-state drives (SSDs). See More
 
KINGMAX’s Entry-Level M.2 PCIe SSD PJ3280 Satisfies the Need for Upgrades Where Speed Is of Paramount Importanc
Techworld Date Posted: 4:56 PM | 208 Views
KINGMAX, a world-renowned professional memory manufacturer, has consummated its product line of M.2 2280 PCIe NVMe solid-state drives (SSDs)See More

 
Fortinet Offers Essential Cyber-Safety Tips Amidst Escalating Cyber-Attacks
Techworld Date Posted: 21 September 2017 1:22 PM | 564 Views
Fortinet, the global leader in high-performance cyber security solutions, warns businesses and individuals in Philippines to brace for escalating cyber-attacks as cyber-criminals expand their targets to home network devices and mobile devices. Fortinet's latest.... See More
 
Fortinet Offers Essential Cyber-Safety Tips Amidst Escalating Cyber-Attacks
Techworld Date Posted: 1:22 PM | 564 Views
Fortinet, the global leader in high-performance cyber security solutions, warns businesses and individuals in Philippines to brace for escalating cyber-attacks as cyber-criminals expand their targets to home network devices and mobile devices. Fortinet's latest...See More

 
HMD Introduces Five New Nokia Phones
Techworld Date Posted: 27 February 2018 4:42 PM | 306 Views
HMD Global, the home of Nokia phones, announced four new additions to its award-winning portfolio of Android smartphones – Nokia 8 Sirocco, Nokia 7 Plus, new Nokia 6 and Nokia 1.. See More
 
HMD Introduces Five New Nokia Phones
Techworld Date Posted: 4:42 PM | 306 Views
HMD Global, the home of Nokia phones, announced four new additions to its award-winning portfolio of Android smartphones – Nokia 8 Sirocco, Nokia 7 Plus, new Nokia 6 and Nokia 1.See More

 
Youth Congress for IT Harnesses the Boundless Potential of Technology and the Youth with AWS Educate
Techworld Date Posted: 21 September 2018 3:46 PM | 229 Views
The 16th Youth Congress for Information Technology (Y4IT), an enabling event recognizing young Filipinos as key drivers of the IT industry’s continued advancement, is set to happen on September 24 to 26, 2018 at.... See More
 
Youth Congress for IT Harnesses the Boundless Potential of Technology and the Youth with AWS Educate
Techworld Date Posted: 3:46 PM | 229 Views
The 16th Youth Congress for Information Technology (Y4IT), an enabling event recognizing young Filipinos as key drivers of the IT industry’s continued advancement, is set to happen on September 24 to 26, 2018 at...See More


Power by

Download Free AZ | Free Wordpress Themes