Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. This is the first time the Doppelgänging technique has been seen in ransomware in the wild.

 

The developers behind SynAck also implement other tricks to evade detection and analysis: obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox.

 

The SynAck ransomware has been known since the autumn of 2017, and in December was observed targeting mainly English-speaking users with remote desktop protocol (RDP) brute-force attacks followed by the manual download and installation of malware. The new variant uncovered by Kaspersky Lab researchers implements a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.

 

Reported in December 2017, Process Doppelgänging involves a fileless code injection that takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code. Doppelgänging leaves no traceable evidence behind, making this type of intrusion extremely difficult to detect. This is the first time ransomware has been observed using this technique in-the-wild.

 

Other noteworthy features of the new variant of SynAck include:

  • The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code.
  • It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings.
  • Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.
  • The malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.
  • Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more  – possibly to make it easier to seize valuable files which might otherwise be tied up into the running processes.

 

Researchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the U.S., Kuwait, Germany, and Iran, with ransom demands of $3,000 USD.

 

The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers. Our research shows how the relatively low profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild,” said Anton Ivanov, Lead Malware Analyst, Kaspersky Lab

 

Kaspersky Lab detects this variant of the SynAck ransomware as:

 

Trojan-Ransom.Win32.Agent.abwa
Trojan-Ransom.Win32.Agent.abwb
PDM:Trojan.Win32.Generic

 

Kaspersky Lab recommends the following actions to keep users and devices safe from ransomware:

  • Back up data regularly.
  • Use a reliable security solution that is powered with behaviour detection and able
    to roll back malicious actions.
  • Always keep software updated on all the devices you use.
  • If you’re a business, you should also educate your employees and IT teams; and
    keep sensitive data separate with access restricted. Use dedicated security
    solution, such as Kaspersky Endpoint Security for Business.
  • If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean
    system to check our No More Ransom site; you may well find a decryption tool
    that can help you get your files back.

 

To learn more about the fake new variant of SynAck, read our blogpost on Securelist.com.


RECOMMENDED ARTICLE FOR TECHWORLD


 
Industrial Networks of Energy and ICS Integration Companies Hit by More Cyberattacks than Any Other Industry in H2, 2017
Techworld Date Posted: 28 March 2018 3:32 PM | 245 Views
Almost 40% of all industrial control systems (ICS) in energy organizations protected by Kaspersky Lab solutions were attacked by malware at least once during the last six months of 2017, closely followed by 35.3%.... See More
 
Industrial Networks of Energy and ICS Integration Companies Hit by More Cyberattacks than Any Other Industry in H2, 2017
Techworld Date Posted: 3:32 PM | 245 Views
Almost 40% of all industrial control systems (ICS) in energy organizations protected by Kaspersky Lab solutions were attacked by malware at least once during the last six months of 2017, closely followed by 35.3%...See More

 
ADATA Sets New Overclocking Record with XPG SPECTRIX D80 RGB Memory Module at 5584MT/s
Techworld Date Posted: 9 January 2019 12:40 PM | 68 Views
ADATA Technology, a leading manufacturer of high-performance DRAM modules, and NAND Flash products has announced that it has overclocked its XPG SPECTRIX D80 RGB DDR4 memory module. See More
 
ADATA Sets New Overclocking Record with XPG SPECTRIX D80 RGB Memory Module at 5584MT/s
Techworld Date Posted: 12:40 PM | 68 Views
ADATA Technology, a leading manufacturer of high-performance DRAM modules, and NAND Flash products has announced that it has overclocked its XPG SPECTRIX D80 RGB DDR4 memory moduleSee More

 
Realme Philippines Shakes Up PH Entry-Level Segment with realme C2
Techworld Date Posted: 1 June 2019 11:23 AM | 551 Views
Realme Philippines once again claims the entry-level throne with its newest budget smartphone royalty, the realme C2. With its sleek and chic build, higher-tier performance and long-lasting battery, the latest budget segment disruptor is.... See More
 
Realme Philippines Shakes Up PH Entry-Level Segment with realme C2
Techworld Date Posted: 11:23 AM | 551 Views
Realme Philippines once again claims the entry-level throne with its newest budget smartphone royalty, the realme C2. With its sleek and chic build, higher-tier performance and long-lasting battery, the latest budget segment disruptor is...See More

 
Transcend’s Gives Advice in Selecting the Right Dashcam for Your Needs
Techworld Date Posted: 20 September 2017 11:06 AM | 233 Views
The dashcam, or dashboard camera, has become an essential vehicle accessory primarily because of solid evidence that it aids with self-protection. Transcend Information Inc., a leading manufacturer of storage and multimedia products, has come.... See More
 
Transcend’s Gives Advice in Selecting the Right Dashcam for Your Needs
Techworld Date Posted: 11:06 AM | 233 Views
The dashcam, or dashboard camera, has become an essential vehicle accessory primarily because of solid evidence that it aids with self-protection. Transcend Information Inc., a leading manufacturer of storage and multimedia products, has come...See More

 
Introducing the new special editions to the moto g family moto G5s and moto G5s plus
Techworld Date Posted: 14 October 2017 2:30 PM | 76 Views
Motorola continues to bring unique and intuitive user experiences that Filipinos love and the two new additions to its moto g family: moto g5s and moto g5s plus, come with the latest innovations in.... See More
 
Introducing the new special editions to the moto g family moto G5s and moto G5s plus
Techworld Date Posted: 2:30 PM | 76 Views
Motorola continues to bring unique and intuitive user experiences that Filipinos love and the two new additions to its moto g family: moto g5s and moto g5s plus, come with the latest innovations in...See More

 
UBTECH OPENS ROBOTICS SUMMER WORKSHOP
Techworld Date Posted: 8 May 2018 3:07 PM | 217 Views
The introduction and availability of programmable robots (Robotics) at brickand-mortar stores are still unrecognizable. For most, these robots are too expensive for a “toy” without even exploring its value and benefits to their kids,.... See More
 
UBTECH OPENS ROBOTICS SUMMER WORKSHOP
Techworld Date Posted: 3:07 PM | 217 Views
The introduction and availability of programmable robots (Robotics) at brickand-mortar stores are still unrecognizable. For most, these robots are too expensive for a “toy” without even exploring its value and benefits to their kids,...See More

 
Akamai Announces New Services, Research and Partnerships to Help Customers ‘Connect to Tomorrow’
Techworld Date Posted: 24 October 2017 2:20 PM | 594 Views
Akamai Technologies announced its vision for an integrated approach to delivering world class digital experiences at the ‘EDGE’ Conference – its annual customer event. With customers looking for the fastest online services backed by.... See More
 
Akamai Announces New Services, Research and Partnerships to Help Customers ‘Connect to Tomorrow’
Techworld Date Posted: 2:20 PM | 594 Views
Akamai Technologies announced its vision for an integrated approach to delivering world class digital experiences at the ‘EDGE’ Conference – its annual customer event. With customers looking for the fastest online services backed by...See More

 
ASUS Announces Cutting-Edge AiMesh Whole-Home Wi-Fi for ASUS Routers
Techworld Date Posted: 5 January 2018 10:51 AM | 544 Views
ASUS today announced AiMesh, an innovative and breakthrough feature upgrade for ASUS routers that allows users to easily create a flexible and powerful whole-home Wi-Fi system using any compatible ASUS models.. See More
 
ASUS Announces Cutting-Edge AiMesh Whole-Home Wi-Fi for ASUS Routers
Techworld Date Posted: 10:51 AM | 544 Views
ASUS today announced AiMesh, an innovative and breakthrough feature upgrade for ASUS routers that allows users to easily create a flexible and powerful whole-home Wi-Fi system using any compatible ASUS models.See More

 
Fortinet Continues Commitment to Close the Cyber Skills Gap though Its NSE Institute Training and Certification Program
Techworld Date Posted: 11 May 2019 11:09 AM | 238 Views
Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, has continued to lead the way on training and education in the company’s ongoing efforts to close the cyber security skills.... See More
 
Fortinet Continues Commitment to Close the Cyber Skills Gap though Its NSE Institute Training and Certification Program
Techworld Date Posted: 11:09 AM | 238 Views
Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, has continued to lead the way on training and education in the company’s ongoing efforts to close the cyber security skills...See More

 
ADATA Launches New Range of Charging Products
Techworld Date Posted: 4 July 2018 11:07 AM | 585 Views
ADATA Technology, a leading manufacturer of high-performance DRAM modules and NAND Flash products, today launched a series of new charging products that make powering mobile lifestyles easier than ever.. See More
 
ADATA Launches New Range of Charging Products
Techworld Date Posted: 11:07 AM | 585 Views
ADATA Technology, a leading manufacturer of high-performance DRAM modules and NAND Flash products, today launched a series of new charging products that make powering mobile lifestyles easier than ever.See More


Power by

Download Free AZ | Free Wordpress Themes