Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan that uses the Process Doppelgänging technique to bypass anti-virus protection by running its code under the guise of a legitimate process. This is the first time the Doppelgänging technique has been seen in ransomware in the wild.

The developers behind SynAck also use other tricks to evade detection and analysis: they obfuscate the malware's code before it is compiled, and the Trojan exits if there are signs that it is being launched in a sandbox.

The SynAck ransomware has been known since the autumn of 2017. In December it was observed compromising mainly English-speaking victims by brute-forcing Remote Desktop Protocol (RDP) credentials and then manually downloading and installing the malware on the compromised hosts. The new variant uncovered by Kaspersky Lab researchers takes a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.

Process Doppelgänging was first presented in December 2017. It is a fileless code-injection technique that abuses two Windows features: NTFS transactions, a documented built-in mechanism, and the undocumented way the Windows process loader can create a process from a memory section rather than from a file. The attacker opens a legitimate executable inside a transaction, overwrites it with malicious code within that transaction, creates an image section from the modified file, then rolls the transaction back so the file on disk is never changed, and finally starts a process from that section. The resulting process runs the attacker's code under the name and path of the legitimate program, while file-based scanning finds only the untouched original on disk, which is why the technique is so difficult to detect with traditional anti-virus, even when the injected code is already known to be malicious. This is the first time ransomware has been observed using this technique in the wild.
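
One check a defender can make follows directly from the description above. After a Doppelgänged launch, the process's image path points at an untouched legitimate executable, but the PE image actually mapped into the process came from the rolled-back transaction, so the PE headers read from the process's image base do not match the headers of the file on disk. The script below, written for this page and not code from Kaspersky Lab or from SynAck, parses both header blocks and reports the fields that differ. The two images are constructed inside the script; collecting the real in-memory copy (for example with ReadProcessMemory at the image base taken from the PEB) is assumed to have been done by a separate step, and all function names are my own.

```python
"""Compare the PE headers of a process's on-disk image with the PE headers
mapped in its memory. A Process Doppelgaenging victim shows a mismatch: the
file at the image path is clean, the mapped image is the attacker's.
Constructed sample images; not SynAck code."""
import struct

COFF_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
PE32_OPTIONAL_HEADER_SIZE = 0xE0
E_LFANEW = 0x40                       # NT headers follow a 64-byte DOS header


def build_pe32(entry_rva, timestamp, sections):
    """Build a minimal PE32 header block. Constructed test data, not a real binary.

    sections: list of (name, virtual_size, virtual_address, raw_size, characteristics).
    """
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", E_LFANEW)
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, len(sections), timestamp,
                       0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x010B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    table = b"".join(struct.pack(SECTION_HEADER_FMT, name, vsize, vaddr, raw,
                                 0, 0, 0, 0, 0, flags)
                     for name, vsize, vaddr, raw, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe_headers(image):
    """Extract the identifying header fields from PE bytes (file or dumped memory)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(
        COFF_HEADER_FMT, image, coff_off)
    opt_off = coff_off + 20
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER_FMT, image, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, vaddr, raw, flags))
    return {"machine": machine, "timestamp": timestamp,
            "entry_point": entry_rva, "sections": sections}


def check_process_image(disk_image, memory_image):
    """Return a list of findings; an empty list means the mapped image matches the file.

    Only fields the loader leaves untouched are compared (machine, link timestamp,
    entry point, section table), so a normal process produces no findings.
    """
    disk, mem = parse_pe_headers(disk_image), parse_pe_headers(memory_image)
    findings = []
    for field in ("machine", "timestamp", "entry_point"):
        if disk[field] != mem[field]:
            findings.append(f"{field}: disk={disk[field]:#x} memory={mem[field]:#x}")
    if disk["sections"] != mem["sections"]:
        findings.append("section table: disk=%s memory=%s" % (
            [s[0] for s in disk["sections"]], [s[0] for s in mem["sections"]]))
    return findings


# Constructed: the clean binary that still sits at the process's image path.
CLEAN_ON_DISK = build_pe32(0x1000, 0x5A8B0000, [
    (b".text", 0x3000, 0x1000, 0x3000, 0x60000020),
    (b".rdata", 0x1000, 0x4000, 0x1000, 0x40000040),
    (b".data", 0x800, 0x5000, 0x200, 0xC0000040),
])
# Constructed: what was actually mapped from the transacted, rolled-back write.
MAPPED_IN_MEMORY = build_pe32(0x7000, 0x5AE00000, [
    (b".text", 0x6000, 0x1000, 0x6000, 0x60000020),
    (b".data", 0x2000, 0x7000, 0x2000, 0xE0000040),
])

if __name__ == "__main__":
    print("clean file vs. clean process:", check_process_image(CLEAN_ON_DISK, CLEAN_ON_DISK))
    for finding in check_process_image(CLEAN_ON_DISK, MAPPED_IN_MEMORY):
        print("MISMATCH", finding)
```

A mismatch is a strong lead rather than proof on its own: a binary that was legitimately replaced on disk after the process started (an in-place update) also fails this comparison, so corroborate with the process's parent, command line and network activity before acting on it.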

 

Other noteworthy features of the new variant of SynAck include:

  • The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code.
  • It also hides which Windows API functions it calls: instead of importing them by name or storing the names as strings, it keeps hashes of the names and resolves the functions at run time, so the strings an analyst would normally search for are absent.
  • Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.
  • The malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.
  • Before encrypting files on a victim device, SynAck compares hashes of the names of all running processes and services against its own hard-coded list of hashes. If it finds a match, it tries to terminate the process. The targets include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more. The likely reason is that a file held open by a running application cannot be encrypted, so killing the application first frees valuable files that would otherwise be locked.
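
Both hash tricks in the list above (hashed API names and a hashed process kill list) are met by the same analyst technique: extract the 32-bit constants from the sample, hash a wordlist of candidate names with the sample's own algorithm, and look the constants up. The script below is an added example written for this page, not code from SynAck or Kaspersky Lab. The hash function SynAck actually uses is not given on this page; the ROR13 additive hash below stands in for it, the lower-casing before hashing is an assumption, and the wordlists and the "extracted" constants are constructed.

```python
"""Recover the names behind a sample's hashed API list or process kill list by
hashing candidate names with the sample's algorithm and matching the results.
The ROR13 hash is an assumed stand-in; all sample data is constructed."""

MASK32 = 0xFFFFFFFF


def ror13_hash(name: bytes) -> int:
    """Assumed algorithm: rotate right by 13, then add each byte (a common API hash)."""
    h = 0
    for byte in name:
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + byte) & MASK32
    return h


def normalize(name: str) -> bytes:
    """Assumed: names are lower-cased before hashing so process-name matching is case-insensitive."""
    return name.lower().encode("ascii")


def resolve_by_hash(exports, wanted_hash):
    """The malware side: pick the export whose hashed name matches, without ever naming it."""
    for export in exports:
        if ror13_hash(normalize(export)) == wanted_hash:
            return export
    return None


def build_lookup(wordlist):
    """The analyst side: hash -> candidate names. Collisions are kept, not silently dropped."""
    table = {}
    for word in wordlist:
        table.setdefault(ror13_hash(normalize(word)), []).append(word)
    return table


def recover_names(hashes, *wordlists):
    """Map each extracted constant to the wordlist names that produce it ([] = unresolved)."""
    merged = {}
    for wordlist in wordlists:
        for h, names in build_lookup(wordlist).items():
            merged.setdefault(h, []).extend(names)
    return {h: merged.get(h, []) for h in hashes}


# Constructed wordlists. The process names stand for the categories named on the
# page (databases, office, VMs, interpreters, backup, games); they are not SynAck's list.
PROCESS_NAMES = ["sqlservr.exe", "winword.exe", "excel.exe", "vmware.exe", "vmwp.exe",
                 "wscript.exe", "python.exe", "sqlwriter.exe", "steam.exe", "backup.exe"]
API_NAMES = ["CreateFileTransactedW", "RollbackTransaction", "NtCreateSection",
             "NtCreateProcessEx", "CryptEncrypt", "FindFirstFileW", "TerminateProcess"]

# Constructed "extracted" constants: three kill-list hashes plus one value that no
# wordlist entry produces, to show how an unresolved hash is reported.
SAMPLE_KILL_LIST = [ror13_hash(normalize(n))
                    for n in ("sqlservr.exe", "winword.exe", "vmware.exe")] + [0xDEADBEEF]

if __name__ == "__main__":
    for h, names in recover_names(SAMPLE_KILL_LIST, PROCESS_NAMES, API_NAMES).items():
        print(f"{h:#010x} -> {names or 'unresolved (extend the wordlist)'}")
    print("malware resolves", resolve_by_hash(API_NAMES, ror13_hash(normalize("NtCreateSection"))))
```

In practice the wordlist is the export table of every DLL on a reference Windows install plus a list of common process image names, and the first job is to recover the real hash routine from the disassembly, since a wrong algorithm or a wrong case convention resolves nothing.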

 

Researchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the U.S., Kuwait, Germany and Iran, each demanding a ransom of $3,000 USD.

“The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers. Our research shows how the relatively low profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild,” said Anton Ivanov, Lead Malware Analyst, Kaspersky Lab.

Kaspersky Lab detects this variant of the SynAck ransomware as:

Trojan-Ransom.Win32.Agent.abwa
Trojan-Ransom.Win32.Agent.abwb
PDM:Trojan.Win32.Generic

Kaspersky Lab recommends the following actions to keep users and devices safe from ransomware:

  • Back up data regularly.
  • Use a reliable security solution that uses behaviour-based detection and can roll back malicious actions.
  • Always keep software updated on all the devices you use.
  • If you’re a business, you should also educate your employees and IT teams, and keep sensitive data separate with access restricted. Use a dedicated security solution, such as Kaspersky Endpoint Security for Business.
  • If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.

To learn more about the new variant of SynAck, read our blogpost on Securelist.com.

