What Is It?
Researchers from Kaspersky have detailed their analysis of a new variant of SynAck ransomware. This variant is the first ransomware discovered in the wild using a sophisticated technique known as “process doppelganging,” which was initially presented at the Black Hat Europe security conference in December 2017. Researchers found this variant has been targeting users in Kuwait, Iran, Germany and the U.S.
Process doppelganging is a fileless code injection technique that works on Microsoft Windows versions up to and including Windows 10. It was designed to evade detection by anti-virus and forensic tools on an endpoint.
Its purpose is to execute malicious code by taking over the memory of a legitimate process while making it appear to the system that the legitimate process is still running. In the Black Hat Europe demonstration, the researchers used process doppelganging to successfully execute the Mimikatz credential extraction tool, which anti-virus quarantined when it was executed directly. Though somewhat technical in nature, process doppelganging relies on a built-in Windows feature, NTFS transactions, together with an implementation of the Windows process loader that was first created for Windows XP and has been carried forward in every subsequent Windows edition.
Aside from process doppelganging, this SynAck variant uses a very complicated, custom obfuscation in order to make reverse engineering of the code a much more difficult and time-consuming process. This malware also checks the installed keyboard layout and will not encrypt files on systems using keyboard layouts for Russia and several former Soviet republics, including Georgia, Armenia and Ukraine. It also clears the Windows event logs, a common malware tactic for making forensic analysis more difficult and less informative.
In addition, the malware checks that the directory it is being executed from is not on a list of directory names that would indicate it is running in a sandbox. It also attempts to kill running processes whose names match various office applications, virtual machines, script interpreters and backup applications. The purpose of this is believed to be so that files that would otherwise be locked by running applications can be encrypted as well. In a further attempt to hinder analysis, the lists of directory and application names are stored in the code not as strings but as hashes, making it more difficult to recover these values.
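The event-log clearing described above leaves its own trace: Windows records a Security event 1102 when the audit log is cleared and a System event 104 when any other log is cleared. The following detector is an added example, not code from Kaspersky's or BluVector's analysis; it runs over constructed records whose field names are an assumption about a forwarded log feed, and it rates several logs wiped on one host within a short window as the higher-severity "clear everything" pattern.

```python
import json
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records in a JSON-lines shape loosely modelled on a
# forwarded Windows event feed; the field names are an assumption.
# Real IDs: Security 1102 = audit log cleared, System 104 = a log was cleared.
SAMPLE_EVENTS = r"""
{"ts":"2018-05-07T10:01:02Z","host":"ws17","channel":"Security","event_id":4688,"subject":"CORP\\alice","data":{}}
{"ts":"2018-05-07T10:05:44Z","host":"ws17","channel":"Security","event_id":1102,"subject":"CORP\\alice","data":{}}
{"ts":"2018-05-07T10:05:45Z","host":"ws17","channel":"System","event_id":104,"subject":"CORP\\alice","data":{"Channel":"Application"}}
{"ts":"2018-05-07T10:05:45Z","host":"ws17","channel":"System","event_id":104,"subject":"CORP\\alice","data":{"Channel":"System"}}
{"ts":"2018-05-07T11:30:00Z","host":"ws04","channel":"System","event_id":104,"subject":"CORP\\backupsvc","data":{"Channel":"Application"}}
"""

CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

def parse_events(jsonl: str) -> List[dict]:
    """Parse JSON-lines records, turning the timestamp into a datetime."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events

def cleared_channel(rec: dict) -> Optional[str]:
    """Name of the log a record says was cleared, or None for other events."""
    if (rec["channel"], rec["event_id"]) not in CLEAR_EVENTS:
        return None
    # 1102 is always the Security log; 104 names the cleared log in its data.
    return "Security" if rec["event_id"] == 1102 else rec["data"].get("Channel", "?")

def detect_log_clearing(jsonl: str, window_s: int = 60) -> List[dict]:
    """One finding per host: several logs wiped within window_s seconds is the
    'clear everything' pattern ('high'); a lone clear is flagged for review ('medium')."""
    by_host: Dict[str, List[Tuple[datetime, str, str]]] = {}
    for rec in parse_events(jsonl):
        ch = cleared_channel(rec)
        if ch:
            by_host.setdefault(rec["host"], []).append((rec["ts"], ch, rec["subject"]))
    findings = []
    for host, hits in by_host.items():
        hits.sort()
        burst = max(sum(1 for t2, _, _ in hits if 0 <= (t2 - t1).total_seconds() <= window_s)
                    for t1, _, _ in hits)
        findings.append({"host": host, "logs_cleared": [c for _, c, _ in hits],
                         "actors": sorted({a for _, _, a in hits}),
                         "severity": "high" if burst >= 2 else "medium"})
    return findings
```

A lone event 104 is routine administration on many estates, so the single-clear finding is best paired with the account and host context rather than alerted on by itself.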
How Does It Propagate?
The malware does not contain the necessary code to self-propagate.
The most common attack vector for ransomware in general is social engineering, either as malicious attachments or as downloads triggered by malicious documents.
When/How Did BluVector Detect It?
Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 43 months prior to their release.