Security researchers have discovered the first-ever ransomware exploiting Process Doppelganging, which is a new file-less code injection technique that could help malware evade detection.
The Process Doppelganging attack works on all modern versions of Microsoft Windows OS, including Windows 10. It utilizes a built-in Windows function called NTFS Transactions, and an outdated implementation of Windows process loader.
Process Doppelganging attack acts by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, deceiving the process monitoring tools and antivirus by making it think that the legitimate process is running.
Soon after the Process Doppelganging attack details were released to the public, numerous threat actors were found misusing it in an attempt to bypass modern security solutions.
Security researchers at Kaspersky Lab have now discovered the first ransomware, a new variant of SynAck, using this technique to evade its malicious actions and targeting users in countries like the United States, Kuwait, Germany, and Iran.
The SynAck ransomware which was first discovered in September 2017 makes use of complex obfuscation techniques to prevent reverse engineering. A speciality of this ransomware is that it does not infect people from specific countries, including Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan.
The SynAck ransomware identifies the country of any user by matching the keyboard layouts installed on the user’s PC against a hardcoded list stored in the malware. When a match is found, the ransomware sleeps for 30 seconds and then calls ExitProcess to prevent encryption of files.
SynAck ransomware also prevents automatic sandbox analysis by checking the directory from where it executes. SynAck doesn’t proceed if it finds that it has tried to launch the malicious executable from an ‘incorrect’ directory, instead it terminates itself.
After infecting SynAck encrypts the content of each infected file with the AES-256-ECB algorithm and gives the victims a decryption key until they contact the attackers and accept their demands.
SynAck can also display a ransomware note to the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. The ransomware is smart enough to clear the event logs stored by the system to avoid forensic analysis of an infected machine.
The researchers have not disclosed how SynAck enters a PC, but as we know most of the ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.
Therefore, you should be very cautious while opening any document sent over an email and clicking any links in the documents unless the source is verified. Here only certain security and antivirus software can alert you about the threat but it is always a good practice to have an effectiveand up-to-date antivirus security suite on your system. Also it is advised that you backup your data on a regular basis.