SynAck has become the first ransomware family to leverage the Process Doppelgänging technique in an attempt to bypass security products, Kaspersky Lab reports.
Discovered in September 2017, SynAck isn’t new malware, but started using the evasion method last month, Kaspersky’s security researchers warn. The technique isn’t new either, as it was first detailed in December 2017 by enSilo.
Similar to process hollowing, Process Doppelgänging abuses the Windows loader to execute code without writing it to disk, making detection more difficult. The malicious code is correctly mapped to a file on the disk, just as it would be in the case of a legitimate process.
As expected, SynAck leverages Process Doppelgänging to bypass modern security solutions (which would flag any unmapped code).
“The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” Kaspersky notes.
The technique was previously demonstrated to bypass security products from Microsoft, AVG, Bitdefender, ESET, Symantec, McAfee, Kaspersky, Panda Security and Avast. It would work on Windows 7, Windows 8.1 and Windows 10 machines.
Not only does SynAck evade detection, but it also makes analysis more difficult, due to heavy use of obfuscation (although it doesn’t use a packer).
“The control flow of the Trojan executable is convoluted. Most of the CALLs are indirect, and the destination address is calculated by arithmetic operation from two DWORD constants. All of the WinAPI function addresses are imported dynamically by parsing the exports of system DLLs and calculating a CRC32-based hash of the function name,” Kaspersky notes.
While the method has been used before, SynAck’s authors complicated it further by obscuring the address of the procedure that retrieves the API function address and the target hash value.
During execution, the malware checks the language of the system to verify whether it runs on a PC from a certain list of countries. SynAck also checks the directory where its executable is started from and exits if it is launched from an ‘incorrect’ directory.
The security researchers also discovered that the Trojan doesn’t store the strings it wants to check, but only their hashes, in an effort to hinder attempts to recover the original strings. SynAck uses a combination of symmetric and asymmetric encryption algorithms, Kaspersky notes.
The ransomware encrypts the content of each file using the AES-256-ECB algorithm with a randomly generated key and adds a random extension to the encrypted files.
Before encrypting the user’s files, the malware enumerates all running processes and services and checks the hashes of their names against hardcoded values. If it finds a match, SynAck attempts to kill the process or to stop the service.
The ransomware targets programs related to virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications, and more. Kaspersky suggests the malware kills these processes to grant itself access to the files they might be using.
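Both the dynamic API resolution described above and the process/service kill list rely on comparing hashes of names rather than the names themselves, so an analyst recovers the intent by hashing candidate names and looking the sample's constants up in reverse. The following is an added illustration of that triage step, not code from Kaspersky's report or from the malware; it assumes an unmodified CRC32 (the report only says "CRC32-based", so a real sample may use a tweaked table), and the candidate name lists and sample hash values are constructed for the example.

```python
import zlib

# Constructed candidate lists. In real triage the API list would come from the
# export tables of the system DLLs the sample parses, and the process list from
# a catalogue of common application and service names.
CANDIDATE_API_NAMES = [
    "CreateFileW", "WriteFile", "NtCreateTransaction", "NtCreateSection",
    "CryptGenRandom", "GetSystemDefaultLangID", "OpenSCManagerW",
]
CANDIDATE_PROCESS_NAMES = [
    "sqlservr.exe", "winword.exe", "vmware.exe", "excel.exe", "python.exe",
]


def crc32_hash(name: str) -> int:
    """Standard CRC32 (zlib polynomial) of the ASCII name.
    Assumption: the sample uses stock CRC32; a variant needs its own table."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_lookup(names):
    """Map hash -> name so constants lifted from the sample can be resolved.
    A collision between two different candidates would make the result
    ambiguous, so it is reported instead of silently overwritten."""
    table = {}
    for n in names:
        h = crc32_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r}")
        table[h] = n
    return table


def resolve_hashes(hashes, names):
    """Return {hash: resolved name or None} for every hash found in the sample."""
    table = build_lookup(names)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed "constants from the binary": two that resolve, one that does not.
    sample_hashes = [crc32_hash("WriteFile"), crc32_hash("vmware.exe"), 0xDEADBEEF]
    all_names = CANDIDATE_API_NAMES + CANDIDATE_PROCESS_NAMES
    for h, name in resolve_hashes(sample_hashes, all_names).items():
        print(f"0x{h:08X} -> {name or '<unresolved: extend candidate list>'}")
```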
SynAck also clears the event logs stored by the system and can add custom text to the Windows logon screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. As a result, the user sees a message from the cybercriminals before logging into their account.
“We have currently only observed several attacks in the USA, Kuwait, Germany, and Iran. This leads us to believe that this is targeted ransomware,” Kaspersky concludes.