Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

SynAck Ransomware Uses Process Doppelgänging for Evasion

SynAck has become the first ransomware family to leverage the

SynAck has become the first ransomware family to leverage the Process Doppelgänging technique in an attempt to bypass security products, Kaspersky Lab reports.

Discovered in September 2017, SynAck isn’t new malware, but started using the evasion method last month, Kaspersky’s security researchers warn. The technique isn’t new either, as it was first detailed in December 2017 by enSilo.

Similar to process hollowing, Process Doppelgänging abuses the Windows loader to execute code without writing it to disk, making detection more difficult. The malicious code is correctly mapped to a file on the disk, just as it would be in the case of a legitimate process.

As expected, SynAck leverages Process Doppelgänging to bypass modern security solutions (which would flag any unmapped code).

“The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” Kaspersky notes.

The technique was previously demonstrated to bypass security products from Microsoft, AVG, Bitdefender, ESET, Symantec, McAfee, Kaspersky, Panda Security and Avast. It would work on Windows 7, Windows 8.1 and Windows 10 machines.

Not only does SynAck evade detection, but it also makes analysis more difficult, due to heavy use of obfuscation (although it doesn’t use a packer).

“The control flow of the Trojan executable is convoluted. Most of the CALLs are indirect, and the destination address is calculated by arithmetic operation from two DWORD constants. All of the WinAPI function addresses are imported dynamically by parsing the exports of system DLLs and calculating a CRC32-based hash of the function name,” Kaspersky notes.

While the method has been used before, SynAck’s authors complicated it further by obscuring the address of the procedure that retrieves the API function address and the target hash value.

During execution, the malware checks the language of the system to verify whether it runs on a PC from a certain list of countries. SynAck also checks the directory where its executable is started from and exits if it is launched from an ‘incorrect’ directory.

The security researchers also discovered that the Trojan doesn’t store the strings it wants to check, but only their hashes, an effort to hinder attempts to find the original strings. SynAck uses a combination of symmetric and asymmetric encryption algorithms, Kaspersky notes.

The ransonmware encrypts the content of each file using the AES-256-ECB algorithm with a randomly generated key and adds a random extension to the encrypted files.

Before encrypting user’s files, the malware enumerates all running processes and services and checks the hashes of their names against hardcoded values. If it finds a match, SynAck attempts to kill the process or to stop the service.

The ransomware targets programs related to virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications, and more. Kaspersky suggests the malware kills these processes to grant itself access to the files they might be using.

SynAck also clears the event logs stored by the system and can add a custom text to the Windows logon screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. This results in the user seeing a message from the cybercriminals before logging into their account.

“We have currently only observed several attacks in the USA, Kuwait, Germany, and Iran. This leads us to believe that this is targeted ransomware,” Kaspersky concludes.

Related: ‘Process Doppelgänging’ Helps Malware Evade Detection

Related: City of Atlanta Ransomware Attack Proves Disastrously Expensive

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.