Researchers have discovered what is believed to be the first case of ransomware using a sophisticated technique called Doppelgänging to avoid detection by antivirus solutions.
On Monday, security experts from Kaspersky Lab said in a security notice that a variant of the SynAck ransomware has been spotted in the wild using this sophisticated circumvention technique.
SynAck is nothing new. The ransomware was discovered in 2017 and differs from standard ransomware families in several ways. While SynAck employs the standard recipe of infection, encryption, and a blackmail notice demanding money in return for a decryption key, the ransomware does not use a payment portal.
Instead, SynAck operators demand that victims arrange payment, usually in Bitcoin (BTC), through email or a BitMessage ID. Ransom demands can be as high as $3,000.
While this malware may have previously been nothing special, the emergence of a variant which utilizes the Doppelgänging technique has forced researchers to take notice.
Process Doppelgänging was first revealed by enSilo researchers at Black Hat Europe in December last year.
The attack technique targets the Microsoft Windows operating system and is designed to circumvent traditional security software and antivirus solutions by exploiting how they interact with memory processes.
Process Doppelgänging masks crafted executables and changes executable files by overwriting legitimate files in the context of transactional NTFS. A section of these transactions is overwritten with malicious code that points to a crafted executable, which is then loaded and results in the creation of a process based on the modified executable.
This is known as process hollowing, the creation of a process purely in order to run malicious executables.
While many antivirus products are able to detect and thwart such attack techniques, Doppelgänging then rolls back transactions into legitimate states, and so no trace of the attack is left behind — which prevents antivirus solutions from detecting such activity at all.
Arbitrary code is then able to run in the context of a legitimate process. According to enSilo, Doppelgänging is a fileless injectable attack, and it cannot be patched as it “exploits fundamental features and the core design of the process loading mechanism in Windows.”
Kaspersky Labs researchers say that alongside the use of Doppelgänging, SynAck will also attempt to prevent programs related to virtual machines, office software, backup systems, and more from operating.
“It might be doing this to grant itself access to valuable files that could have been otherwise used by the running processes,” the researchers say.
In addition, the malware has been thoroughly obfuscated prior to compilation, as well as encrypted, which makes reverse engineering a strenuous task.
Attacks using the new SynAck variant have been recorded in the United States, Kuwait, Germany, and Iran.
Kaspersky believes that the ransomware is targeted, especially as the malware will check the status of an infected machine against a hardcoded list of countries and languages.
If a victim is located in a country outside of an approved list, then the encryption of files will not take place and the malware simply exits.
“The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Our research shows how the relatively low profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild.”
Article originally appeared in ZDNet