Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection.
The Process Doppelgänging attack takes advantage of a built-in Windows function and an outdated implementation of the Windows process loader, and works on all versions of Windows, including Windows 10.
The Process Doppelgänging attack works by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, fooling process-monitoring tools and antivirus into believing that the legitimate process is running.
After details of the Process Doppelgänging attack went public, several threat actors were found abusing it in an attempt to bypass modern security solutions.
Security researchers at Kaspersky Lab have now found the first ransomware, a new version of SynAck, employing this technique to evade detection of its malicious actions, targeting users in the United States, Germany, Kuwait, and Iran.
Discovered in September of last year, the SynAck ransomware uses complex obfuscation techniques to hinder reverse engineering; however, the researchers managed to unpack it and shared their analysis in a blog post.
An interesting thing about SynAck is that this ransomware does not infect people from specific countries, including Russia, Ukraine, Georgia, Tajikistan, Belarus, Kazakhstan, and Uzbekistan.
To identify the country of a specific user, SynAck matches the keyboard layouts installed on the user's PC against a hardcoded list stored within the malware. If a match is found, the ransomware sleeps for thirty seconds and then calls ExitProcess to prevent encryption of files.
SynAck also prevents automatic sandbox analysis by checking the directory from which it executes. If it detects an attempt to launch the malicious executable from an 'incorrect' directory, SynAck will not proceed further and will instead terminate itself.
Once on a machine, SynAck, like any other ransomware, encrypts the content of each infected file with the AES-256-ECB algorithm and does not provide victims with a decryption key until they contact the attackers and consent to their demands.
SynAck is also capable of displaying a ransom note on the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText keys within the registry. The ransomware also clears the event logs stored by the system to hinder forensic analysis of an infected machine.
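As an added example (not code from the article or from Kaspersky's analysis), the following Python checks host telemetry for the two behaviours just described: writes to the LegalNoticeCaption/LegalNoticeText policy values (seen as Sysmon Event ID 13) and log-clearing events (Security 1102, System 104). The event record layout, the dropper path and the sample events are assumptions constructed for this example.

```python
# Detection logic for two SynAck post-infection behaviours named above:
# rewriting the logon-screen legal notice and clearing Windows event logs.
# Sample telemetry below is constructed for illustration, not real SynAck data.
from dataclasses import dataclass

# Registry values SynAck modifies to show its note on the login screen
LEGAL_NOTICE_VALUES = {"LegalNoticeCaption", "LegalNoticeText"}
LEGAL_NOTICE_KEY = r"\Microsoft\Windows\CurrentVersion\Policies\System"
# Windows events written when a log is cleared: 1102 (Security), 104 (System)
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}
SYSMON_REG_VALUE_SET = 13  # Sysmon Event ID 13: RegistryEvent (Value Set)

@dataclass
class Event:
    channel: str       # "Security", "System" or "Sysmon"
    event_id: int
    image: str = ""    # writing process, where the channel records one
    target: str = ""   # full registry path for Sysmon 13

def detect(events):
    """Return (rule, detail) findings for every matching event."""
    findings = []
    for ev in events:
        if ev.channel == "Sysmon" and ev.event_id == SYSMON_REG_VALUE_SET:
            key, _, value = ev.target.rpartition("\\")
            # Only the policy key controlling the logon notice counts; same-named values elsewhere are ignored
            if value in LEGAL_NOTICE_VALUES and key.endswith(LEGAL_NOTICE_KEY):
                findings.append(("logon_notice_tampering", f"{ev.image} set {value}"))
        elif (ev.channel, ev.event_id) in LOG_CLEARED_IDS:
            findings.append(("event_log_cleared", f"{ev.channel} log cleared"))
    return findings

def synack_like(events):
    """High-confidence only when both behaviours occur on the same host."""
    rules = {rule for rule, _ in detect(events)}
    return {"logon_notice_tampering", "event_log_cleared"} <= rules

# Constructed sample: hypothetical dropper path, not an indicator from the article
DROPPER = r"C:\Users\victim\AppData\Local\Temp\sample.exe"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE = [
    Event("Sysmon", 13, DROPPER, POLICY + r"\LegalNoticeCaption"),
    Event("Sysmon", 13, DROPPER, POLICY + r"\LegalNoticeText"),
    Event("Security", 1102),
    Event("System", 104),
    Event("Sysmon", 13, r"C:\Windows\explorer.exe", r"HKCU\Software\App\LegalNoticeText"),
]
```

Calling `detect(SAMPLE)` yields two logon-notice findings and two log-cleared findings, and `synack_like(SAMPLE)` is true; the last sample event, a same-named value under an unrelated key, is deliberately not flagged.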
Although the researchers did not say how SynAck lands on a PC, most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.
Therefore, to safeguard against such ransomware infections, you should always exercise caution when opening unsolicited documents sent over email or clicking on links inside those documents, and verify the source first.