Security researchers have spotted a new and improved version of the SynAck ransomware that uses a new technique called Process Doppelgänging, which makes the malware hard to detect and stop.
The Process Doppelgänging technique abuses a built-in Windows feature, NTFS transactions, together with an outdated implementation of the Windows process loader, to launch a malicious process: the adversary replaces the memory of a legitimate process with malicious code. Because it appears that a legitimate process is running, the technique evades process monitoring tools and anti-virus software.
“The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” wrote Anton Ivanov, Fedor Sinitsyn and Orkhan Mamedov, security researchers with Kaspersky Lab.
SynAck ransomware first surfaced in September 2017, when cybercriminals used it effectively to target open or badly secured RDP connections. Since then, SynAck has matured and become more powerful and dangerous.
“First, [SynAck] checks if it’s installed in the right directory. If it’s not, it doesn’t run,” researchers noted. “Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing.”
The most recently observed attacks targeted the U.S., Kuwait, Germany, and Iran. Ransom demands can be as high as $3,000.
“The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers,” Ivanov said in a statement. “Our research shows how the relatively low-profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability.”