Though known since September 2017, SynAck ransomware has a new variant found to be using Process Doppelgänging. According to Kaspersky Lab researchers who discovered the ransomware Trojan bypassing antivirus security by hiding in legitimate processes, this is the first time the Doppelgänging technique has been seen in ransomware in the wild.
First presented at the BlackHat Europe conference in December 2017, Process Doppelgänging is a sophisticated technique attackers use to bypass modern security solutions.
“The developers behind SynAck also implement other tricks to evade detection and analysis, obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox,” Kaspersky Lab wrote in today’s press release.
The technique launches what appears to be a legitimate process from the transacted file, though it is actually malicious. Malware developers are known to use custom PE packers that protect the original code of the Trojan executable. Once unpacked, the original file is revealed unchanged and able to be analyzed.
That packing process is not being used with SynAck. In addition to bypassing security solutions, the Trojan changes its malicious code prior to compilation, which makes it much more difficult to analyze and reverse-engineer. “It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings,” Kaspersky Lab wrote.
Lead malware analyst at Kaspersky Lab, Anton Ivanov said, “The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers.
“Our research shows how the relatively low profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild.”