Ransomware Uses Process Hiding Technique to Evade Antivirus

A ransomware program called SynAck evades detection with a sophisticated process hiding technique that was first documented last year only as a proof of concept.

Dubbed Process Doppelgänging, the method was presented at the Black Hat security conference last year by researchers from security firm enSilo. Attackers have since caught on and SynAck is the first ransomware program using it in the wild.

Process Doppelgänging relies on a feature called Transactional NTFS (TxF), introduced in Windows Vista. TxF is meant to help developers handle errors gracefully and preserve data integrity when applications update files on disk: a set of changes is either committed as a whole or rolled back as a whole. Microsoft has since deprecated the feature, but it is still present in current Windows versions.

“To update a file safely, the application opens the file in transacted mode, makes the necessary updates, and then commits the transaction,” Microsoft explained in its documentation. “If the system or application fails during the file update, then TxF automatically restores the file to the state that it had before the file update began, which avoids file corruption.”

The enSilo researchers figured out how to spawn a process from a transacted file before the changes are committed to disk. Malware can therefore take an existing legitimate executable, open it in transacted mode, overwrite its contents with malicious code, spawn a process from the modified file, and then roll back the transaction so that the file on disk returns to its original form.

The rogue process therefore appears to be backed by a legitimate local file, while the malicious code itself never reaches disk, which defeats scanners that rely on inspecting files. When the enSilo researchers tested the technique last year, they bypassed 12 different antivirus programs running on Windows 7, 8.1 and 10.
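As an added illustration (not part of the original article, and not code from enSilo or Kaspersky), the following Python sketches the check a defender can run against this class of technique: because the transaction is rolled back, the file on disk is the legitimate one, so the one thing the rogue process cannot hide is that the PE header of the image mapped in its memory does not match the header of the file it claims to be backed by. Both header buffers below are constructed inline so the check runs anywhere; on a live Windows host the "mapped" buffer would come from ReadProcessMemory at the process image base and the "on disk" buffer from the first page of the file at the process image path.

```python
"""Flag a process whose mapped PE image does not match the file backing it.

Added example, not from the article or from enSilo/Kaspersky.  Process
Doppelgänging leaves the on-disk file pristine, so path and file-hash checks
pass; what it cannot fake is agreement between the PE header mapped in the
process and the PE header of the file on disk at the same path.
"""
import struct

# Header fields that survive loading unchanged.  ImageBase is deliberately
# left out: ASLR relocation makes it an unreliable comparison target.
FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp",
          "AddressOfEntryPoint", "SizeOfImage", "CheckSum")


def pe_identity(buf: bytes) -> dict:
    """Parse the comparison fields from the first page of a PE image."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("not a PE image: bad DOS header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad NT signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsect, stamp, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # These three offsets are the same for PE32 and PE32+.
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    checksum = struct.unpack_from("<I", buf, opt + 64)[0]
    return dict(zip(FIELDS, (machine, nsect, stamp, entry, size_of_image, checksum)))


def header_mismatches(mapped: bytes, on_disk: bytes) -> list:
    """Names of identity fields on which the mapped image and the on-disk
    file disagree.  An empty list means the process is, as far as its
    headers go, what it claims to be."""
    mem, disk = pe_identity(mapped), pe_identity(on_disk)
    return [f for f in FIELDS if mem[f] != disk[f]]


def build_min_pe(stamp: int, entry: int, size_of_image: int, checksum: int) -> bytes:
    """Constructed test input: a minimal PE32 header (no sections, not runnable).
    Only the fields the check looks at vary; the rest are plausible constants."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0,
                      entry, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, size_of_image, 0x400, checksum,
                       2, 0x8140)
    opt += b"\0" * (0xE0 - len(opt))                              # pad to SizeOfOptionalHeader
    return dos + b"PE\0\0" + file_hdr + opt


def demo() -> list:
    """Legitimate file on disk vs. a doppelgänged process mapped from a payload."""
    legit_on_disk = build_min_pe(stamp=0x5A000000, entry=0x1400,
                                 size_of_image=0x6000, checksum=0x1234)
    # A process genuinely spawned from that file: headers agree.
    assert header_mismatches(legit_on_disk, legit_on_disk) == []
    # A doppelgänged process: memory holds the payload, disk still holds the
    # original file because the transaction was rolled back.
    payload_in_memory = build_min_pe(stamp=0x5AF00000, entry=0x2A00,
                                     size_of_image=0x20000, checksum=0)
    return header_mismatches(payload_in_memory, legit_on_disk)


if __name__ == "__main__":
    print("mismatched fields:", demo())
```

On Windows, feed `header_mismatches` the first 0x1000 bytes read with ReadProcessMemory at the base reported by EnumProcessModules/GetModuleInformation, and the first 0x1000 bytes of the file named by QueryFullProcessImageName. Two caveats: a payload that deliberately copies the victim file's header fields will pass this check, so a stronger variant compares the mapped .text section against the file's; and a legitimate process can mismatch if the file on disk was updated after it started, so treat a hit as a lead for triage rather than a verdict.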

It’s no surprise then that attackers adopted the technique, with SynAck the first ransomware threat that uses it, according to researchers from antivirus vendor Kaspersky Lab.

“It should be noted that SynAck is not new—it has been known since at least September 2017—but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging,” the Kaspersky researchers said in a blog post.

SynAck also uses other sophisticated code obfuscation techniques to make reverse engineering and analysis more difficult for researchers. It uses a combination of symmetric and asymmetric encryption and kills a variety of processes before encrypting files. Another interesting aspect of the malware is that it displays the ransom message directly on the Windows login screen.

So far, Kaspersky Lab has detected only a handful of SynAck infections, in the United States, Kuwait, Germany and Iran, which suggests this is a targeted threat.

Adobe Patches Flash Player, Connect and Creative Cloud Desktop Application

During this month’s Patch Tuesday Adobe Systems fixed several vulnerabilities in Flash Player, Adobe Connect and its Creative Cloud Desktop Application.

The Flash Player update addresses one vulnerability that’s rated critical and can result in remote code execution. Users are advised to upgrade to Flash Player

Adobe Connect did not receive a new patch as such; instead, Adobe published manual mitigation instructions for an authentication bypass issue that could allow attackers to access sensitive configuration files. Administrators of on-premises Connect deployments are advised to add a filter block to web.xml that screens authentication requests.

The Creative Cloud Desktop Application received fixes for three vulnerabilities: two that can lead to privilege escalation and one that can result in a security bypass due to improper certificate validation, a class of flaw that generally opens the door to man-in-the-middle attacks.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
