A ransomware program called SynAck uses a sophisticated process hiding technique that was first documented last year as a proof-of-concept to evade detection.
Dubbed Process Doppelgänging, the method was presented at the Black Hat security conference last year by researchers from security firm enSilo. Attackers have since caught on and SynAck is the first ransomware program using it in the wild.
Process Doppelgänging relies on a feature called Transactional NTFS (TxF) that was introduced in Windows Vista. Its goal is to help developers gracefully handle errors and preserve data integrity when applications update files on disk.
“To update a file safely, the application opens the file in transacted mode, makes the necessary updates, and then commits the transaction,” Microsoft explained in its documentation. “If the system or application fails during the file update, then TxF automatically restores the file to the state that it had before the file update began, which avoids file corruption.”
The enSilo researchers figured out how to spawn processes from transacted files before the changes are committed to disk. This allows malware to take an existing legitimate system file, open it in transacted mode, replace its contents with malicious code, spawn a process from it and restore the file to its original form.
In this way, the rogue process appears to point to a local file, but there is no actual malicious code on disk. When the enSilo researchers tested this technique last year, they managed to bypass detection by 12 different antivirus programs running on Windows 7, 8.1 and 10.
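One way a defender can spot the sequence just described is to look for a process that creates a transaction, opens an executable transacted, overwrites it, creates a section and process from it, and then rolls the transaction back instead of committing. The following is an added illustration, not code from the article, enSilo or Kaspersky Lab: the API names are real Windows calls, but the trace format and the sample trace are constructed for this example.

```python
from collections import defaultdict
# Ordered API sequence for the steps the article describes: open a legitimate
# executable transacted, overwrite it, spawn from it, then roll back.
PATTERN = ["NtCreateTransaction", "CreateFileTransactedW", "WriteFile",
           "NtCreateSection", "NtCreateProcessEx", "NtRollbackTransaction"]

# Constructed trace (not a vendor log format): "<seconds> <pid> <api> <path>".
# PID 4321 runs the full sequence; PID 777 is a normal TxF update that commits.
SAMPLE_TRACE = """\
0.010 4321 NtCreateTransaction -
0.012 4321 CreateFileTransactedW C:\\Windows\\System32\\svchost.exe
0.015 4321 WriteFile C:\\Windows\\System32\\svchost.exe
0.020 4321 NtCreateSection C:\\Windows\\System32\\svchost.exe
0.025 4321 NtCreateProcessEx C:\\Windows\\System32\\svchost.exe
0.030 4321 NtRollbackTransaction -
1.000 777 NtCreateTransaction -
1.002 777 CreateFileTransactedW C:\\Data\\config.ini
1.010 777 CommitTransaction -
"""

def parse_trace(text):
    """Parse trace lines into (timestamp, pid, api, path) tuples."""
    return [(float(t), int(p), api, path)
            for t, p, api, path in (ln.split(maxsplit=3) for ln in text.splitlines())]

def find_doppelganging(events, window=5.0):
    """Return {pid: image_path} for PIDs completing PATTERN in order within `window` seconds."""
    hits = {}
    state = defaultdict(lambda: [0, None, None])  # pid -> [next step, start ts, path]
    for ts, pid, api, path in events:
        st = state[pid]
        if api == "CommitTransaction":            # legitimate TxF use: reset
            state[pid] = [0, None, None]
            continue
        if api != PATTERN[st[0]]:                 # unrelated call, keep waiting
            continue
        if api in ("WriteFile", "NtCreateSection", "NtCreateProcessEx") and path != st[2]:
            continue                              # must act on the transacted file
        if st[0] == 0:
            st[1] = ts
        elif ts - st[1] > window:                 # too slow to be one sequence
            state[pid] = [0, None, None]
            continue
        if api == "CreateFileTransactedW":
            st[2] = path
        st[0] += 1
        if st[0] == len(PATTERN):
            hits[pid] = st[2]
            state[pid] = [0, None, None]
    return hits
```

Real telemetry would come from an EDR or ETW provider that records these calls per process; the point is that a rollback after a process was spawned from the transacted file is the tell, since no malicious content remains on disk to scan.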
It’s no surprise then that attackers adopted the technique, with SynAck the first ransomware threat that uses it, according to researchers from antivirus vendor Kaspersky Lab.
“It should be noted that SynAck is not new—it has been known since at least September 2017—but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging,” the Kaspersky researchers said in a blog post.
SynAck also uses other sophisticated code obfuscation techniques to make reverse engineering and analysis more difficult for researchers. It uses a combination of symmetric and asymmetric encryption and kills a variety of processes before encrypting files. Another interesting aspect of the malware is that it displays the ransom message directly on the Windows login screen.
So far, Kaspersky Lab has only detected several infections with SynAck in the United States, Kuwait, Germany and Iran, which suggests this is a targeted threat.
Adobe Patches Flash Player, Connect and Creative Cloud Desktop Application
During this month’s Patch Tuesday Adobe Systems fixed several vulnerabilities in Flash Player, Adobe Connect and its Creative Cloud Desktop Application.
The Flash Player update addresses one vulnerability that’s rated critical and can result in remote code execution. Users are advised to upgrade to Flash Player 184.108.40.206.
Adobe Connect has not received a new patch per se, but Adobe published manual mitigation instructions for an authentication bypass issue that could allow attackers to access sensitive configuration files. Administrators of on-premises Connect deployments are advised to insert a block of code in web.xml to filter authentication requests.
The Creative Cloud Desktop Application received fixes for three vulnerabilities, two that can lead to privilege escalation and one that can result in security bypass due to improper certificate validation. Failure to properly validate certificates generally allows for man-in-the-middle attacks.