Threat Management, Malware, Ransomware

SynAck ransomware implements Doppelgänging evasion technique

SynAck targeted ransomware was seen in the wild using the Doppelgänging technique which was first presented as a proof of concept in December 2017.

The evasion technique was first demonstrated by enSilo researchers Tal Liberman and Eugene Kogan at the Black Hat 2017 Conference in London.

The technique exploits a built-in Windows function and an undocumented implementation of Windows process loader by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process and then tricking the process monitoring tools and antivirus into believing that the legitimate process is running.

While the ransomware has been active since September 2017, Kaspersky researchers first spotted the ransomware deploying the technique in April 2018 during several attacks in the U.S., Kuwait, Germany, and Iran.

The malware scans the keyboard layouts installed on a victim's PC and checks it against a list of countries that is hardcoded into the malware.

“To do this, it lists all the keyboard layouts installed on the victim's PC and checks against a list hardcoded into the malware body,” researchers said in the report. “If it finds a match, SynAck sleeps for 300 seconds and then just calls ExitProcess to prevent encryption of files belonging to a victim from these countries.”

The malware also performs a check on the directory where its executable stated from and if there is an attempt to launch it from an ‘incorrect' directory, the Trojan won't proceed and will just exit instead, researchers added.

SynAck also uses a combination of symmetric and asymmetric encryption algorithms which at the core lies the hybrid ECIES scheme composed of ‘building blocks' which interact with each other. While infecting a victim's system's the content of each file is encrypted by the AES-256-ECB algorithm with a randomly generated key. 

Various researchers noted an uptick in activity from the ransomware in September of last year after at least three different versions were spotted.  The attacks are conducted using remote desktop protocol brute-force attacks to access remote computers and then the operators manually downloaded and installed the ransomware.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.