• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • SynAck ransomware Employs Many Novel Techniques to Avoid Detection

SynAck ransomware Employs Many Novel Techniques to Avoid Detection

Pierluigi Paganini May 07, 2018

The latest variant of the SynAck ransomware now includes a number of novel and complex anti-detection techniques, including one that was only made published by security researchers in December 2017.

When it originally appeared on the scene, SynAck ransomware didn’t seem unique or outstanding. It was marginally effective, but it wasn’t going to force enterprises to radically change their existing anti-malware capabilities. However the developers have been busy, and the latest SynAck variant now includes a number of novel and complex anti-detection techniques, including one that was only made published by security researchers in December 2017.

SynAck ransomware

From the very beginning, malware has been engaged in a battle of evolution. Every time a new attack technique is deployed, new defensive techniques are developed and the bad actors need to come up with new techniques. To get more longevity for their exploits, malware developers often add defensive techniques to identify when they are being scrutinized by anti-malware tools or obfuscate the true purpose of the code to encourage anti-malware tools to assume it is benign or target the attack to avoid police action in their home country. The SynAck ransomware deploys all of these “common” techniques and adds Process Doppelgänging for a new twist.

SynAck ransomware

Process Doppelgänging was introduced to the world by enSilo security researchers, @Tal_Liberman and Eugene Kogan at Black Hat Europe 2017. The technique leverages a Microsoft Windows mechanism called NTFS Transactions which is standard on all versions of Windows. It is a big advantage to the malware authors when they can rely on processes already on the target system instead of having to bake it into their code. Even more so in this case, since the technique leverages a default Windows capability making it unlikely to be patched. The author’s description of process doppelgänging:

“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”

The key piece is that most anti-malware tools are watching for unexpected changes to the filesystem, or unexpected code running in memory that didn’t come from a program on the file system. By leveraging NTFS transactions SynAck ransomware is able to run in memory under the guise of a legitimate program stored on the disk without making changes to the file which would set off all the alarms. NTFS transactions are normal Windows events so everything appears normal to the system.

In addition to the Process Doppelgänging, SynAck ransomware employs some other interesting techniques to avoid detection. The fundamental anti-malware technique is to look at a file and identify malicious characteristics. To bypass this inspection, malware authors often obfuscate their compiled code to make it difficult to assess what it is going to do. Anti-malware defenses are good at identifying the common code obfuscation techniques that are applied to already compiled code, but the SynAck ransomware developers went a step further and obfuscated the code before it has been compiled. (Securelist) Even this technique can be overcome, but it adds a lot of effort to the detection stage and that results in longer diagnosis times, and no one is in favor of slower security software.

In addition to the novel techniques identified above, SynAck ransomware also employs the relatively common technique of identifying the directory it is being run from. If it is being executed from an unexpected directory, the malware assumes it is running inside a sandbox under the scrutiny of anti-malware tools and it doesn’t run. This might fool the anti-malware software into thinking the code is benign and letting it pass.

SynAck ransomware also tests the keyboard language setting of the target system. The ransomware will not execute on a system with the default language set to Cyrillic.

The primary attack vector for SynAck ransomware is via Windows Remote Desktop Protocol(RDP.) If you don’t need it, you should definitely turn it off. Beyond that, the normal protections against ransomware still apply. There have been no flaws found in the ransomware encryption so don’t count on the good guys providing the decryption keys for free on this one.

 

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SynAck ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cybercrime Doppelgänging technique Hacking malware Pierluigi Paganini Security Affairs SynAck ransomware

you might also like

Pierluigi Paganini July 08, 2025
Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant
Read more
Pierluigi Paganini July 08, 2025
U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

    Intelligence / July 08, 2025

    U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 08, 2025

    IT Worker arrested for selling access in $100M PIX cyber heist

    Cyber Crime / July 08, 2025

    New Batavia spyware targets Russian industrial enterprises

    Malware / July 07, 2025

    Taiwan flags security risks in popular Chinese apps after official probe

    Security / July 07, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT