Monday, May 7, 2018

Process Doppelganging - If you are worried about ransomware then you should be aware of it (SynAck ransomware is already using this technique)



Process Doppelganging is a fileless evasion technique that bypasses real-time file scanning by most AV software and next-generation AV tools on all versions of Windows since Windows Vista. Unlike malware that has to be written to disk or run completely from memory, with Process Doppelganging threat actors can build malware that runs from what appears to be a completely legitimate file on disk.

By manipulating how Windows handles NTFS file transactions (TxF), attackers can launch known malicious code inside a process that looks like it was started from a harmless, legitimate file: the malicious content is written to the file inside a transaction that is never committed, so scanners that inspect the file on disk only ever see the original, benign content.
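To make the file-transaction part concrete, here is an added PowerShell example (written for this page, not code from the article or from the SynAck malware) that shows the TxF property the technique relies on: data written to a file inside an uncommitted transaction is invisible to any reader outside that transaction, and a rollback leaves the on-disk file exactly as it was. It only writes and reads a text file; it does not create a section or a process. The scratch path in $target and the transaction description string are assumptions for the demo.

```powershell
# Added example: demonstrate NTFS transaction (TxF) isolation, the mechanism
# Process Doppelganging abuses. Requires Windows and an NTFS volume; TxF is
# deprecated by Microsoft but still present on current Windows versions.
# Win32 signatures below are from the documented ktmw32.dll / kernel32.dll APIs.
Add-Type -Namespace Demo -Name Txf -MemberDefinition @'
[DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow, uint createOptions,
    uint isolationLevel, uint isolationFlags, uint timeout, string description);

[DllImport("ktmw32.dll", SetLastError = true)]
public static extern bool RollbackTransaction(IntPtr transaction);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileTransactedW(
    string name, uint access, uint share, IntPtr secAttrs, uint disposition,
    uint flags, IntPtr template, IntPtr transaction, IntPtr miniVersion, IntPtr extended);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

# Scratch file (assumed path for the demo) holding "benign" content that is
# what an on-access scanner would see.
$target = Join-Path $env:TEMP 'txf-demo.txt'
Set-Content -Path $target -Value 'benign original content' -NoNewline

# Start a kernel transaction. CreateTransaction returns INVALID_HANDLE_VALUE (-1) on failure.
$tx = [Demo.Txf]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'txf isolation demo')
if ($tx.ToInt64() -eq -1) {
    throw "CreateTransaction failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Open the existing file *inside* the transaction.
# GENERIC_WRITE = 0x40000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3, FILE_ATTRIBUTE_NORMAL = 0x80
$h = [Demo.Txf]::CreateFileTransactedW($target, 0x40000000, 1, [IntPtr]::Zero, 3, 0x80,
        [IntPtr]::Zero, $tx, [IntPtr]::Zero, [IntPtr]::Zero)
if ($h.IsInvalid) {
    throw "CreateFileTransactedW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Overwrite the file's content through the transacted handle. The write is
# only visible to readers that are part of this transaction.
$fs = New-Object System.IO.FileStream($h, [System.IO.FileAccess]::Write)
$bytes = [Text.Encoding]::ASCII.GetBytes('content written inside the transaction')
$fs.Write($bytes, 0, $bytes.Length)
$fs.Flush()
$fs.Dispose()   # closes the handle; the write stays pending in the uncommitted transaction

# A non-transacted reader (Get-Content here, an AV scanner in the real case)
# still sees the last committed version of the file.
"Outside the transaction, before rollback: $(Get-Content -Path $target -Raw)"

# Roll the transaction back: the pending write is discarded, nothing ever
# reached the committed file, so there is no on-disk artifact to scan.
[void][Demo.Txf]::RollbackTransaction($tx)
[void][Demo.Txf]::CloseHandle($tx)
"After rollback: $(Get-Content -Path $target -Raw)"

Remove-Item -Path $target
```

Both lines print the original "benign original content". The point for defenders is that a scan-on-write or scan-on-close hook that opens the file normally is looking at the committed version, so detection of this technique has to key on the later steps (an image section created from a transacted file and a process built from that section) rather than on the file content itself.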


SynAck's latest version can also detect whether it is being launched from an automated sandbox; if so, it simply exits. Before it actually begins to encrypt files, SynAck also compares hashes of the processes running on the compromised machine against a list hard-coded into the malware, and tries to kill any process that matches.

Processes that SynAck is designed to kill include virtual machines, database applications, backup systems, and gaming applications, in what appears to be a bid to make it easier to seize high-value files that would otherwise be locked by a running process.

https://www.darkreading.com/attacks-breaches/synack-ransomware-gets-dangerous-doppleganging-feature/d/d-id/1331736?_mc=KJH-Twitter-2018-05
