rvlsoft - Fotolia

How does the SynAck ransomware use Process Doppelgänging?

A technique called Process Doppelgänging was used by the SynAck ransomware to bypass security software. Expert Michael Cobb explains how this technique works and why it's unique.

Kaspersky Lab detected ransomware called SynAck that uses Process Doppelgänging. What is this technique and what does it mean for ransomware threats?

The Process Doppelgänging technique was first introduced in December 2017 by security researchers at the endpoint security firm enSilo. The researchers demonstrated how it can use process hollowing to circumvent security software by exploiting how it scans for malware and interacts with memory processes.

Process hollowing is the creation of a process for the sole purpose of running a malicious executable inside it. A process is loaded in a suspended state, but then elements of memory are replaced with crafted code and the process resumed, fooling the system and any security software into classifying the process as legitimate and safe to run.

Up-to-date antivirus tools can detect attacks leveraging process hollowing. However, although Process Doppelgänging utilizes process hollowing, it's harder to detect and defend against, as it leverages a Transactional New Technology File System (TxF) to roll back any processes it has altered into legitimate states, leaving no trace of the attack behind. TxF integrates transactions into Windows New Technology File System, which makes it easier for application developers and administrators to gracefully handle errors and preserve data integrity.

Process Doppelgänging masks a malicious executable by making changes to an executable file that is never committed to disk by overwriting a legitimate file in the context of a transaction. A section of the transaction is overwritten with code that points to the malicious app, which is then loaded. This creates a process based on the modified executable and enables arbitrary code to run in the context of a legitimate process.

As the malicious process is launched from the transacted file, it appears to be legitimate when it is checked by security software. And, because it doesn't require the creation of any files during the process, antivirus products may have a hard time detecting it using signature scans.

Kaspersky Lab has already discovered a variant of the SynAck ransomware using this circumvention and detection technique to greatly improve its stealth and infection capability. The new SynAck variant checks the status of an infected machine against a hardcoded list of countries and languages. Attacks have been recorded in the United States, Kuwait, Germany and Iran, so SynAck is most likely targeting specific user groups. There is no doubt that other hackers will upgrade their malware to make them undetectable.

Implementing Process Doppelgänging does require advanced technical skills and knowledge -- but that isn't in short supply in the cybercrime industry. As this attack technique exploits fundamental features and the core design of the process loading mechanism in Windows, it can affect all versions of Microsoft Windows. Microsoft may not move to address this issue, though, as it is not a vulnerability, but an evasion technique that leverages Microsoft's transaction technology.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing