SynAck targeted ransomware uses the Doppelgänging technique

Discussion in '0-day Release' started by RGiskardR, May 7, 2018.

  1. RGiskardR

    RGiskardR Malware Tester Silver Member

    The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions.

    In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant.

    Anti-analysis and anti-detection techniques

    Process Doppelgänging

    SynAck ransomware uses this technique in an attempt to bypass modern security solutions. The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one.

    Full reading: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
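The post describes the effect of Process Doppelgänging from the defender's side: the process is launched from a transacted file, so what runs in memory is not what the file on disk shows afterwards. One simple triage heuristic that follows from this is to compare the image actually mapped into each process with the current contents of its backing file. The snippet below is an added illustration written for this thread, not code from Securelist or from the poster; the `ProcessRecord` layout, the `assess`/`triage` helpers and the sample records are all constructed for the example, and a real collector would obtain the mapped and on-disk bytes from the operating system rather than from embedded byte strings.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessRecord:
    """Snapshot of one running process (hypothetical record format).

    A real implementation would read mapped_image from the process's image
    section and disk_image from image_path; here both are constructed bytes.
    """
    pid: int
    image_path: str
    mapped_image: bytes            # code actually mapped into the process
    disk_image: Optional[bytes]    # current file contents, None if the file is gone


def sha256_hex(data: bytes) -> str:
    """Content hash used to compare the two views of the image."""
    return hashlib.sha256(data).hexdigest()


def assess(record: ProcessRecord) -> str:
    """Return 'ok' or a short reason why the process deserves a closer look.

    After a transacted launch the on-disk file is either rolled back to its
    original content or never materialises at all; neither outcome is
    consistent with a normally loaded image, so both are flagged.
    """
    if record.disk_image is None:
        return "suspicious: backing image no longer exists on disk"
    if sha256_hex(record.mapped_image) != sha256_hex(record.disk_image):
        return "suspicious: mapped image differs from the file on disk"
    return "ok"


def triage(records: Iterable[ProcessRecord]) -> List[Tuple[int, str]]:
    """Collect (pid, reason) for every record that is not 'ok'."""
    findings = []
    for record in records:
        verdict = assess(record)
        if verdict != "ok":
            findings.append((record.pid, verdict))
    return findings


# Constructed sample data: one benign process, one whose mapped code does not
# match its (rolled-back) file, and one whose backing file is missing.
LEGIT_IMAGE = b"MZ-legit-editor-image"
PAYLOAD_IMAGE = b"MZ-constructed-payload-image"

CONSTRUCTED_RECORDS = [
    ProcessRecord(1001, r"C:\Windows\System32\notepad.exe", LEGIT_IMAGE, LEGIT_IMAGE),
    ProcessRecord(2002, r"C:\Windows\System32\notepad.exe", PAYLOAD_IMAGE, LEGIT_IMAGE),
    ProcessRecord(3003, r"C:\Users\Public\tmp.exe", PAYLOAD_IMAGE, None),
]


if __name__ == "__main__":
    for pid, reason in triage(CONSTRUCTED_RECORDS):
        print(f"pid {pid}: {reason}")
```

The comparison is deliberately coarse: it does not explain how the mismatch arose, only that the running code and the on-disk file disagree, which is the observable the post's description leaves behind and the point at which an analyst would pull a memory dump for a closer look.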
