SynAck Attack Uses Manual Downloads, RDP Brute-Force Entry

Researchers recently spotted one fresh sample of SynAck a ransomware which's currently employing Process Doppelganging that too is a new technique for bypassing anti-virus programs. No other ransomware has ever used this technique, state the researchers.

With both the newly identified Process Doppelganging and SynAck, the discoverer of the former are Ensilo security investigators who made their presentation at the December held security conference of Black Hat 2017 inside London. The technique has similarity with Process Hollowing a hacking method wherein con actors change certain legitimate process' memory to substitute it with malware, thus circumventing tools of anti-virus monitoring.

According to chief malware analyst Anton Ivanov with Kaspersky Lab, companies require being knowledgeable about threat actors who now execute targeted assaults by employing ransomware. These threat actors have started employing customized ransomware in combination of complex methodologies for evading security software, Ivanov notes.

SynAck's creators with their latest version are employing one combination of manual downloads and brute-force assaults via RDP (remote desktop protocol) for installing their malicious software onto attack-prone systems. Darkreading.com posted this, May 7, 2018.

Earlier when crooks brute-forced their entry into servers through exposed alternatively poorly-secured RDPs, SynAck's original edition was one to get proliferated. And since the current edition doesn't involve any malicious spam campaign to push the malware, it's quite possible that crooks continue to employ the same tactic for the proliferation of the new SynAck too.

Kaspersky says the SynAck authors are utilizing the non-standard packaging method of Process Doppelganging for concealing the malware from AV detection. For that they forge tailored PE packers' utilization for safeguarding the Trojan's actual code.

Researchers state the most recent assaults are extremely personalized, with a few noticed within USA, Germany, Iran and Kuwait. The attacks involve high ransom demands up to $3,000. To encrypt files the algorithm AES-256-ECB is used accompanied with an arbitrarily generated decoder while after encryption, filenames are added with arbitrarily generated extensions.

SynAck is crafted for thwarting processes such as database applications, virtual machines, gaming apps and backup systems so that it's simpler for grabbing highly precious documents that may otherwise have linkages with some running process.

» SPAMfighter News - 5/15/2018