Researchers at Quick Heal Security Labs have discovered a new strain of the “Mailto” ransomware nicknamed “Netwalker” that uses the art of deception to evade detection. The new strain targets enterprise users and Windows devices, using Explorer.exe (not Internet Explorer) to carry out its evasion through a form of “process injection.” This is a slight deviation from the method commonly used by most ransomware, which relies on process hollowing and hides in the computer's suspended “processes.”
The new strain of “Mailto” uses the debug API to get Explorer.exe to start its execution, and then eliminates all of its traces when it has finished. All configuration and instructions are stored in a Base64-encrypted ransom note.
The Process of Deceptive Processes Described by Quick Heal
According to Quick Heal Security Labs, “the Mailto or Netwalker performs process hollowing in explorer.exe. This helps in evading the anti-virus software (AVs) to easily perform the encryption.
In process hollowing, usually, the target process is created in suspended mode, and the injection is carried out. But here the process is not created in suspended mode— rather, it uses the ‘Debug’ mode.
To perform further injection activity, it gets the process and thread details using debug APIs like WaitForDebugEvent.”
“One should take care and should not completely trust those processes that appear to be legitimate [and] that ultimately might help malware to bypass security products. Here, the injection through process hollowing is done in explorer.exe, which itself makes it very difficult to make its presence perceptible. Moreover, while creating the process for injection, instead of using a suspended mode, it is using the not so commonly used ‘Debug’ mode. This makes AV prevention techniques [prone] to fail.”
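The observable that Quick Heal's description leaves a defender is simple: a healthy desktop explorer.exe never runs under a debugger, so an explorer.exe instance that has one attached is worth triaging. The PowerShell below is an added example written for this post, not code from the article or from Quick Heal. It calls the documented kernel32 API CheckRemoteDebuggerPresent through P/Invoke; the function name Get-DebuggedExplorer and the output fields are my own choices.

```powershell
# Added example (not from the article or Quick Heal). Flags explorer.exe instances that
# currently have a debugger attached: the debug-mode injection described above leaves the
# injecting process attached as explorer.exe's debugger while it works.
Add-Type -Namespace Win32 -Name Dbg -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool isDebuggerPresent);
'@

function Get-DebuggedExplorer {
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $present = $false
        try {
            # Process.Handle opens the target with query rights, which CheckRemoteDebuggerPresent needs
            $ok = [Win32.Dbg]::CheckRemoteDebuggerPresent($proc.Handle, [ref]$present)
            if ($ok -and $present) {
                [pscustomobject]@{
                    PID              = $proc.Id
                    Path             = $proc.Path
                    StartTime        = $proc.StartTime
                    DebuggerAttached = $true
                }
            }
        } catch {
            # Usually access denied for another user's session; surface the gap rather than hide it
            Write-Warning "Could not inspect explorer.exe PID $($proc.Id): $($_.Exception.Message)"
        }
    }
}

# On a clean workstation this prints nothing; any row is an anomaly to investigate
Get-DebuggedExplorer
```

Run it elevated so every user's explorer.exe can be inspected. Because the article notes the ransomware cleans up after itself once encryption completes, the debugger is only attached for a window of time; this check is a point-in-time spot check and should be paired with process-creation logging so the explorer.exe launch itself is recorded.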
Quick Heal reminds us that ransomware authors also employ “social engineering” deception tradecraft when designing the architecture of their ransomware, fooling AV and security products with an old technique known as the art of deception. KnowBe4's Chief Hacking Officer and well-known security researcher Kevin Mitnick has a best-selling book by that name, The Art of Deception.
Get the full story at: