Over the past few months, a new ransomware threat has appeared, Conti ransomware. The ransomware has already been thoroughly researched by Carbon Black’s research team. Recently, we came across a new variant with a surprising new capability to bypass security products, by removing the hooks set to capture its malicious activity.
Hooking is a common method security solutions utilize to analyze and identify malicious behavior. The internals of the hooking process are not in the scope of the article, but a good overview of the technique can be found here.
The Unhooking Process:
Conti creates a mapping of some of its imported dlls from disk (using the functions CreateFileMappingW and MapViewOfFile). It then iterates through the exported functions of each imported dll, comparing the first byte with 0xe9 or 0xff (jmp instruction opcodes in x86 assembly).
If a matching instruction is found in the beginning of a function, the ransomware will compare the beginning of the memory resident code with its disk counterpart. Once a discrepancy is found, the malware will copy the disk function, overwriting the hooked version and removing the API hook.
The file mapping:
Comparing the first byte of each function with 0xe9 (jmp):
Preventing Conti Infection:
Minerva prevents the unhooking process, thus preventing this strain of Ransomware prior encryption (infection):
This new Conti’s functionality is evidence that malware developers are evolving their tools to evade detection by studying the internals of security tools, we should expect this type of techniques to become a norm.