Halim Abouzeid

SynAck Ransomware's Behavior in RSA NetWitness Endpoint

Blog Post created by Halim Abouzeid Employee on May 14, 2018

A new variant of the SynAck ransomware has been seen in the wild using Process Doppelgänging to evade detection. The malware has been seen in multiple geographies, including the USA, Europe and the Middle East.


The blog below shows how RSA NetWitness Endpoint is able to detect the malicious behavior of SynAck even when the malware is using evasion techniques.


After the machine was infected with the malware, RSA NetWitness Endpoint assigned it a high risk score based on the detected behaviors of the malware (in this case, a score of 835 out of a maximum of 1024).



If we then look at the modules that are part of the malware, we can see:

- synack.exe with a high IIOC score, high Risk Score and a hash reputation tagged as "Malicious"

- Memory DLLs with high IIOC and Risk scores, which are the code loaded in memory to evade detection

- The text file that shows up to the victim once infected, also with a high IIOC score due to its behavior (set to be opened at startup)


The behaviors triggered by these processes can be seen below:


From this list we can point out a few, such as:

- "Suspected thread & Floating module", which as mentioned earlier refers to the DLLs loaded in memory to evade detection (but detected by RSA NetWitness Endpoint)

- "Autorun": this behavior is triggered by the readme file that displays the directions to the victim on how to pay the ransom, as well as by a copy of the msiexec.exe file, with a valid Microsoft signature and hash, stored in the App Data directory and set to run at startup


By looking at more details about the autorun settings in scanned data, we can see exactly what is configured to run at startup.



As for the Memory DLLs loaded by msiexec.exe showing in the Suspicious Threads:




If we now look at the information we have around the msiexec.exe module, we can see that even though it has a valid signature from Microsoft, its score has been increased by RSA NetWitness Endpoint due to multiple suspicious behaviors, such as:

- Its location in an unusual folder

- It modifies the registry key to run at startup

- It accesses a large number of documents in a short period of time (which is typical of ransomware due to the encryption of all the files)



By checking the path of msiexec.exe we can see that it is located in 2 locations, 1 of which is unusual (in "\AppData\Roaming\").



If we look at the tracking data we have for the malware, we can see the following behaviors.

1- the malware is manually executed

2- it then checks for running processes

3- it copies "msiexec.exe" to the "\AppData\Roaming\" folder

4- it kills excel.exe (one of the processes it watches for and kills, from a longer list of 100+ processes)

5- it deletes the original dropper

6- it starts encrypting the documents

7- it modifies the run registry key to open a text file with the instructions on how to pay the ransom every time the workstation starts

8- it continues encrypting the documents

9- it opens the text file with the instructions on how to pay the ransom
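The three behaviors this post lists for the copied msiexec.exe (unusual folder, run key modification, many documents accessed in a short time) can be written as simple rules over endpoint events. The following is an added example, not RSA NetWitness Endpoint's logic or code from the original post; the event format, thresholds, user name and file paths are constructed assumptions.

```python
from collections import defaultdict
from ntpath import basename, normcase

# Assumed tuning values for this example, not taken from the product.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"msiexec.exe"}            # names expected only in SYSTEM_DIRS
DOC_EXT = (".docx", ".xlsx", ".pdf", ".txt")
BURST_COUNT, BURST_SECONDS = 5, 10        # >= 5 document writes within 10 s

# Constructed sample events: (seconds, process path, action, target)
ROAMING = r"C:\Users\alice\AppData\Roaming\msiexec.exe"
LEGIT = r"C:\Windows\System32\msiexec.exe"
EVENTS = [
    (0, LEGIT, "file_write", r"C:\Users\alice\Documents\install.txt"),
    (1, ROAMING, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]
EVENTS += [(2 + i, ROAMING, "file_write",
            rf"C:\Users\alice\Documents\report{i}.docx") for i in range(6)]

def analyze(events):
    """Return {process path: set of suspicious behaviors} for an event list."""
    findings = defaultdict(set)
    doc_times = defaultdict(list)         # per-process sliding window
    for ts, proc, action, target in events:
        p, t = normcase(proc), normcase(target)
        # A valid signature does not help if the binary runs from the wrong place.
        if basename(p) in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS):
            findings[proc].add("system binary in unusual folder")
        if action == "reg_set" and "\\currentversion\\run" in t:
            findings[proc].add("modifies run key")
        if action == "file_write" and t.endswith(DOC_EXT):
            times = doc_times[proc]
            times.append(ts)
            while times[0] < ts - BURST_SECONDS:   # drop writes outside the window
                times.pop(0)
            if len(times) >= BURST_COUNT:
                findings[proc].add("document access burst")
    return dict(findings)

if __name__ == "__main__":
    for proc, behaviors in analyze(EVENTS).items():
        print(proc, sorted(behaviors))
```

The legitimate System32 copy produces no findings here, while the copy in "\AppData\Roaming\" collects all three behaviors.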


The following is the message displayed to the user once the infection is completed.




This shows how RSA NetWitness Endpoint can detect an infection and track the behaviors of that malware, even when it uses advanced techniques to evade detection.