Kransom Ransomware Attack Leverages DLL Side-Loading and Valid Certificates
Date:
September 12, 2024
Cybersecurity researchers have uncovered a new strain of ransomware, known as Kransom, which is being camouflaged as a popular game to avoid detection, HackRead reports.
This sophisticated malware leverages DLL side-loading techniques to deploy its payload, utilizing a legitimate digital certificate issued by COGNOSPHERE PTE. LTD., adding an extra layer of credibility to its malicious activities.
Kransom is embedded within a modified version of StarRail, a legitimate game used as a decoy to deceive users. The ransomware operates by exploiting a DLL file stored within the game’s directory, where the malware’s encrypted code resides.
This attack exemplifies DLL side-loading, a technique where a seemingly trustworthy executable loads a malicious DLL, thereby compromising the execution flow. To evade detection, the ransomware’s code within the DLL is encrypted using XOR, a basic but effective method of obfuscation.
The malicious payload is activated once the infected StarRailBase.dll file is loaded by the executable, initiating the ransomware attack. Without this compromised DLL, the ransomware remains dormant, ensuring the genuine game functions as expected, further obscuring the attack from unsuspecting users.
Takeaway: Kransom's use of trusted platforms, like legitimate games such as StarRail, highlights the increasingly sophisticated tactics cybercriminals employ to infiltrate systems while remaining undetected.
What makes Kransom particularly dangerous is its use of a valid certificate from COGNOSPHERE PTE. LTD. By signing the malware with a trusted certificate, it manages to bypass conventional security systems, which typically flag unsigned or suspicious software.
This tactic allows the ransomware to pose as legitimate software, reducing the chances of it being flagged by antivirus programs or other protective measures.
While the game itself is safe when downloaded and used in its unaltered form, Kransom exploits its architecture by embedding malicious code in the same installation directory. This subtle strategy makes it difficult for users to notice anything unusual, underscoring the complexity of modern ransomware.
Ransomware tactics have evolved significantly. Operators are no longer limited to simplistic, spray-and-pray attacks, but now leverage advanced techniques such as DLL side-loading and the exploitation of zero-day vulnerabilities.
Traditionally, these kinds of tactics were associated with nation-state actors. However, the distinction between state-sponsored attackers and cybercriminals has blurred, with ransomware groups increasingly adopting these sophisticated methods to increase the efficacy of their attacks.
The limitations of legacy security tools have become apparent, as they were not designed to counter the specific threat posed by ransomware. As a result, even well-established endpoint security solutions like EPP/EDR/XDR are often circumvented, allowing ransomware to disrupt organizations with devastating consequences.
While many ransomware attacks still target organizations with poor security hygiene, there is a growing trend of more advanced attack sequences using refined techniques.
Ransomware has become a highly profitable business, generating billions in revenue. This financial success has enabled attackers to reinvest in their operations, hiring skilled developers to continuously innovate.
These experts focus on refining techniques to evade detection, steal sensitive data, and increase encryption speed. The use of DLL side-loading, for instance, is not entirely new but remains relatively rare, as seen in high-profile attacks like the REvil breach of Kaseya in 2021.
In that attack, a signed, legitimate software update was used to deliver the ransomware payload in a supply chain attack, resulting in the compromise of numerous downstream victims.
What makes these attacks particularly challenging to defend against is the use of legitimate applications with valid certificates to deliver the malicious payload. Even the most stringent security hygiene cannot fully prevent such tactics.
This is why operational resilience, in addition to strong security measures, is critical. Security Operations Center (SOC) analysts can take certain precautions to detect these threats.
For instance, they can monitor for unsigned DLLs loaded by executables, inspect suspicious loading paths, and compare timestamps between executable compilation and DLL loading times. Legitimate executables generally follow a consistent naming convention, while malicious DLLs may have generic or unusual path names.
In addition, significant gaps between the compilation time of the executable and the loaded DLL could be a red flag for malicious activity. However, attackers may also employ "timestomping" techniques to manipulate timestamps and further complicate detection.
Defending against these increasingly sophisticated ransomware attacks requires a multifaceted approach, combining detection of subtle anomalies with broader operational strategies that emphasize resilience in the face of persistent threats.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.