Researchers at Quick Heal Security Labs discovered a new strain of the Mailto ransomware that uses a novel way to disguise itself, evading detection and staying invisible to antivirus products.
The new strain targets the Windows devices of both consumers and organizations worldwide, using Windows' explorer.exe (not to be confused with Internet Explorer) to achieve its evasion through an innovative form of "process injection."
There are a lot of malware strains that use a technique called “process hollowing” to create a process in a suspended state and then unmap and replace its memory with malicious code. However, the operators behind the Mailto ransomware use a new method to achieve the same result.
Instead of creating the "scapegoat" process in a suspended state, Mailto ransomware creates it in debug mode and uses debug APIs such as WaitForDebugEvent to perform the actual injection of the malicious code and have the explorer process execute it.
After successfully injecting the malicious payload, the malware gains persistence on the compromised device by adding a registry RUN entry and deletes system shadow backup copies to prevent the victims from restoring their data after encryption.
This quite sophisticated Mailto strain stores its configuration data, including the base64-encoded ransom note, the e-mail addresses used in the ransom note, the processes to be killed if running, whitelisted paths, file names and extensions, and everything else it needs, as JSON in the .rsrc section of the payload it injects into the explorer process.
After the encryption pass, the infected explorer process kills its parent process, deletes the original sample including the file dropped at %ProgramFiles% and also the RUN entry, trying to eradicate all traces it was ever there.
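The behaviours described above (explorer.exe spawned by an unexpected parent, a Run-key persistence entry, shadow-copy deletion, and the injected process terminating its own parent) are each weak signals on their own but strong in combination. The following Python script is an added illustration of that correlation, not code from Quick Heal or Bleeping Computer: it runs over a constructed list of endpoint telemetry events whose field names, event types and the allow-list of normal explorer.exe parents are all assumptions for this example, and it raises an alert only when an explorer.exe instance with an unexpected parent shows at least two of the follow-on behaviours.

```python
"""Correlate constructed endpoint telemetry for the Mailto 'scapegoat explorer' chain.

All events below are constructed for this example; the field names, event
types and the allow-list of expected explorer.exe parents are assumptions,
not a product's real schema.
"""
import re

# Assumption: processes that normally launch explorer.exe on a Windows host.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}

# Matches any value written under a Run autostart key (case-insensitive).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry (not real logs). 'ts' is an ordering counter.
EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\bob\Downloads\invoice.exe"},
    {"ts": 2, "type": "registry_set", "pid": 4100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Program Files\svc.exe"},
    {"ts": 3, "type": "shadow_copy_delete", "pid": 4100},
    {"ts": 4, "type": "process_terminate", "pid": 4000, "by_pid": 4100},
    # Benign control case: explorer.exe started by userinit.exe at logon.
    {"ts": 5, "type": "process_create", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_scapegoat_explorer(events, min_indicators=2):
    """Return one alert per explorer.exe instance spawned by an unexpected
    parent that then shows at least `min_indicators` chained behaviours."""
    created = {}      # pid -> process_create event
    suspicious = {}   # explorer pid -> alert under construction
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["type"]
        if kind == "process_create":
            created[e["pid"]] = e
            if (basename(e["image"]) == "explorer.exe"
                    and basename(e["parent_image"]) not in EXPECTED_EXPLORER_PARENTS):
                suspicious[e["pid"]] = {
                    "pid": e["pid"],
                    "parent": e["parent_image"],
                    "indicators": ["explorer.exe spawned by unexpected parent"],
                }
        elif kind == "registry_set" and e["pid"] in suspicious:
            if RUN_KEY_RE.search(e["key"]):
                suspicious[e["pid"]]["indicators"].append("Run-key persistence written")
        elif kind == "shadow_copy_delete" and e["pid"] in suspicious:
            suspicious[e["pid"]]["indicators"].append("shadow copies deleted")
        elif kind == "process_terminate" and e.get("by_pid") in suspicious:
            # The injected explorer killing the process that spawned it.
            if e["pid"] == created[e["by_pid"]]["ppid"]:
                suspicious[e["by_pid"]]["indicators"].append("terminated its own parent process")
    return [a for a in suspicious.values() if len(a["indicators"]) >= min_indicators]


if __name__ == "__main__":
    for alert in detect_scapegoat_explorer(EVENTS):
        print(f"ALERT explorer pid={alert['pid']} parent={alert['parent']}")
        for ind in alert["indicators"]:
            print(f"  - {ind}")
```

The control case at the end (explorer.exe launched by userinit.exe) produces no alert, which is the point of keying everything on an unexpected parent first: the Run-key write and shadow-copy deletion only count once they are attributed to an explorer.exe instance that should not exist.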
Mailto ransomware is still being analyzed and it is not yet known if there are any weaknesses in its encryption algorithm that could be used to decrypt locked files for free.
A deeper dive on this can be found on Bleeping Computer: https://www.bleepingcomputer.com/news/security/windows-explorer-used-by-mailto-ransomware-to-evade-detection/