Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the tables by finding exploitable bugs in some of the most widely distributed ransomware and malware in circulation today.
Malware from notorious ransomware operations like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, or AvosLocker, all came with security issues that could be exploited to stop the final and most damaging step of the attack, file encryption.
Exploit code available
Analyzing malware strains from these ransomware gangs, a security researcher named hyp3rlinx found that the samples were vulnerable to DLL hijacking, a method usually leveraged by attackers to inject malicious code into a legitimate application.
For each malware piece analyzed, the researcher provides a report that describes the type of vulnerability found, the hash of the sample, a proof-of-concept (PoC) exploit, and a demo video.
DLL hijacking is Windows-specific and abuses the way applications locate and load the Dynamic Link Library (DLL) files they depend on: when a program requests a DLL by name only, Windows walks a fixed search order of directories until it finds a file with that name.
A program that does not verify where a DLL comes from (by loading it via a bare name rather than a fully qualified path, or without checking its signature) can therefore be made to load an attacker-supplied DLL of the same name from a directory the attacker controls, executing unwanted code in the program's own security context and, if the program runs with higher privileges, elevating the attacker to them.
For vulnerable ransomware samples from Conti, REvil, LockBit, Black Basta, LockiLocker, and AvosLocker, the researcher says that their exploit allows executing code to “control and terminate the malware pre-encryption.”
To leverage the vulnerabilities in the malware from the above gangs, the researcher created exploit code that must be compiled into a DLL with a specific file name, one the malware expects to find among its own dependencies. The malware loads it as if it were that dependency before it begins encrypting data, and the code in the DLL then runs inside the malware's process.
The researcher also published a video demonstrating the DLL hijacking exploit against REvil ransomware, in which the malware is terminated before the encryption process begins.
To defend against these ransomware families, hyp3rlinx says that the DLL can be placed in a location where cybercriminals are likely to run their ransomware, such as a network location with important data.
Once the exploit DLL is loaded, the ransomware process should terminate before starting the data encryption operation.
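The following is an added example, written for this page, of a defensive "vaccine" DLL of the kind described above; it is not hyp3rlinx's own PoC code, and the file name the DLL has to carry (the dependency name the target sample tries to load) comes from the researcher's per-sample report and is not repeated here. It illustrates both the mechanism (a DLL loaded by name is executed inside the loading process, so its `DllMain` runs before the loader's own code continues) and the defensive use (terminate the host before any encryption routine runs). Two things are added that a plain "terminate on load" stub lacks and that matter in practice: an allow-list so that a legitimate program that happens to pick up the same-named DLL from the protected share is not killed, and a log line so defenders learn that something loaded it. The allow-list entries, the log path and the build commands are assumptions for the example; the decision helper is plain C so it compiles and can be unit-tested on any platform, while the `DllMain` entry point is guarded by `_WIN32`.

```c
/*
 * vaccine.c - added example for this page, not the researcher's PoC.
 *
 * Build as a DLL whose file name matches the dependency name given in the
 * per-sample report (assumed toolchains):
 *   x86_64-w64-mingw32-gcc -shared -o <name-from-report>.dll vaccine.c
 *   cl /LD /Fe:<name-from-report>.dll vaccine.c
 */
#include <stddef.h>
#include <string.h>

/* Hypothetical allow-list: legitimate programs that may also load a DLL of
 * this name from the protected directory and must not be terminated. */
static const char *const k_allowed_hosts[] = {
    "explorer.exe",
    "backup-agent.exe",   /* hypothetical in-house backup tool */
};

/* ASCII case-insensitive string equality. Written by hand so it depends on
 * neither locale nor CRT state, which keeps it safe to call from DllMain. */
static int ieq(const char *a, const char *b)
{
    for (;; a++, b++) {
        unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca = (unsigned char)(ca + ('a' - 'A'));
        if (cb >= 'A' && cb <= 'Z') cb = (unsigned char)(cb + ('a' - 'A'));
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
}

/* File-name component of a Windows path ("C:\x\y.exe" -> "y.exe").
 * Both separators are accepted because callers may supply either. */
const char *vaccine_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    return base;
}

/* Verdict for the process that just loaded this DLL.
 * Returns 1 = terminate (any unknown loader is suspect; fail closed),
 *         0 = leave alone (image name is on the allow-list). */
int vaccine_should_terminate(const char *host_image_path)
{
    const char *exe = vaccine_basename(host_image_path);
    if (*exe == '\0') return 1;   /* could not learn who loaded us: fail closed */
    for (size_t i = 0; i < sizeof k_allowed_hosts / sizeof k_allowed_hosts[0]; i++)
        if (ieq(exe, k_allowed_hosts[i])) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>

#define VACCINE_LOG_PATH "C:\\ProgramData\\vaccine.log"   /* assumed location */

/* Append "<host> -> <verdict>" to the log. Only kernel32 calls are used:
 * DllMain runs under the loader lock, so nothing that might load further
 * DLLs (e.g. most of the CRT's stdio) may be called from here. */
static void log_event(const char *host, const char *verdict)
{
    HANDLE h = CreateFileA(VACCINE_LOG_PATH, FILE_APPEND_DATA,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return;
    const char *parts[] = { host, " -> ", verdict, "\r\n" };
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        DWORD written = 0;
        WriteFile(h, parts[i], (DWORD)strlen(parts[i]), &written, NULL);
    }
    CloseHandle(h);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL; (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        char host[MAX_PATH];
        /* NULL module handle = the image of the process that loaded us. */
        DWORD n = GetModuleFileNameA(NULL, host, sizeof host);
        if (n == 0 || n >= sizeof host) host[0] = '\0';
        if (vaccine_should_terminate(host)) {
            log_event(host, "terminated");
            /* The loader has not yet returned control to the host's code,
             * so this runs before any encryption routine. Exit code is arbitrary. */
            TerminateProcess(GetCurrentProcess(), 0xDEAD);
        } else {
            log_event(host, "allowed");
        }
    }
    return TRUE;
}
#endif
```

Two caveats when deploying something like this: the DLL is only picked up if the sample's search order actually reaches the directory it sits in (an application's own directory or its working directory, depending on how the sample runs), and Windows serves the names on the KnownDLLs list from System32 regardless of search order, so a vaccine given one of those names never loads. The per-sample reports are therefore the authority on which name works for which family.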
The researcher notes that while malware can terminate security solutions on the compromised machine, it can’t do anything against DLLs since they are just files stored on the host’s disk, inert until loaded.
It is unclear which versions of the ransomware malware hyp3rlinx found to be vulnerable to DLL hijacking.
If the samples are new, it is likely that the exploit will work only for a short time because ransomware gangs are quick to fix bugs, especially when they hit the public space.
Even if these findings remain viable for a while longer, companies targeted by ransomware gangs still run the risk of having important files stolen and leaked, as exfiltrating data to pressure the victim into paying is part of these threat actors' modus operandi.
However, hyp3rlinx's exploits could still prove useful in preventing operational disruption, which can cause significant damage on its own.
More vulnerable malware
hyp3rlinx tracks this work under the Malvuln project, which focuses on finding vulnerabilities in various malware pieces, from trojans and backdoors to spyware and infostealers.
The researcher's latest report on vulnerabilities in malware is for RedLine, an information stealer that has become widely popular on hacker forums.
It collects sensitive information such as logins from web browsers, messaging platforms (Telegram, Discord), FTP clients, Steam, and it also targets cryptocurrency wallets.