Security Researcher Discovers Weaknesses in Popular Malware
A security researcher known by the moniker hyp3rlinx discovered vulnerabilities in some of the most common ransomware families, including Conti, REvil, LockBit, AvosLocker, and the recently discovered Black Basta.
The discovered weaknesses could be leveraged to stop file encryption before it starts. The researcher analyzed numerous samples from the ransomware groups mentioned above and found that all of them were prone to DLL hijacking, a technique attackers themselves routinely use to get malicious code loaded into legitimate applications.
If an attacker can plant a file on a targeted system (for example through phishing or an existing remote-access foothold), that file is executed the next time a user runs an application vulnerable to DLL hijacking. The technique is specific to Windows and abuses the order in which applications search for, and load into memory, the DLLs they depend on: when a DLL is requested by name rather than by full path, the loader checks the application's own directory before the system directories, so a same-named DLL planted there is the one that gets loaded.
A program that does not validate what it loads will therefore accept a DLL from a path other than the one it intended, and the planted code runs with the privileges of that program. In the vulnerable Conti, REvil, LockBit, LockiLocker, AvosLocker, and Black Basta samples, hyp3rlinx reports that this allows code execution inside the malware process, which can be used to control and terminate it in the pre-encryption phase. The researcher's exploit code must be compiled into a DLL with a specific, sample-dependent file name so that the malware recognizes it as one of its own and loads it before it begins encrypting files.
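To make the defensive use of DLL hijacking concrete, here is an added example of a minimal "vaccine" DLL. It is not hyp3rlinx's proof-of-concept and is not taken from any malvuln report: the file name each sample looks for is sample-specific and not stated in the article, so the placeholder name in the build comments is an assumption, and the function and enum names are this example's own. On Windows the DLL terminates whatever process maps it; the non-Windows branch only supplies stand-in types so the decision logic compiles and can be checked elsewhere.

```c
/*
 * Added example: a "vaccine" DLL that terminates any process that loads it.
 * Not the researcher's PoC. The file name the malware searches for is
 * sample-specific and not given in the article, so <expected-name>.dll is
 * a placeholder to be replaced with the name from the relevant report.
 *
 * Build on Windows (MSVC):   cl /LD vaccine.c /Fe:<expected-name>.dll
 * Cross-build (mingw-w64):   x86_64-w64-mingw32-gcc -shared -o <expected-name>.dll vaccine.c
 *
 * Deploy by placing the DLL where the loader finds it before the intended
 * copy, normally the directory the ransomware executable runs from, which
 * the default Windows search order checks before the system directories.
 */
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins so the decision logic compiles off Windows (assumed values
 * mirror the Windows SDK constants). */
typedef int BOOL;
typedef unsigned long DWORD;
typedef void *HINSTANCE;
typedef void *LPVOID;
#define WINAPI
#define TRUE 1
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
#endif

enum vaccine_action { VACCINE_IGNORE = 0, VACCINE_TERMINATE = 1 };

/* Decide what to do for a DllMain reason code. Only process attach matters:
 * that is the moment the malware has just mapped this DLL, before its own
 * entry point (or the LoadLibrary caller) continues, i.e. pre-encryption.
 * Thread and process detach notifications are ignored. */
enum vaccine_action vaccine_decide(DWORD reason)
{
    return reason == DLL_PROCESS_ATTACH ? VACCINE_TERMINATE : VACCINE_IGNORE;
}

#ifdef _WIN32
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)inst;
    (void)reserved;
    if (vaccine_decide(reason) == VACCINE_TERMINATE) {
        /* Leave a breadcrumb for responders attached with a debugger, then
         * kill the host process. TerminateProcess on ourselves from inside
         * DllMain is abrupt, but the aim is to stop the malware before it
         * reaches its encryption loop, not to shut it down cleanly. */
        OutputDebugStringA("vaccine DLL loaded: terminating host process\n");
        TerminateProcess(GetCurrentProcess(), 1);
    }
    return TRUE;
}
#endif
```

Two caveats a practitioner should keep in mind. First, the DLL must carry exactly the name the sample requests and sit in a directory the loader consults before the legitimate copy, so the name and placement come from the specific report, not from this example. Second, the protection holds only as long as the malware keeps loading that DLL by bare name without checking its origin or signature; a recompiled sample that resolves a full path or validates the module no longer loads the vaccine.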
The researcher published a report for each analyzed sample and weakness, including the sample's hash, proof-of-concept code, and a demo video. He tracks vulnerable malware in his malvuln project.