Researchers by cybersecurity firm Nyotron has discovered a new way that lets windows malware to modify files in a unique style that current anti-ransomware solutions are unable to identify.



The technique [1] exploits documented Windows file system rename operations, altering also the content of files (and eventually encrypt it), in a way that makes them invisible to security products’ filter drivers [2]:

Every time a Rename request is being called (specically, 3IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the lter driver gets a callback, so that it could lter the request. If prior to calling Rename, we call DeneDosDevice (a legacy function that creates a symlink), we can pass an arbitrary name as the device name, and the original le path, as the target to point on. This way we can get our device "XY" to refer to "C:\passwords.txt".

The RIPlace discovery is that in the callback function lter driver fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation. It returns an error when passing a DosDevice path (instead of returning the path, post-processed); however, the Rename call succeeds.

Using this technique, it is possible to maliciously encrypt les and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback.

We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products.

This technique is applicable on all versions of Microsoft Windows starting from Windows XP to the latest updated Windows 10 with fully up-to-date AV, NGAV and EDR security products installed.

Researchers also published a short demonstration video, where RIPlace technique was used to bypass Windows Defender:

https://www.youtube.com/watch?v=S2On-R6ecik


Nyotron followed the responsible disclosure policy by informing Microsoft, security vendors and all relevant law enforcement and regulatory authorities.
Further, it released a free testing tool [3] to check vulnerability on Windows systems.


References

  1. RIPlace | Nyotron
  2. RIPlace Evasion Technique
  3. RIPlace testing tool