Kransom Ransomware Exploits DLL Side-Loading and Certificate Misuse
Threat Group: Kransom
Threat Type: Ransomware
Exploited Vulnerabilities: Unpatched software vulnerabilities, phishing
Malware Used: Kransom Ransomware
Threat Score: High (8/10) — Advanced evasion techniques and use of legitimate digital certificates make detection challenging
Last Threat Observation: September 2024, verified through multiple cybersecurity sources
Overview
Kransom ransomware is a newly identified ransomware strain as of September 2024. It camouflages itself within a modified version of the game StarRail, employing DLL side-loading—a technique where legitimate software is tricked into loading a malicious Dynamic Link Library (DLL). By using an altered version of the StarRailBase.dll
file, Kransom operates undetected by many security solutions.
Key Details
- Delivery Mechanism: Kransom is embedded in a legitimate-looking StarRail game installer. When the game is executed, the malicious DLL is loaded, triggering the ransomware’s encryption process.
- Encryption Technique: Utilizes XOR encryption to obscure data effectively, causing significant damage while remaining lightweight.
- Digital Certificate Exploitation: The malicious payload is signed with a valid certificate from COGNOSPHERE PTE. LTD., a legitimate entity. This exploitation makes detection difficult, as the software appears trusted.
- DLL Side-Loading: Kransom places its malicious DLL in the same directory as legitimate game files. Leveraging Windows' DLL handling, it ensures execution during normal software operation, complicating detection by standard security tools.
Attack Vectors
- Phishing Emails: Users are tricked into downloading a modified game installer via phishing campaigns, initiating the infection.
- Unpatched Software: Exploits known vulnerabilities in unpatched systems, particularly through remote services like Remote Desktop Protocol (RDP).
Indicators of Compromise (IoCs)
- Suspicious Network Traffic: Unusual outbound connections when launching StarRail or other modified software.
- File Extensions: Presence of files with the
.kransom
extension. - File Renaming and Encryption: Unusual renaming of files and encryption of backups or system-critical files.
- Modified DLL Files: Existence of a modified
StarRailBase.dll
in the application's directory.
Mitigation and Prevention
- Software Integrity Checks: Regularly verify the integrity of installed software to detect unauthorized modifications.
- Endpoint Security: Deploy Endpoint Detection and Response (EDR) solutions to monitor for DLL side-loading attempts and anomalous system behaviors.
- Regular Patching: Keep all software and operating systems updated to prevent exploitation of known vulnerabilities.
- Certificate Validation: Implement stringent validation of digital certificates, scrutinizing even valid certificates for unexpected usage.
- Offline Backups: Maintain encrypted, offline backups to safeguard against data loss during ransomware attacks.
Conclusion
Kransom ransomware represents a sophisticated threat that combines DLL side-loading with the misuse of legitimate digital certificates. Its ability to hide within trusted software highlights the critical need for advanced security measures, including robust system activity monitoring and rigorous application integrity checks.
Sources
- Halcyon AI, "Kransom Ransomware Attack Leverages DLL Side-Loading and Valid Certificates," September 2024. Halcyon - Recent Ransomware Attacks
- HackRead, "Ransomware Disguised as a Game: Kransom’s Attack Through DLL Side-Loading," September 2024. HackRead Article