The Kransom ransomware has been found embedded within the StarRail gaming application, employing DLL side-loading tactics alongside a legitimate certificate from COGNOSPHERE PTE. LTD. This malware successfully evades detection while delivering its encrypted payload. Analysts can study this threat within the interactive sandbox provided by ANY.RUN.
Investigators at ANY.RUN have unveiled that the Kransom ransomware masquerades as gameplay software to steer clear of security protocols. Utilizing DLL side-loading, this ransomware executes its harmful payload by leveraging a valid certificate from COGNOSPHERE PTE. LTD., thereby enhancing its disguise and complicating detection efforts.
Overview of Kransom Ransomware
Disguised within the StarRail game, Kransom ransomware cleverly uses the familiarity of legitimate software to manipulate users. By storing a DLL file in the game’s directory, this malware contains its malicious encrypted code, a technique known as DLL side-loading that allows it to hijack the application’s execution.
The execute process adheres to a technique where a harmless-looking executables loads malicious components, complicating security responses and enhancing the stealth of the ransomware.
Legitimate Certificate with Malicious Intent
A particularly insidious feature of Kransom is its reliance on a legitimate certificate from COGNOSPHERE PTE. LTD. This enables the ransomware to circumvent standard security barriers, misleading systems into perceiving the software as benign. The manipulation of trusted certificates allows the malware to execute its objectives under the radar of many traditional security systems.
The malicious actions transpire when the executable loads the StarRailBase.dll file, triggering the ransomware’s attack sequence. This demonstrates the effective use of a seemingly harmless DLL file to initiate a serious threat.
How Kransom Ransomware Works
Researchers can analyze the operational mechanics of Kransom ransomware by submitting samples into a malware analysis environment like ANY.RUN. Such controlled settings enable qualitative investigations of malware interactions from the initiation phase to the execution of its payload.
In this case, the legitimate StarRail game acts as a facade for the ransomware, which requires the malicious StarRailBase.dll file to function effectively. This DLL serves as the carrier for the ransomware’s encrypted payload, initiated by the game’s executable file.
It’s important for users to recognize that the StarRail game, produced by HoYoverse, remains secure when utilized in its original form. However, Kransom utilizes the game’s directory structure to infiltrate and install its harmful code, making detection challenging for end users.
The ransomware’s code, located within the DLL, is encrypted with XOR encryption, which obscures its detection capabilities. Analytical tools like ANY.RUN provide clarity into what has been obscured, assisting security analysts in identifying the underlying threat.
Upon activation, users encounter a notification reading: “I believe you’ve encountered some problems. Email to hoyoverse for solutions.” This serves both as a manipulation tactic and a method of further engaging victims into a cycle of panic.
For business owners wanting to delve deeper into this malware, a search for other samples in ANY.RUN’s TI Lookup tool could yield valuable insights.
Try ANY.RUN Sandbox for Free
Business owners interested in understanding malware and phishing threats can create a free account with ANY.RUN to analyze their own samples within a fully interactive Windows 10 x64 or Linux VM environment. The cloud sandbox allows users to engage directly with files and URLs, mirroring typical computer interactions, including downloading attachments and solving CAPTCHAs.
For those seeking additional functionality such as private sessions and collaboration capabilities, a 14-day trial can be requested through ANY.RUN’s official website, providing further resources for comprehensive security analysis.
RELATED TOPICS
- Analysis of Top Infostealers: Redline, Vidar and Formbook
- New Ransomware Locks Files & Asks Victims to Play PUBG Game
- This Ransomware Tells Users to Play a Japanese Game – That’s All
- PythonAnywhere Cloud Platform Abused for Hosting Ransomware
- New Ransomware Asks User to Play a Game While Encrypting Data
Source Link : https://hackread.com/ransomware-disguised-game-kransoms-attack-dll-side-loading/
