Dubbed RIPlace, the technique enables malware to circumvent defenses by using the old “rename” file system and security investigators claim it is effective against systems that are patched and run modern antivirus solutions in good time. RIPlace, the researchers say, can be used to switch files on any Windows XP device or newer Microsoft operating system versions. The researchers note in a detailed report on the findings that most ransomware works by opening and reading the original file, encrypting content in the memory, then writing encrypted content to it / saving an encrypted file and removing the original file or saving the encrypted file, and then re-use Rename to replace that file. When a request for a rename is named (FileRenameInformationClass set to IRP MJ SET INFORMATION), the filter driver gets a callback. If DefiniteDosDevice (a legacy feature that allows a symlink) is named before Rename, the researchers found that an arbitrary device name can be passed along with the original file path as the target. The problem is that the callback function filter driver “fails to decode the destination path using the normal FltGetDestinationFileName Info.” Although an error is returned by passing a DosDevice path, the Rename call succeeds. “With this strategy, the antivirus /anti-ransomware products which are not handling IRP MJ SET INFORMATION callback can also be maliciously encrypted and bypassed. “We assume that malicious actors will exploit this technique to bypass security products that rely on FltGetDestinationFileNameInformation as well as prevent any recording of EDR products for such operation,” the researchers clarify. In spring 2019, the investigators found the methodology and had contact with Microsoft, security vendors, law enforcement and regulators. Unfortunately, only a handful of technology vendors have accepted a patch given the effect of hundreds. Nyotron has released two videos that show how it can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV) and has published a free tool that allows anyone to test their RIPlace evasion software systems and security products.
