Tuesday, January 21, 2025
Homecyber securityNew Contacto Ransomware Evades AV Detection & Uses Windows Console for Execution

New Contacto Ransomware Evades AV Detection & Uses Windows Console for Execution

Published on

SIEM as a Service

Follow Us on Google News

In early January 2025, a new ransomware strain identified as Contacto surfaced, showcasing advanced techniques designed to bypass conventional security measures.

This analysis provides insights into its operational mechanisms, particularly suited for professionals venturing into ransomware analysis.

Operational Mechanisms

Upon execution, Contacto ransomware employs the GetConsoleWindow() and ShowWindow() functions to retrieve and conceal its command prompt, ensuring stealth during execution.

It establishes a mutex named ContactoMutex to prevent multiple instances of itself from running simultaneously.

To maximize its control over the infected system, Contacto escalates privileges.

It iterates through a predefined list of security privileges such as SeDebugPrivilege and SeTakeOwnershipPrivilege and utilizes the SetPrivileges() function to enable these rights via the AdjustTokenPrivileges API.

This escalation allows the ransomware to manipulate system files and settings effectively.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Encryption Process

Contacto employs an innovative threading model that enhances the efficiency of file encryption.

Ransomware Evades AV Detection
Threading Model Used In Ransomware

By determining the number of available processors, the system creates double the number of threads, which facilitates a streamlined workflow.

Each thread is tasked with executing a worker function dedicated to file access.

This design ensures sequential access and modification rights through meticulous error handling, thereby minimizing the risk of disruptions and optimizing resource utilization.

The encryption process begins with dynamic key generation, where Contacto produces two cryptographic keys: a primary key (32 bytes) and a secondary key (8 bytes).

These keys are generated using a hybrid random number generator, ensuring a strong foundation of randomness.

To further bolster security, the keys undergo hashing through iterative SHA-256 rounds, which guarantees that each file is encrypted with a unique key combination.

According to the research, this approach significantly enhances the security of the encryption process, making it resilient against potential decryption attempts.

In addition to its threading and key generation strategies, Contacto utilizes a chunk-based encryption method.

Rather than encrypting entire files, the system focuses on specific segments, such as headers and footers, utilizing adaptive chunk sizes tailored to the performance capabilities of the system and the size of the files.

This targeted approach not only speeds up the encryption process but also helps maintain a degree of file integrity, rendering recovery efforts more complex and challenging for unauthorized users.

By optimizing performance while safeguarding the content, Contacto effectively balances security and efficiency in its encryption procedures.

The ransomware’s final acts include modifying system configurations, such as disabling Windows Defender through registry manipulation and deleting backup copies to hinder recovery attempts.

Ransomware Evades AV Detection
Ransom Note

Additionally, it implements a visual alteration of the victim’s desktop by changing the wallpaper to display a ransom note.

The Contacto ransomware represents a sophisticated threat, employing advanced techniques for system infiltration, data encryption, and stealth operations, making it a critical subject for ongoing cybersecurity vigilance and analysis.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

PoC Exploit Released for TP-Link Code Execution Vulnerability(CVE-2024-54887)

A security researcher, exploring reverse engineering and exploit development, has successfully identified a critical...

Brave Browser Vulnerability Allows Malicious Website Appears as Trusted One

A security vulnerability has been identified in Brave Browser, potentially allowing malicious websites to...

Beware! Fake SBI Reward APK Attacking Users to Deliver Android Malware

A recent phishing campaign has targeted customers of SBI Bank through a deceptive message...

Gootloader Malware Employs Blackhat SEO Techniques To Attack Victims

The Gootloader malware family employs sophisticated social engineering tactics to infiltrate computers.By leveraging...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Microsoft Rolls Out New Administrator Protection Feature Under Windows Security

Microsoft has announced the release of Windows 11 Insider Preview Build 27774 to the...

Ransomware Attack Forces UK Brit High School to Close Doors For Students

A ransomware attack has compelled UK Brit, a prominent British high school, to close...

FunkSec Ransomware Dominating Ransomware Attacks, Compromised 85 Victims In December

FunkSec is a RaaS operator that makes use of artificial intelligence and demonstrates how...