A newly discovered Windows malware packer named TangleCrypt has emerged as a significant threat in ransomware attacks, specifically designed to evade endpoint detection and response (EDR) solutions.
The packer was first observed during a September 2025 ransomware incident involving Qilin ransomware, where threat actors deployed it alongside the ABYSSWORKER driver to disable security tools before encrypting victim systems.
TangleCrypt works by hiding malicious payloads behind multiple layers of encoding, compression, and encryption. The original executable is stored inside PE resources using base64 encoding, LZ78 compression, and XOR encryption.
This multi-layer approach makes it difficult for traditional security tools to detect the actual malware hidden inside the packed executable.
WithSecure Labs security researchers identified the malware during an incident response investigation, recovering artifacts including two executables packed with TangleCrypt and VMProtect, along with a kernel driver masquerading as a CrowdStrike Falcon Sensor driver.
The payload embedded in these executables was identified as STONESTOP, an EDR-killer tool that uses the ABYSSWORKER driver to forcibly terminate security processes running on the system.
The packer employs string encryption and dynamic import resolution to hinder both static and dynamic analysis.
Although malware authors commonly use these techniques, the TangleCrypt implementation lacks advanced anti-analysis mechanisms, making manual unpacking relatively straightforward for experienced analysts.
Payload Execution Mechanism
TangleCrypt supports two distinct methods for launching its payload, determined by a configuration string appended to the embedded executable.
The first method, identified by the string “exex64_amd64_block_”, decrypts and executes the payload within the same process memory.
The second method, marked with “exex64_amd64__riin”, creates a suspended child process and writes the decrypted payload into it before resuming execution.
ProcessMonitor log of ‘b1.exe’ starting a child process of itself (Source: WithSecure Labs)
When executed, the loader first decrypts a small resource entry containing a numeric key, such as “175438”. This key is then used to XOR-decrypt the larger payload stored in the PE resources.
The decryption process follows a fixed sequence: the base64-encoded string is decoded, then LZ78-decompressed, decoded again from base64, and finally XOR-decrypted to reveal the original executable.
Upon successful unpacking, the STONESTOP payload checks for administrative privileges and registers the ABYSSWORKER driver if elevated rights are present.
The driver then terminates processes matching a predefined list of security product names, effectively blinding the system’s defenses before ransomware deployment begins.
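The four-step unpacking chain above, re-implemented as an added analyst-side example; this is not code from WithSecure's analysis or from TangleCrypt itself. The LZ78 token layout and the use of the numeric key's ASCII digits as a cycled XOR keystream are assumptions, and the packed sample is constructed inside the script.

```python
import base64
# Constructed sample, not real TangleCrypt data. Assumptions: LZ78 tokens are a
# 2-byte big-endian dictionary index followed by one literal byte (a final token
# may be index-only), and the numeric key's ASCII digits form a cycled XOR keystream.

def xor_with_key(data: bytes, key: str) -> bytes:
    kb = key.encode()
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))

def lz78_compress(data: bytes) -> bytes:
    """Classic LZ78 encoder; only used here to build the sample resource."""
    table, out, phrase = {b"": 0}, bytearray(), b""
    for b in data:
        cand = phrase + bytes([b])
        if cand in table:
            phrase = cand
            continue
        out += table[phrase].to_bytes(2, "big") + bytes([b])
        table[cand] = len(table)
        phrase = b""
    if phrase:  # trailing phrase with no following literal
        out += table[phrase].to_bytes(2, "big")
    return bytes(out)

def lz78_decompress(blob: bytes) -> bytes:
    """Rebuild the dictionary token by token, rejecting out-of-range indices."""
    entries, out, i = [b""], bytearray(), 0
    while i + 2 <= len(blob):
        idx = int.from_bytes(blob[i:i + 2], "big")
        i += 2
        if idx >= len(entries):
            raise ValueError("corrupt LZ78 stream: index %d out of range" % idx)
        phrase = entries[idx]
        if i < len(blob):  # every token but possibly the last carries a literal
            phrase += blob[i:i + 1]
            i += 1
        entries.append(phrase)
        out += phrase
    return bytes(out)

def pack(payload: bytes, key: str) -> bytes:
    """Apply the layers in reverse of the unpacking order: XOR, base64, LZ78, base64."""
    return base64.b64encode(lz78_compress(base64.b64encode(xor_with_key(payload, key))))

def unpack(resource: bytes, key: str) -> bytes:
    """base64 decode -> LZ78 decompress -> base64 decode -> XOR decrypt."""
    return xor_with_key(base64.b64decode(lz78_decompress(base64.b64decode(resource))), key)

SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the STONESTOP PE " * 3
SAMPLE_KEY = "175438"  # the numeric key value quoted in the write-up
PACKED = pack(SAMPLE_PAYLOAD, SAMPLE_KEY)
```

Against a real sample the token format and key handling would have to be confirmed from the loader's decryption routine; the chain order itself is what the write-up describes.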
