TangleCrypt: The New Windows Packer Empowering Ransomware to Evade Detection
TangleCrypt is a Windows malware packer built to wrap the tooling used in ransomware intrusions so that it slips past endpoint detection and response (EDR) products. It was identified in September 2025 during a Qilin ransomware incident, and the payload it was protecting in that case was an EDR killer rather than the ransomware itself.
Unveiling TangleCrypt’s Mechanisms
TangleCrypt hides its payload under several layers. The original executable is stored in the loader's Portable Executable (PE) resources, wrapped in XOR encryption, LZ78 compression and base64 encoding. None of these layers is cryptographically strong; their job is to keep the payload out of any readable section of the file on disk, so that static signatures and string scans see only the loader and an analyst has to recover the unwrapping order before the payload can be examined.
Security researchers at WithSecure Labs identified TangleCrypt during an incident response investigation. The artifacts they recovered included executables packed with TangleCrypt and VMProtect, together with a kernel driver masquerading as a legitimate CrowdStrike Falcon Sensor driver. The embedded payload was identified as STONESTOP, an EDR-killer tool that uses the ABYSSWORKER driver to forcibly terminate security-product processes on the system.
Payload Execution Strategies
TangleCrypt supports two methods of executing its payload. Which one the loader uses is selected by a configuration string appended to the embedded executable:
1. In-Process Execution: selected by the string exex64_amd64_block_; the loader decrypts the payload and runs it inside its own process memory, so no new process appears.
2. Child Process Execution: selected by exex64_amd64__riin; the loader creates a suspended child process, writes the decrypted payload into it, and then resumes it, so the payload runs under the child's process identity.
At run time the loader first decrypts a small resource entry holding a numeric key (175438 in the analyzed sample). That key is the XOR key for the larger payload resource. The unpacking order is: base64 decode, LZ78 decompress, base64 decode again, then XOR decrypt with the key, which yields the original executable. Because the key lives in its own resource entry, a static extraction needs both entries, not just the payload blob.
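The two execution markers and the four-layer unwrap described above, as an added worked example. This is not code from the WithSecure write-up or from the malware; it is a reference implementation of the layering as the text describes it, with a pack() side so the round trip can be checked. Everything the write-up does not specify is an assumption and is marked as such in the code: the LZ78 token layout, the key being stored as ASCII decimal, the numeric key being applied as a repeating 4-byte little-endian mask, and the marker being appended to the plaintext before encryption. The sample payload is a constructed MZ-headed stand-in, not a real PE.

```python
import base64

# Execution-mode markers appended to the embedded executable (from the write-up).
IN_PROCESS_MARKER = b"exex64_amd64_block_"
CHILD_PROCESS_MARKER = b"exex64_amd64__riin"
MARKERS = {IN_PROCESS_MARKER: "in-process", CHILD_PROCESS_MARKER: "child-process"}

DICT_LIMIT = 0x10000  # uint16 index space; reset the dictionary when it fills (assumed)


def lz78_compress(data: bytes) -> bytes:
    """Toy LZ78. Token = 2-byte big-endian dictionary index + 1 literal byte.
    The real token layout is not documented in the write-up; this one is an assumption."""
    dictionary = {b"": 0}
    out = bytearray()
    w = b""
    for byte in data:
        wc = w + bytes([byte])
        if wc in dictionary:
            w = wc
            continue
        out += dictionary[w].to_bytes(2, "big") + bytes([byte])
        dictionary[wc] = len(dictionary)
        if len(dictionary) == DICT_LIMIT:
            dictionary = {b"": 0}
        w = b""
    if w:  # flush: w is in the dictionary, so its prefix w[:-1] is too
        out += dictionary[w[:-1]].to_bytes(2, "big") + w[-1:]
    return bytes(out)


def lz78_decompress(data: bytes) -> bytes:
    """Inverse of lz78_compress; mirrors its dictionary reset so indices stay in sync."""
    if len(data) % 3:
        raise ValueError("truncated LZ78 stream")
    entries = [b""]
    out = bytearray()
    for i in range(0, len(data), 3):
        index = int.from_bytes(data[i:i + 2], "big")
        if index >= len(entries):
            raise ValueError("LZ78 index points past the dictionary")
        entry = entries[index] + data[i + 2:i + 3]
        out += entry
        entries.append(entry)
        if len(entries) == DICT_LIMIT:
            entries = [b""]
    return bytes(out)


def xor_with_numeric_key(data: bytes, key: int) -> bytes:
    """Apply the numeric key as a repeating 4-byte little-endian mask (assumed layout).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    mask = key.to_bytes(4, "little")
    return bytes(b ^ mask[i % 4] for i, b in enumerate(data))


def parse_key_resource(blob: bytes) -> int:
    """The small key resource is assumed to hold ASCII decimal, e.g. b'175438'."""
    return int(blob.decode("ascii").strip())


def pack(payload: bytes, key: int, marker: bytes) -> bytes:
    """Build a resource the way the loader expects to unwind it:
    XOR -> base64 -> LZ78 -> base64 (the reverse of the unpacking order)."""
    if marker not in MARKERS:
        raise ValueError("unknown execution-mode marker")
    stage = xor_with_numeric_key(payload + marker, key)  # marker placement is assumed
    stage = base64.b64encode(stage)
    stage = lz78_compress(stage)
    return base64.b64encode(stage)


def unpack(resource: bytes, key: int) -> tuple[bytes, str]:
    """Unwind the layers in the order the write-up gives: base64, LZ78, base64, XOR.
    Returns the embedded executable and the execution mode its marker selects."""
    stage = base64.b64decode(resource, validate=True)
    stage = lz78_decompress(stage)
    stage = base64.b64decode(stage, validate=True)
    plain = xor_with_numeric_key(stage, key)
    for marker, mode in MARKERS.items():
        if plain.endswith(marker):
            executable = plain[: -len(marker)]
            break
    else:
        raise ValueError("no execution-mode marker found: wrong key or not a TangleCrypt-style blob")
    if executable[:2] != b"MZ":
        raise ValueError("unpacked data does not start with an MZ header")
    return executable, mode


# Constructed stand-in for an embedded executable: an MZ header followed by filler.
# It is not a real PE and not a sample from the incident.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 3 + bytes(range(256))

if __name__ == "__main__":
    key = parse_key_resource(b"175438")
    resource = pack(SAMPLE_PAYLOAD, key, CHILD_PROCESS_MARKER)
    executable, mode = unpack(resource, key)
    assert executable == SAMPLE_PAYLOAD
    print(f"{len(resource)} resource bytes -> {len(executable)} payload bytes, mode={mode}")
```

When working from a real sample, the two resource entries and parse_key_resource() are what you replace; everything downstream depends on matching the loader's actual LZ78 serialization, so the decompressor is the part to confirm against the loader's own code. One property of the layout assumed here is worth noticing: 175438 is 0x0002AD4E, so its high byte is zero and every fourth byte of the payload survives the XOR unchanged. That is a reminder that this kind of keying is about defeating signatures, not providing confidentiality, and a wrong-key attempt is caught here only because the trailing marker and the MZ header fail to appear.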
The Role of STONESTOP and ABYSSWORKER
Once unpacked, STONESTOP checks whether it is running with administrative privileges, which it needs because installing a kernel driver requires them. If it is elevated, it registers the ABYSSWORKER driver and uses it to terminate processes belonging to security products, leaving the host without active defenses before the ransomware is deployed.
Implications for Cybersecurity
TangleCrypt is not novel cryptography; it is a delivery wrapper whose value to the operator lies in carrying an EDR killer (STONESTOP plus ABYSSWORKER) onto a host without tripping file-based detection. Defenses that key on the packed file alone will miss the next repack; defenses that key on what the payload does, installing a driver and killing processes, are far more durable.
Recommendations for Defense
To mitigate the threat posed by TangleCrypt, organizations should consider the following strategies:
– Behavioral Detection: Signatures for the packed loader will not survive a repack or a fresh VMProtect build. Alert instead on the behaviors the unpacked payload cannot avoid: a process created suspended and written to before it is resumed, a new kernel-mode driver service being installed, and security-product processes being terminated in quick succession.
– Driver Auditing: Review kernel-mode driver installations (System log Event ID 7045, Sysmon Event ID 6 DriverLoad) and verify the Authenticode signer and file hash of anything that claims to belong to a security vendor, since ABYSSWORKER was dressed up as a CrowdStrike Falcon Sensor driver. Keep Microsoft's vulnerable driver blocklist enforced so known abusable drivers cannot load regardless of what they are named.
– User Education: Train employees to recognize phishing and the other common vectors used to deliver loaders like TangleCrypt.
– Patch Management and Least Privilege: TangleCrypt itself exploits no vulnerability, but STONESTOP only installs ABYSSWORKER when it already holds administrative rights. Timely patching of privilege-escalation bugs and removing standing local administrator rights deny the EDR-killing step its precondition.
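The driver-auditing item above, as an added example that is not part of the original article: triage logic run over constructed System log Event ID 7045 ("A service was installed in the system") records, flagging kernel-mode driver installs whose image sits outside the usual driver directories or whose name borrows a security vendor's identity. The field names follow the 7045 message body; the sample records, the vendor-hint list and the directory allowlist are constructed and should be tuned to the estate.

```python
from pathlib import PureWindowsPath

# Fields of a System log Event ID 7045 record. These records are constructed for
# the example; they are not taken from the incident.
SAMPLE_7045_EVENTS = [
    {"ServiceName": "exampledrv", "ServiceFileName": r"\SystemRoot\System32\drivers\exampledrv.sys",
     "ServiceType": "kernel mode driver", "ServiceStartType": "demand start"},
    {"ServiceName": "UpdaterSvc", "ServiceFileName": r"C:\Program Files\Example\updater.exe",
     "ServiceType": "user mode service", "ServiceStartType": "auto start"},
    {"ServiceName": "CSFalconSensor", "ServiceFileName": r"\??\C:\Users\Public\csagent.sys",
     "ServiceType": "kernel mode driver", "ServiceStartType": "demand start"},
]

# Directories where driver images normally live (assumed allowlist; extend as needed).
EXPECTED_DRIVER_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore"),
)
# Names an impostor driver would borrow; add the vendors deployed in your estate (assumed list).
VENDOR_HINTS = ("crowdstrike", "falcon", "csagent")


def normalize_image_path(raw: str) -> PureWindowsPath:
    """Fold the NT-style spellings that appear in 7045 records onto a plain Win32 path."""
    path = raw.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    lowered = path.lower()
    if lowered.startswith("\\systemroot\\"):
        path = "C:\\Windows" + path[len("\\systemroot"):]
    elif lowered.startswith("system32\\"):
        path = "C:\\Windows\\" + path
    return PureWindowsPath(path)


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive prefix test on path components (Windows paths are case-insensitive)."""
    parts = [p.lower() for p in path.parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[:len(root_parts)] == root_parts


def triage_driver_install(event: dict) -> list[str]:
    """Return review reasons for one 7045 record; an empty list means nothing to flag."""
    if event["ServiceType"].lower() != "kernel mode driver":
        return []  # user-mode services are out of scope for this check
    reasons = []
    image = normalize_image_path(event["ServiceFileName"])
    if not any(is_under(image, root) for root in EXPECTED_DRIVER_ROOTS):
        reasons.append(f"kernel driver image outside the expected driver directories: {image}")
    haystack = f"{event['ServiceName']} {image.name}".lower()
    if any(hint in haystack for hint in VENDOR_HINTS):
        reasons.append("claims a security-vendor identity: verify the Authenticode signer "
                       "and file hash against the vendor's known-good driver")
    return reasons


def triage_events(events: list[dict]) -> dict[str, list[str]]:
    """Map service name -> reasons for every record that earned at least one reason."""
    flagged = {}
    for event in events:
        reasons = triage_driver_install(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_events(SAMPLE_7045_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

This is a review prompt, not a verdict: legitimate third-party drivers do install outside System32\drivers, and a driver with a clean-looking path can still be malicious, so the path rule only orders the queue. The decisive checks are the ones the script cannot do offline: confirm the signer and hash of anything flagged (Sysmon Event ID 6 records both), and treat a kernel driver that claims a vendor's name but fails that comparison as an ABYSSWORKER-style impostor.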
Conclusion
TangleCrypt is a meaningful step in packers built to carry EDR killers past detection on the way to a ransomware deployment. Its discovery is a reminder that defenses need to track what an unpacked payload does on the host, and deny it the privileges it needs to do it, rather than rely on recognizing the packed file.