New Contacto Ransomware Evades AV Detection & Uses Windows Console for Execution

On January 21, 2025, cybersecurity experts unveiled a detailed analysis of the Contacto Ransomware, a newly identified threat that surfaced earlier this month.

This ransomware demonstrates advanced evasion techniques, suggesting a reliance on established ransomware frameworks while incorporating novel features.

Ransomware Initialization and Privilege Escalation

The Contacto Ransomware initiates its operations by establishing a concealed execution environment.

Utilizing the Windows API, it retrieves the console window handle and subsequently hides it, ensuring its presence remains unnoticed.

A mutex, labeled ContactoMutex, is created to limit execution to a single instance. If an existing mutex is detected, execution ceases.

To maximize its capabilities, the ransomware elevates its own token privileges by iterating through a predefined list and enabling each entry via its SetPrivileges() function.

[Figure: Contacto Ransomware, changed desktop wallpaper]

This function calls the AdjustTokenPrivileges API to enable the following privileges on the process token:

  • SeDebugPrivilege: Grants debugging capabilities across processes.
  • SeRestorePrivilege: Allows restoration of files and directories.
  • SeBackupPrivilege: Bypasses standard file permissions.
  • SeTakeOwnershipPrivilege: Enables ownership of files.
  • SeAuditPrivilege: Permits alterations to audit settings.
  • SeSecurityPrivilege: Provides access to sensitive security operations.
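A detection-side example added here (it is not code from the article or from the researchers' analysis): a small Python rule that flags a single Windows Security event 4703 ("A user right was adjusted") in which one process that is not on an allowlist enables several of the privileges listed above at once. The key=value record layout, the sample events, the allowlist and the threshold are all assumptions constructed for this example.

```python
import re
from typing import Dict, List

# The six privileges the Contacto sample enables through AdjustTokenPrivileges.
CONTACTO_PRIVILEGES = {
    "SeDebugPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
    "SeTakeOwnershipPrivilege", "SeAuditPrivilege", "SeSecurityPrivilege",
}

# Assumed allowlist: system processes expected to adjust several of these rights.
ALLOWLIST = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\services.exe"}

# Constructed records shaped like Security event 4703 (not a real EVTX export).
SAMPLE_EVENTS = [
    "EventID=4703 ProcessName=C:\\Users\\bob\\Downloads\\update.exe "
    "EnabledPrivileges=SeDebugPrivilege,SeRestorePrivilege,SeBackupPrivilege,"
    "SeTakeOwnershipPrivilege,SeAuditPrivilege,SeSecurityPrivilege DisabledPrivileges=-",
    "EventID=4703 ProcessName=C:\\Windows\\System32\\services.exe "
    "EnabledPrivileges=SeDebugPrivilege,SeBackupPrivilege,SeRestorePrivilege DisabledPrivileges=-",
    "EventID=4703 ProcessName=C:\\Program Files\\Backup\\agent.exe "
    "EnabledPrivileges=SeBackupPrivilege,SeRestorePrivilege DisabledPrivileges=-",
    "EventID=4624 ProcessName=C:\\Windows\\System32\\winlogon.exe",
]

# Matches key=value pairs; values may contain spaces (paths), so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def privileges_enabled(event: Dict[str, str]) -> set:
    """Return the set of privileges the event reports as enabled ('-' means none)."""
    raw = event.get("EnabledPrivileges", "-")
    return set() if raw == "-" else set(raw.split(","))


def detect(lines: List[str], threshold: int = 3) -> List[Dict[str, object]]:
    """One alert per 4703 event where a non-allowlisted process enables at least
    `threshold` of the watched privileges in a single token adjustment."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4703":
            continue
        hits = privileges_enabled(ev) & CONTACTO_PRIVILEGES
        if ev.get("ProcessName", "").lower() not in ALLOWLIST and len(hits) >= threshold:
            alerts.append({"process": ev["ProcessName"], "matched": sorted(hits), "count": len(hits)})
    return alerts
```

Generating event 4703 requires the "Audit Token Right Adjusted" subcategory to be enabled; the threshold is there because legitimate backup agents routinely enable SeBackupPrivilege and SeRestorePrivilege together.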

Encryption Mechanism and Data Obfuscation

The encryption phase utilizes a sophisticated multithreading model, optimizing file processing across available CPU resources.

[Figure: threading model used in the ransomware]

The ransomware creates a number of worker threads equal to twice the number of processors and dispatches file encryption tasks to them through an I/O completion port.

The core encryption operation employs a dual-key architecture:

  1. A Primary Key (32 bytes) generated through a hybrid random number generator.
  2. A Secondary Key (8 bytes) derived from a cascading hash-based algorithm.

The ransomware encrypts files in adaptively sized chunks, applying a multi-stage XOR transformation interspersed with bitwise operations to obfuscate the data.

According to the research, each key undergoes iterative SHA-256 hashing, ensuring uniqueness and complexity within the encryption stream.

Furthermore, key whitening and permutation steps add further layers, masking the keys' actual values and shuffling bytes.

By incorporating these advanced techniques, the Contacto Ransomware poses a significant challenge to existing cybersecurity measures, necessitating immediate attention from IT security professionals.

Indicators of Compromise (IOCs)

  • MD5: f36c5298b988e68aa15f72223a445e6d
  • SHA-1: c4f497b7fac36733f445f3f72c392ea7cadcde8c
  • SHA-256: 7ec702b0b999799eb6de4c960814ab46c004536c42085e2cf77a516c4b6ed4e3

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.