Process Doppelgänging: Novel Malware Evasion Technique Plant On All Windows Versions

Influenza A virus subtype H5N1 squad of safety researchers has discovered a novel malware evasion technique that could attention malware authors defeat virtually of the modern antivirus solutions too forensic tools.

Dubbed Process Doppelgänging, the novel fileless code injection technique takes wages of a built-in Windows constituent too an undocumented implementation of Windows procedure loader.

Ensilo safety researchers Tal Liberman too Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held inward London.

Process Doppelgänging Works on All Windows Versions

Apparently, Process Doppelgänging assail plant on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.

Tal Liberman, the caput of the query squad at enSilo, told The Hacker New that this malware evasion technique is like to Process Hollowing—a method showtime introduced years agone past times attackers to defeat the mitigation capabilities of safety products.

In Process Hollowing attack, hackers supersede the retention of a legitimate procedure alongside a malicious code thence that the instant code runs instead of the original, tricking procedure monitoring tools too antivirus into believing that the master copy procedure is running.

Since all modern antivirus too safety products receive got been upgraded to uncovering Process Hollowing attacks, piece of job of this technique is non a bang-up sentiment anymore.

On the other hand, Process Doppelgänging is an solely dissimilar approach to accomplish the same, past times abusing Windows NTFS Transactions too an outdated implementation of Windows procedure loader, which was originally designed for Windows XP, but carried throughout all subsequently versions of Windows.

Here's How the Process Doppelgänging Attack Works:

Before going farther on how this novel code injection assail works, you lot bespeak to empathise what Windows NTFS Transaction is too how an aggressor could leverage it to evade his malicious actions.

NTFS Transaction is a characteristic of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files too directories to last created, modified, renamed, too deleted atomically.

NTFS Transaction is an isolated infinite that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or neglect completely.

According to the researcher, Process Doppelgänging is a fileless assail too plant inward 4 major steps every bit mentioned below:

1. Transact—process a legitimate executable into the NTFS transaction too and thence overwrite it alongside a malicious file.
2. Load—create a retention department from the modified (malicious) file.
3. Rollback—rollback the transaction (deliberately failing the transaction), resulting inward the removal of all the changes inward the legitimate executable inward a means they never existed.
4. Animate—bring the doppelganger to life. Use the older implementation of Windows procedure loader to practise a procedure alongside the previously created retention department (in measuring 2), which is genuinely malicious too never saved to disk, "making it invisible to virtually recording tools such every bit modern EDRs."

Process Doppelgänging Evades Detection from Most Antiviruses

Liberman told The Hacker News that during their query they tested their assail on safety products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, too fifty-fifty advance forensic tools.

In gild to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, alongside Process Doppelgänging to bypass antivirus detection.

When the researchers ran Mimikatz mostly on a Windows operating system, Symantec antivirus solution caught the tool immediately, every bit shown below:

However, Mimikatz ran stealthy, without antivirus displaying whatever alert when executed using Process Doppelgänging, every bit shown inward the icon at top of this article.

Liberman also told us that Process Doppelgänging plant on fifty-fifty the latest version of Windows 10, except Windows 10 Redstone too Fall Creators Update, released before this year.

But due to a dissimilar põrnikas inward Windows 10 Redstone too Fall Creators Update, using Process Doppelgänging causes BSOD (blue covert of death), which crashes users' computers.

Ironically, the crash põrnikas was patched past times Microsoft inward subsequently updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

I don't aspect Microsoft to rush for an emergency piece that could brand only about software relying on older implementations unstable, but Antivirus companies tin upgrade their products to uncovering malicious programs using Process Doppelgänging or like attacks.

This is non the real showtime fourth dimension when enSilo researchers receive got discovered a malware evasion technique. Previously they discovered too demonstrated AtomBombing technique which also abused a designing weakness inward Windows OS.

In September, enSilo researchers also disclosed a 17-year-old programming fault inward Microsoft Windows kernel that prevented safety software from detecting malware at runtime when loaded into organisation memory.

Share This :