A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most modern antivirus solutions as well as forensic tools.
Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader.
enSilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at the Black Hat 2017 security conference held in London.
Process Doppelgänging Works on All Windows Versions
Apparently, the Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, from Windows Vista to the latest edition of Windows 10.
Tal Liberman, the head of the research team at enSilo, told The Hacker News that this new malware evasion technique is similar to Process Hollowing, a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.
In a Process Hollowing attack, hackers replace the memory of a legitimate process with malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.
Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, using this technique is no longer a good idea.
Process Doppelgänging, on the other hand, is an entirely different approach to achieving the same goal: it abuses Windows NTFS Transactions and an outdated implementation of the Windows process loader that was originally designed for Windows XP but has been carried through all later versions of Windows.
Here’s How the Process Doppelgänging Attack Works:
Before going further into how this new code injection attack works, you need to understand what a Windows NTFS Transaction is and how an attacker could leverage it to evade detection of his malicious actions.
NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.
An NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.
According to the researchers, Process Doppelgänging is a fileless attack and works in four major steps:
- Transact: process a legitimate executable within an NTFS transaction and then overwrite it with a malicious file.
- Load: create a memory section from the modified (malicious) file.
- Rollback: roll back the transaction (deliberately failing it), removing all the changes to the legitimate executable as if they never existed.
- Animate: bring the doppelgänger to life. Use the older implementation of the Windows process loader to create a process from the previously created memory section (from step 2), which is actually malicious and never saved to disk, “making it invisible to most recording tools such as modern EDRs.”
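One consequence of the rollback step is that the file on disk stays clean while the process runs an image that never came from it, so a defender can compare the PE header a process has mapped in memory against the header of the file it claims to be backed by. The following is an added example of that check, not code from the researchers or this article; reading a live process's memory is Windows-specific and left to the caller, so the example takes both images as byte strings and tests itself with constructed headers.

```python
import struct

# Header field offsets (PE format): DOS header, COFF header, optional header.
E_LFANEW_OFF = 0x3C        # DOS header: file offset of the "PE\0\0" signature
COFF_TIMESTAMP_OFF = 4     # COFF header: TimeDateStamp
OPT_ENTRY_OFF = 16         # optional header: AddressOfEntryPoint
OPT_SIZEOFIMAGE_OFF = 56   # optional header: SizeOfImage
OPT_CHECKSUM_OFF = 64      # optional header: CheckSum


def pe_header_fields(image: bytes) -> dict:
    """Parse a few header fields that identify a build of a PE; they are the same
    in a file on disk and in a clean mapping of that file in process memory."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    return {
        "TimeDateStamp": struct.unpack_from("<I", image, coff + COFF_TIMESTAMP_OFF)[0],
        "AddressOfEntryPoint": struct.unpack_from("<I", image, opt + OPT_ENTRY_OFF)[0],
        "SizeOfImage": struct.unpack_from("<I", image, opt + OPT_SIZEOFIMAGE_OFF)[0],
        "CheckSum": struct.unpack_from("<I", image, opt + OPT_CHECKSUM_OFF)[0],
    }


def mismatched_fields(on_disk: bytes, in_memory: bytes) -> list:
    """Compare the file a process claims to run from with the image it has mapped.
    A non-empty result means the mapped image did not come from that file, which is
    what a rolled-back transaction leaves behind: a clean file and a foreign image."""
    disk, mem = pe_header_fields(on_disk), pe_header_fields(in_memory)
    return [name for name in disk if disk[name] != mem[name]]


def build_pe(timestamp: int, entry: int, size_of_image: int, checksum: int) -> bytes:
    """Build a minimal PE header for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (E_LFANEW_OFF - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, OPT_ENTRY_OFF, entry)
    struct.pack_into("<I", opt, OPT_SIZEOFIMAGE_OFF, size_of_image)
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFF, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A hit on any field is only a lead: legitimate cases such as a file updated on disk after the process started also produce mismatches, so the result should be correlated with the process start time and file modification time before raising an alert.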
Process Doppelgänging Evades Detection through Most Antiviruses
Liberman told The Hacker News that during their research they tested their attack against security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools.
To demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from affected systems, with Process Doppelgänging to bypass antivirus detection.
When the researchers ran Mimikatz normally on a Windows operating system, Symantec's antivirus solution caught the tool immediately, as shown below:
However, when executed using Process Doppelgänging, Mimikatz ran stealthily, without the antivirus displaying any warning, as shown in the image at the top of this article.
Liberman also told us that Process Doppelgänging works even on the latest edition of Windows 10, except Windows 10 Redstone and the Fall Creators Update, released earlier this year.
But due to a different bug in Windows 10 Redstone and the Fall Creators Update, using Process Doppelgänging causes a BSOD (blue screen of death), which crashes users’ computers.
Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.
I don’t expect Microsoft to rush out an emergency patch that could make some software relying on older implementations unstable, but antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.
This is not the first time enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated the AtomBombing technique, which also abused a design weakness in the Windows OS.
In September, enSilo researchers also disclosed a 17-year-old programming error in the Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory.