A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most modern antivirus solutions and forensic tools.
Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows component and an undocumented implementation of the Windows process loader.
enSilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at the Black Hat 2017 Security conference held in London.
Process Doppelgänging Works on All Windows Versions
Apparently, the Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, from Windows Vista through the latest version of Windows 10.
Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.
In a Process Hollowing attack, the attacker replaces the memory of a legitimate process with malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is still running.
Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, using this technique is no longer a great idea for attackers.
Process Doppelgänging, on the other hand, takes an entirely different approach to achieve the same result: it abuses Windows NTFS Transactions and an outdated implementation of the Windows process loader that was originally designed for Windows XP but carried through all later versions of Windows.
Here's How the Process Doppelgänging Attack Works:
Before going further into how this new code injection attack works, you need to understand what a Windows NTFS Transaction is and how an attacker could leverage it to hide malicious actions.
NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.
An NTFS Transaction is an isolated space that lets Windows application developers write file-output routines that are guaranteed to either succeed completely or fail completely.
According to the researchers, Process Doppelgänging is a fileless attack that works in four major steps:
- Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
- Load—create a memory section from the modified (malicious) file.
- Rollback—roll back the transaction (deliberately failing it), which removes all the changes to the legitimate executable as if they never existed.
- Animate—bring the doppelganger to life. Use the older implementation of the Windows process loader to create a process from the memory section created in step 2, which is actually malicious and was never saved to disk, "making it invisible to most recording tools such as modern EDRs."
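The four steps above are a sequence a behavioural sensor can look for: a file is modified inside a transaction, an image section is created from that file, the transaction is rolled back while the section still exists, and a process is then started from the section. The following detector is an added example written for this article, not code from enSilo or from the article itself. It runs a per-transaction state machine over a constructed event trace; the event names (TransactedWrite, SectionCreate, TransactionRollback, ProcessCreateFromSection and so on) are hypothetical labels chosen here to mirror the four steps, not real Windows telemetry fields, and it assumes the sensor can attribute a section and a process creation back to the transaction whose file handle backed them.

```python
"""Added example: flag the Transact -> Load -> Rollback -> Animate sequence in a
behavioural event trace.

Everything here is constructed for illustration. The event names are hypothetical
labels a sensor might emit for the four steps described in the article; they are
not real Windows telemetry fields, and the trace below is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed trace, one event per line: <pid> <event> <transaction id or -> <object>.
# pid 4120 performs the full four-step sequence against a copy of svchost.exe.
# pid 5500 is ordinary transactional file I/O that is committed, not rolled back.
# pid 6100 rolls back after creating a section but never starts a process from it.
SAMPLE_TRACE = """\
4120 TransactionCreate tx7 -
4120 TransactedWrite tx7 C:\\Windows\\System32\\svchost.exe
4120 SectionCreate tx7 C:\\Windows\\System32\\svchost.exe
4120 TransactionRollback tx7 -
4120 ProcessCreateFromSection tx7 C:\\Windows\\System32\\svchost.exe
5500 TransactionCreate tx9 -
5500 TransactedWrite tx9 C:\\Users\\alice\\report.docx
5500 TransactionCommit tx9 -
6100 TransactionCreate tx3 -
6100 TransactedWrite tx3 C:\\Temp\\build.exe
6100 SectionCreate tx3 C:\\Temp\\build.exe
6100 TransactionRollback tx3 -
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass
class TxState:
    """What has been observed so far for one (pid, transaction) pair."""
    path: Optional[str] = None   # file overwritten inside the transaction (step 1)
    section: bool = False        # memory section created from that file (step 2)
    rolled_back: bool = False    # transaction rolled back while the section exists (step 3)


@dataclass
class Alert:
    pid: int
    tx: str
    path: str
    rule: str = "process-created-from-rolled-back-transacted-image"


def parse_line(line: str) -> Optional[Tuple[int, str, str, str]]:
    """Parse one trace line; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, event, tx, obj = m.groups()
    return int(pid), event, tx, obj


def detect(trace: str) -> List[Alert]:
    """Run the per-transaction state machine over the trace and return alerts."""
    states: Dict[Tuple[int, str], TxState] = {}
    alerts: List[Alert] = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, event, tx, obj = parsed
        key = (pid, tx)
        st = states.setdefault(key, TxState())
        if event == "TransactedWrite":
            st.path = obj                       # Transact: file modified under the transaction
        elif event == "SectionCreate" and st.path == obj:
            st.section = True                   # Load: image section backed by the transacted file
        elif event == "TransactionRollback" and st.section:
            st.rolled_back = True               # Rollback: on-disk changes discarded, section survives
        elif event == "TransactionCommit":
            states.pop(key, None)               # Changes reached disk: ordinary transactional I/O
        elif (event == "ProcessCreateFromSection"
              and st.rolled_back and st.path == obj):
            alerts.append(Alert(pid, tx, obj))  # Animate: process runs an image that is not on disk
            states.pop(key, None)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_TRACE):
        print(f"pid={a.pid} tx={a.tx} image={a.path} rule={a.rule}")
```

Only pid 4120 is flagged: the committed transaction (pid 5500) is what legitimate transactional I/O looks like, and a rollback with no process started from the surviving section (pid 6100) is suspicious but not the full technique, so the state machine requires all four steps in order before raising an alert.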
Process Doppelgänging Evades Detection from Most Antiviruses
Liberman told The Hacker News that during their research they tested the attack against security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools.
To demonstrate, the researchers combined Process Doppelgänging with Mimikatz, a post-exploitation tool that extracts credentials from affected systems, to bypass antivirus detection.
When the researchers ran Mimikatz normally on a Windows operating system, the Symantec antivirus solution caught the tool immediately, as shown below:
However, when executed using Process Doppelgänging, Mimikatz ran stealthily without the antivirus displaying any alert, as shown in the image at the top of this article.
Liberman also told us that Process Doppelgänging works even on the latest version of Windows 10, except Windows 10 Redstone and the Fall Creators Update, released earlier this year.
Due to a different bug in Windows 10 Redstone and the Fall Creators Update, using Process Doppelgänging causes a BSOD (blue screen of death), which crashes users' computers.
Ironically, that crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.
I don't expect Microsoft to rush out an emergency patch that could make software relying on the older implementation unstable, but antivirus companies can upgrade their products to detect malicious programs that use Process Doppelgänging or similar attacks.
This is not the first time enSilo researchers have discovered a malware evasion technique. They previously discovered and demonstrated the AtomBombing technique, which also abused a design weakness in the Windows OS.
In September, enSilo researchers also disclosed a 17-year-old programming error in the Microsoft Windows kernel that prevented security software from detecting malware at runtime when it was loaded into system memory.