Process Doppelgänging attack works on all Windows versions

07.12.2017

Process-Doppelgänging

 

Cybersecurity experts at enSilo have discovered a new code injection technique called Process Doppelgänging.

This new attack works on all Windows versions, and experts say it can avoid most of today's popular security products.

Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but it differs in the way it utilizes the Windows mechanism of NTFS Transactions.

Process Doppelgänging uses two key distinct features together to mask the loading of a modified executable.

By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load the modified executable, but the changes we made to the executable file must be returned. The result of this procedure is creating a process from the modified executable file, while deployed security mechanisms remain are ignored.

Process Doppelgänging bypasses the most advanced antivirus solutions

The malicious code used by Process Doppelgänging is never saved to disk (fileless attack), which makes it invisible to all popular security products.

Experts have successfully tested the attack on Kaspersky, ESET, Symantec, McAfee, Norton, Windows Defender, AVG, Sophos, Trend Micro, Avast, and Panda products. Even advanced tools such as Volatility will not detect it.

Experts have used Process Doppelgänging during their experiments to run Mimikatz "in a stealthy way to avoid detection."

 

Process-Doppelgänging

 

Process Doppelgänging is a fileless attack

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two experts who are discovered the attack.

Security products take everything for normal because the malicious process will look legitimate, and will be mapped correctly to an image file on disk, just like any legit process. There will be no unmapped code, which is usually what security products look for.

The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

Would you like to comment on this article?

Share

Latest news

15.12.2017

Hacker removed malware from Netgear site, the company failed to do so for 2 years

An anonymous hacker has removed malware from a Netgear site after the company failed to clean up a malware infection for more than two years.

15.12.2017

Hacker robbed church in Northern Ireland

The hacker told the priest that the church computer should be remotely accessible to fix an internet problem.

15.12.2017

Synaptics to remove keylogger from its drivers

The company has decided to remove the keylogger functionality from its products.

Sign up for our online newsletter!