Cybersecurity experts at enSilo have discovered a new code injection technique called Process Doppelgänging.
The technique works on all current Windows versions, and the researchers say it evades most of today's popular security products.
Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but it differs in the way it abuses the NTFS Transactions mechanism of Windows.
Process Doppelgänging uses two key distinct features together to mask the loading of a modified executable.
Using NTFS transactions, the attacker writes changes to an executable file that will never actually be committed to disk. Undocumented implementation details of the process loading mechanism are then used to load the modified executable from that transaction, but not before the transaction is rolled back so the changes never reach the file on disk. The result is a process created from the modified executable, while the security mechanisms deployed on the machine remain unaware of it.
Process Doppelgänging bypasses the most advanced antivirus solutions
The malicious code used by Process Doppelgänging is never committed to disk (a fileless attack), which is what lets it slip past the popular security products the researchers tested.
The researchers successfully tested the attack against Kaspersky, ESET, Symantec, McAfee, Norton, Windows Defender, AVG, Sophos, Trend Micro, Avast, and Panda products. In their tests even the Volatility memory-forensics framework did not detect it.
Experts have used Process Doppelgänging during their experiments to run Mimikatz "in a stealthy way to avoid detection."
Process Doppelgänging is a fileless attack
"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," said Tal Liberman and Eugene Kogan, the two experts who discovered the attack.
Security products see nothing abnormal because the malicious process looks legitimate: it is correctly mapped to an image file on disk, just like any legitimate process, so there is no unmapped code, which is what security products usually look for.
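One check that does not rely on unmapped code is to compare the PE header page the loader actually mapped into a process with the header region of the file Windows reports as backing it: a Doppelgänged process is backed by the legitimate path, but its mapped image came from a transacted copy that was rolled back, so the two no longer agree. The script below is an added example written for this article, not enSilo's code or tooling. The comparison logic is plain Python and is exercised on a constructed pair of minimal PE headers; the live `check_process` function is an assumption of how one would wire it up on Windows (ctypes against kernel32 and psapi) and needs a handle on the target process of the same bitness as the Python interpreter.

```python
"""Compare a process's mapped PE headers with the file Windows says backs it.

Added example, not enSilo's code. Process Doppelgänging leaves the process
backed by a legitimate path on disk with no unmapped code, so instead of
hunting for unmapped regions we read the header page the loader mapped and
compare it with the header region of the file at that path. The mapped image
came from a transacted, rolled-back copy, so the two diverge. The comparison
is pure Python; the live check uses ctypes against kernel32/psapi and runs
only on Windows, with a handle opened on the target process.
"""
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"


def size_of_headers(pe: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.SizeOfHeaders; the field sits at offset 60 of the
    optional header for both PE32 and PE32+, so one parse covers both."""
    if len(pe) < 0x40 or pe[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    optional_header = e_lfanew + 4 + 20  # signature + IMAGE_FILE_HEADER
    return struct.unpack_from("<I", pe, optional_header + 60)[0]


def headers_match(mapped: bytes, on_disk: bytes) -> bool:
    """True when the mapped header region equals the file's header region.
    Headers are mapped at RVA 0 from file offset 0 and are not relocated, so an
    honest process reproduces the file bytes; an image loaded from a different
    PE under the same path does not."""
    n = size_of_headers(on_disk)
    return len(mapped) >= n and mapped[:n] == on_disk[:n]


def build_minimal_pe(size_of_hdrs: int, marker: bytes) -> bytes:
    """Constructed sample (not a real binary): MZ stub, e_lfanew = 0x40, PE
    signature, empty file header, PE32+ optional header with SizeOfHeaders set,
    then `marker` inside the header region, zero-padded to SizeOfHeaders."""
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", optional, 60, size_of_hdrs)  # SizeOfHeaders
    image = dos + IMAGE_NT_SIGNATURE + b"\0" * 20 + bytes(optional) + marker
    return image.ljust(size_of_hdrs, b"\0")


# Constructed pair: the committed file and the image an attacker loaded through a
# rolled-back transaction under the same path. An honest process maps the file as-is.
DISK_IMAGE = build_minimal_pe(0x200, b"legit-file-on-disk")
HONEST_MAPPED = DISK_IMAGE
DOPPELGANGED_MAPPED = build_minimal_pe(0x200, b"payload-never-committed")


def check_process(pid: int) -> bool:
    """Windows only (assumed wiring): True if the main module's mapped headers
    match the file psapi reports as backing it. Opening a 32-bit process from a
    64-bit interpreter makes EnumProcessModules fail; match bitness."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    psapi.EnumProcessModules.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                         wintypes.DWORD, wintypes.LPDWORD]
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           wintypes.LPWSTR, wintypes.DWORD]
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        base, needed = wintypes.HMODULE(), wintypes.DWORD()  # first module = main image
        if not psapi.EnumProcessModules(h, ctypes.byref(base), ctypes.sizeof(base), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        path = ctypes.create_unicode_buffer(32768)
        if not psapi.GetModuleFileNameExW(h, base, path, len(path)):
            raise ctypes.WinError(ctypes.get_last_error())
        with open(path.value, "rb") as f:          # the path that looks legitimate
            on_disk = f.read()
        n = size_of_headers(on_disk)
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t()
        if not k32.ReadProcessMemory(h, base.value, buf, n, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
        return headers_match(buf.raw[:got.value], on_disk)
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    print("sample honest process:", headers_match(HONEST_MAPPED, DISK_IMAGE))
    print("sample doppelganged process:", headers_match(DOPPELGANGED_MAPPED, DISK_IMAGE))
    if sys.platform == "win32":
        for pid in map(int, sys.argv[1:]):
            print(pid, "ok" if check_process(pid) else "MISMATCH: mapped image differs from file on disk")
```

The header page is the cheapest region to compare because the loader maps it verbatim and never relocates it; a fuller check (as memory-scanning tools do) compares every section after undoing relocations, which also catches a payload that deliberately copies the legitimate file's headers. Either way the comparison only works when the file at the reported path is the one you trust, so run it against a known-good copy of system binaries where that matters.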
The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."