ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called “Process Doppelgänging.”
This new attack works on all Windows versions and researchers say it bypasses most of today’s major security products.
Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.
Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.
Process Doppelgänging bypasses most modern AVs
Researchers say malicious code that utilizes Process Doppelgänging is never saved to disk (fileless attack), which makes it invisible to all major security products.
Researchers sucessfully tested their attack on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Norton, Windows Defender, AVG, Sophos, Trend Micro, Avast, and Panda. Furthermore, even advanced forensics tools such as Volatility will not detect it.
In their experiments, researchers used Process Doppelgänging to run Mimikatz, a known utility used for password-stealing operations, “in a stealthy way to avoid detection.”
Process Doppelgänging is a fileless attack
“The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine,” Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack explained in an email describing their new research.
“Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.
“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”
Everything looks OK to security products because the malicious process will look legitimate, and will be mapped correctly to an image file on disk, just like any legit process. There will be no “unmapped code,” which is usually what security products look for.
The good news and the bad news
The good news is that “there are a lot of technical challenges” in making Process Doppelgänging work, and attackers need to know “a lot of undocumented details on process creation.”
The bad news is that the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”
Research material on Process Doppelgänging will be published on the Black Hat website in the following days.
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.