Security researchers have discovered a new malware evasion method called “Process Doppelgänging”

  • 465
  •  
  •  
  •  
  • 1
  •  
  •  
  •  
    466
    Shares

security researchers from cyber-security firm enSilo have discovered a new code injection method called “Process Doppelgänging” that could help malware creators evade most of the modern antivirus solutions and forensic tools.

The technique was first presented at BlackHat Europe December 7, 2018. The researchers said that the new technique works on all versions of Windows and it can avoid most of the recent major security products.

According to the researchers:
“Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.”

Researchers were successfully able to test their technique on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, and Panda. Moreover, even advanced forensics tools will not be able to detect it.

To make this technique works, attackers need to know “a lot of undocumented details on process creation and this is hard. Unfortunately, this attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”

The following two tabs change content below.

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

Leave a Reply