Security researchers have discovered a new malware evasion method called “Process Doppelgänging”

  • 464
  •  
  •  
  •  
  • 1
  •  
  •  
  •  
    465
    Shares

security researchers from cyber-security firm enSilo have discovered a new code injection method called “Process Doppelgänging” that could help malware creators evade most of the modern antivirus solutions and forensic tools.

The technique was first presented at BlackHat Europe December 7, 2018. The researchers said that the new technique works on all versions of Windows and it can avoid most of the recent major security products.

According to the researchers:
“Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.”

Researchers were successfully able to test their technique on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, and Panda. Moreover, even advanced forensics tools will not be able to detect it.

To make this technique works, attackers need to know “a lot of undocumented details on process creation and this is hard. Unfortunately, this attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”

The following two tabs change content below.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Leave a Reply