security researchers from cyber-security firm enSilo have discovered a new code injection method called “Process Doppelgänging” that could help malware creators evade most of the modern antivirus solutions and forensic tools.
The technique was first presented at BlackHat Europe December 7, 2018. The researchers said that the new technique works on all versions of Windows and it can avoid most of the recent major security products.
According to the researchers:
“Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.”
Researchers were successfully able to test their technique on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, and Panda. Moreover, even advanced forensics tools will not be able to detect it.
To make this technique works, attackers need to know “a lot of undocumented details on process creation and this is hard. Unfortunately, this attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”