Researchers at endpoint security firm enSilo have identified a new attack that affects all Windows versions and allows attackers to use Microsoft Windows features to evade detection in prominent anti-virus products and infect a targeted device with malicious programs including malware.
Dubbed ‘Process Doppelgänging’ by Tal Liberman and Eugene Kogan of enSilo, the attack was demonstrated at the Black Hat Europe 2017 security conference in London earlier today. Doppelgänging is a fileless code injection technique: the attacker manipulates the way Windows handles NTFS file transactions so that a malicious executable gets loaded and run even when its code is already known to be malicious.
According to the security duo, “The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine.”
“Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfS
“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it is in the transaction is not possible by the vendors we checked so far (some even hang), and since we rollback the transaction, our activity leaves no trace behind.”
‘Doppelgänger’ in German means “ghostly double.”
The attack affects all Windows versions from Windows Vista through Windows 10; however, Windows 10 Redstone and the Fall Creators Update are not affected. The researchers also ran a series of tests against popular anti-virus products, including AVG, Avast, Bitdefender, ESET NOD32, Panda, Symantec, Kaspersky, McAfee, Qihoo 360 and Windows Defender, as well as advanced forensics tools, and the attack went undetected in every case.
“Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while leaving deployed security mechanisms in the dark.”
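The practical consequence of the description above is that, once the transaction is rolled back, the file on disk is the legitimate one again, so any defence that hashes or scans the on-disk image after the fact sees nothing wrong. A defender-side check therefore has to compare what was actually mapped into the new process against the backing file it claims to come from. The following Python is an added, constructed illustration of that comparison and is not code from enSilo or from the researchers; the `ProcessCreate` record, its `mapped_image` field and the in-memory `DISK` table stand in for telemetry a hypothetical sensor would collect, and the byte strings are made-up sample data.

```python
"""Constructed defender-side check for process image / on-disk file mismatch.

Idea taken from the technique described in the article: the modified
executable is mapped into the process, then the NTFS transaction is rolled
back, so the file on disk no longer matches the image that is running.
All names and data here are hypothetical and exist only for this example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessCreate:
    """Hypothetical process-creation event as a sensor might record it."""
    pid: int
    image_path: str
    mapped_image: bytes  # bytes the sensor captured from the process's image section


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_image_integrity(event: ProcessCreate, disk_files: Dict[str, bytes]) -> dict:
    """Compare the mapped image with the backing file currently on disk.

    A missing backing file or a hash mismatch is reported as suspicious;
    the caller decides how to act on it (alert, block, collect memory, ...).
    """
    result = {"pid": event.pid, "image_path": event.image_path}
    on_disk = disk_files.get(event.image_path)
    if on_disk is None:
        # Nothing to compare against: the process claims an image that is not there.
        result["verdict"] = "suspicious: backing file missing"
        return result

    mapped_hash = sha256_hex(event.mapped_image)
    disk_hash = sha256_hex(on_disk)
    result["mapped_sha256"] = mapped_hash
    result["disk_sha256"] = disk_hash
    if mapped_hash != disk_hash:
        # The bytes that are executing are not the bytes a file scanner would see.
        result["verdict"] = "suspicious: mapped image differs from on-disk file"
    else:
        result["verdict"] = "consistent"
    return result


# Constructed sample data: a benign image and a tampered one with the same path.
LEGIT_IMAGE = b"MZ" + b"\x00" * 14 + b"constructed legitimate executable bytes"
TAMPERED_IMAGE = b"MZ" + b"\x00" * 14 + b"constructed modified executable bytes"
DISK: Dict[str, bytes] = {r"C:\Windows\System32\notepad.exe": LEGIT_IMAGE}


def run_demo() -> List[dict]:
    """Evaluate one clean launch and one launch whose mapped image was swapped."""
    clean = ProcessCreate(1001, r"C:\Windows\System32\notepad.exe", LEGIT_IMAGE)
    swapped = ProcessCreate(1002, r"C:\Windows\System32\notepad.exe", TAMPERED_IMAGE)
    orphan = ProcessCreate(1003, r"C:\Temp\missing.exe", TAMPERED_IMAGE)
    return [check_image_integrity(e, DISK) for e in (clean, swapped, orphan)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point of the design is that the comparison is anchored on the mapped section, not on a later scan of the path: after rollback the path is clean by construction, so the on-disk hash alone would always look fine. In a real deployment the "mapped image" would come from a kernel or EDR component at image-load time; how a given product obtains it is outside what this article documents.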
What is worse is that the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows” and does not require any files to be created on disk. The somewhat good news is that, because the attack requires “a lot of undocumented details on process creation,” it may be challenging for attackers to carry out.