On Thursday, at the BlackHat Europe 2017 security conference in London, two security researchers from the cyber-security firm ‘enSilo’ have demonstrated a new code injection attack technique called “Process Doppelganging,” where all versions of Windows are said to be vulnerable.
According to researchers, the attack method can be used to bypass even updated modern AV software and execute malicious codes that are already known to security companies.
Process Doppelganging is somewhat similar to Process Hollowing – a technique used by attackers a few years ago to cross the mitigation capabilities of security products but now detected by most of today’s major security products. But, Process Doppelgänging is more advanced and evasive. It is much harder to detect – let alone prevent.
Unlike Process Hollowing, Process Doppelgänging utilizes the Windows mechanism of NTFS Transactions to make changes to an executable file. The changes made are never written to the disk, so it resembles like fileless attack, that can’t be tracked by any security scanners and advanced forensic tools. The modified executable is then loaded using the Windows process loading mechanism.
“Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms in the dark,” reads an enSilo blog post.
Evasion techniques usually depend upon the memory manipulation, but researchers here uses windows loader and abuses it to load their code to evade security scanners. The researchers didn’t tell how they did it.
Who Does This Affect?
According to the researchers, there is no way a patch could be issued as the attack takes advantage of several fundamental features and core process of the windows loading mechanism. However, it is also hard for attackers to implement Doppelgänging as it requires a keen understanding of Binaries and process creations that’s not documented by the researchers. It’s a sense of relief though!
A full copy of the research material on Process Doppelgänging is available from the enSilo website where you can also register for a free webinar that will look at the attack and how to defend against it.