
Windows “Process Doppelgänging” Attack Fools Major Anti-Virus Software #BlackHatEurope

At the BlackHat Europe 2017 conference, security researchers from enSilo demonstrated a new code injection attack for Windows OS called “Process Doppelganging.”

The attack method can be used to bypass even updated modern AV software and execute malicious codes that are already known to security companies.

It works by making malicious code look like a legitimate Windows process, which lets it slip past security products. Malware launched this way could encrypt files for ransom, monitor keystrokes, or steal confidential information.

Process Doppelganging is similar to Process Hollowing – a method used by hackers a few years ago but now detected by most security software. The most recent use of Process Hollowing was in the Scarab ransomware that spread via 12.5 million emails.

Doppelgänging is more advanced and evasive, and much harder to detect. The difference lies in how it works: Process Doppelgänging uses a Windows feature called Transactional NTFS (TxF) to make changes to an executable file.

The changes are never written to disk, so it is a file-less attack that AV software cannot track. The modified executable is then loaded using the Windows process loading mechanism. The researchers did not disclose how they did it.
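As an added illustration of the defensive side of the mechanism just described (this is not code from the article or from enSilo), here is a small Python heuristic that flags the pattern the paragraph outlines: an executable written inside an NTFS transaction that is later rolled back, with a process launched from that image in the meantime. The telemetry line format, event names and sample lines are constructed for this example and assume an endpoint agent that records transaction begin/write/commit/rollback and process-creation events; the five-second grace window after the rollback is an assumed tolerance, not a documented value.

```python
"""Detection heuristic for the file-less pattern described above: an executable
modified inside an NTFS transaction that is then rolled back (so the on-disk
file never changes), with a process launched from that file meanwhile."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry. The line format and field names are invented
# for this example; they are not from enSilo's research or any real product.
SAMPLE_EVENTS = """\
2017-12-06T10:00:01Z pid=4120 event=txf_begin tx=7
2017-12-06T10:00:01Z pid=4120 event=txf_write tx=7 path=C:\\Windows\\System32\\svchost.exe
2017-12-06T10:00:02Z pid=4120 event=process_create path=C:\\Windows\\System32\\svchost.exe child=5220
2017-12-06T10:00:02Z pid=4120 event=txf_rollback tx=7
2017-12-06T10:00:05Z pid=7000 event=txf_begin tx=8
2017-12-06T10:00:05Z pid=7000 event=txf_write tx=8 path=C:\\Users\\alice\\report.docx
2017-12-06T10:00:06Z pid=7000 event=txf_commit tx=8
2017-12-06T10:00:09Z pid=9001 event=process_create path=C:\\Windows\\notepad.exe child=9002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) event=(?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def parse_events(text):
    """Turn telemetry lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["pid"] = int(m.group("pid"))
        fields["event"] = m.group("event")
        events.append(fields)
    return events


def find_doppelganged_processes(events, grace=timedelta(seconds=5)):
    """Return (child_pid, image_path, tx) for every process created from an
    executable that was written inside a transaction later rolled back.

    A committed transaction is ignored: the file genuinely changed on disk and
    ordinary file scanning will see it. A rolled-back one is the interesting
    case, because nothing on disk will ever show the content that was loaded."""
    writes = {}     # (tx, path) -> time of the transacted write
    rollbacks = {}  # tx -> time of rollback
    creates = []    # (time, path, child pid)
    for e in events:
        kind = e["event"]
        if kind == "txf_write" and e["path"].lower().endswith(EXEC_SUFFIXES):
            writes.setdefault((e["tx"], e["path"].lower()), e["ts"])
        elif kind == "txf_rollback":
            rollbacks[e["tx"]] = e["ts"]
        elif kind == "process_create":
            creates.append((e["ts"], e["path"].lower(), int(e["child"])))

    hits = []
    for (tx, path), write_ts in writes.items():
        rollback_ts = rollbacks.get(tx)
        if rollback_ts is None:
            continue  # committed or still open: not the rolled-back pattern
        for create_ts, image, child in creates:
            # The launch must fall after the transacted write and no later than
            # a short grace window past the rollback (assumed tolerance).
            if image == path and write_ts <= create_ts <= rollback_ts + grace:
                hits.append((child, path, tx))
    return hits


def scan(text):
    """Parse raw telemetry text and return the suspicious launches."""
    return find_doppelganged_processes(parse_events(text))


if __name__ == "__main__":
    for child, path, tx in scan(SAMPLE_EVENTS):
        print(f"suspicious: pid {child} launched from {path} (transaction {tx} rolled back)")
```

Run as a script, it reports only the svchost.exe launch: the report.docx transaction is committed (the file really changed, so normal scanning covers it) and the notepad.exe launch has no transacted write behind it. Real agents expose transaction activity through different channels, so the event names here would have to be mapped onto whatever your telemetry actually records.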

“The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark”, reads an enSilo blog post.

Potentially, all Windows versions from Vista to Windows 10 are affected, as are many leading AV products. The list includes Kaspersky, Bitdefender, ESET, McAfee, Windows Defender, AVG, Avast, Panda, Symantec, etc.

According to the researchers, there is no way a patch could be issued, as the attack takes advantage of several fundamental features and the core design of process loading in Windows.

There is no vulnerability that’s being exploited; it’s an evasion technique. The researchers submitted their findings to Microsoft but the company won’t address it as they also don’t consider it a vulnerability, researcher Tal Liberman told ZDNet.

One consolation is that the attack is hard to perform and requires knowledge that the researchers have not documented.

Read more about Process Doppelgänging using this link.
