Security News "Process Doppelgänging" Attack Works on All Windows Versions

silversurfer

Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelgänging."

This new attack works on all Windows versions and researchers say it bypasses most of today's major security products.

Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark."

Process Doppelgänging bypasses most modern AVs
Researchers say malicious code that utilizes Process Doppelgänging is never saved to disk (fileless attack), which makes it invisible to all major security products.

Researchers successfully tested their attack on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Norton, Windows Defender, AVG, Sophos, Trend Micro, Avast, and Panda. Furthermore, even advanced forensics tools such as Volatility will not detect it.

In their experiments, researchers used Process Doppelgänging to run Mimikatz, a known utility used for password-stealing operations, "in a stealthy way to avoid detection."

Process Doppelgänging is a fileless attack
"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack, explained in an email describing their new research.

"Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.

"In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind."

Everything looks OK to security products because the malicious process will look legitimate, and will be mapped correctly to an image file on disk, just like any legit process. There will be no "unmapped code," which is usually what security products look for.

The good news and the bad news
The good news is that "there are a lot of technical challenges" in making Process Doppelgänging work, and attackers need to know "a lot of undocumented details on process creation."

The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

Process Doppelgänging now joins the list of new attack methods discovered in the past year that are hard to detect and mitigate for modern AVs, such as Atom Bombing, GhostHook, and PROPagate.

Research material on Process Doppelgänging will be published on the Black Hat website in the following days.

Deleted member 65228

1. PsSetLoadImageNotifyRoutine.
-> Wait until NTDLL.DLL is loaded.
->> Now you can check the creation time/other characteristics by reading the Process Environment Block data of the process (ZwQueryInformationProcess).
->>> New process start-up.

2. New process start-up is identified.
-> Quickly scan the memory to determine whether the image in memory matches the image on-disk which is allegedly the image for the process.
->> Bad results indicate the image in memory has been modified, such as via an attack like process hollowing. Precautions can be taken to not blatantly flag innocent in-memory patches, but only heavy modifications (which process hollowing would come under).

Alternative, less-good and less-stable method below.
1. Intercept whichever routines are being called to perform the attack whilst bypassing AVs.
2. Flag it based on parameters -> block.

Problem solved. If the malicious code doesn't touch disk then the image on disk won't match the image in memory when a thorough analysis on memory is performed.

Deleted member 65228

I also assume that handle hijacking is still utilised to change the entry-point of the image in memory after the malicious code has replaced the legitimate code of the target for the process hollowing attack. Therefore mitigating thread hijacking (a technique for code injection -> after virtual memory operations to have the malicious code stored in the memory of the target process -> hijack the thread by modifying the context data so it points to the address of the malicious code) should also still mitigate this new method of process hollowing.

Unless I completely misunderstood, but there's a lack of detail and no PoC source code, so it's hard for me to know really. If it works differently by manipulating file-system routines/spoofing data so the code for a malicious PE is used by the Windows Loader instead, then the image in memory checks would still work fine for identification.

Solarquest

Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions
...
...
Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.

But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers.

Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.
...

TairikuOkami

Pardon me as I'm still learning.
I still don't quite understand the entry point of Doppelgänging.
Same here. Technical details are supposed to be released in a few days. I can not wait, but I do not expect it to be challenging, after all it uses Mimikatz.

I do not even have SamSs running, I wish malware good luck exploiting that. :)

Deleted member 65228

I want to add a quick note here...

A lot of vendors do not appear to be capable of blocking normal process hollowing, therefore why would those same vendors block a new technique for it? I really doubt that Windows Defender, Bitdefender, ESET, Panda and maybe even Avast as well will block it through behavioural analysis. Kaspersky will with Application Control, Emsisoft certainly will with their Behavior Blocker, Comodo have HIPS which mitigates code injection in general (it should happily catch out process hollowing), G-Data/Qihoo may also mitigate it.

Avast is really unpredictable when it comes to behavioural analysis. I've performed extensive testing with it over the duration of weeks for general code injection (DLL injection & code-cave) and seen a whole wide range of results from one instance being blocked and then the same attack being allowed on a re-test, or buggy interception code forcing a crash instead of displaying an alert about the behavior. I noticed Avast now inject a DLL into monitored processes for their Behavioural Shield, I didn't bother checking which routines they hook but I suspect the bug I ran into would have been buggy callback code for interception of either NtWriteVirtualMemory or NtCreateThreadEx/NtQueueApcThread.

Deleted member 65228

I apologise, I misread. The article doesn't state it is a process hollowing technique, it mentions it is an attack alike it. You can discard my previous posts because I messed up, I should have read it properly. :oops::oops:

  • Transact – Overwrite legitimate executable with a malicious one
  • Load – Load malicious executable
  • Rollback – Rollback to original executable
  • Animate – Bring the Doppelgänger to life
Source: https://www.blackhat.com/docs/eu-17...Lost-In-Transaction-Process-Doppelganging.pdf

The technique works by overwriting the image with the rogue copy, executing it in memory and then having the modification reverted back. However, I believe that if you do a proper scan of memory comparing the image in memory to the image on disk, it should still be picked up because after reverting the modification, the images won't match.

But still... If an AV cannot block an attack like process hollowing (not all of them cannot, some will without an issue) then those same ones I doubt will be capable of tackling an attack like this. So I think the tested products should have been chosen more carefully...
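The memory-versus-disk comparison proposed in two posts above (step 2 of the first detection outline, and the paragraph about images not matching after rollback), as an added example that is not code from either poster: portable C for the comparison and classification step only. It assumes the caller has already read the process's code section and the matching bytes from the file the process is mapped to; the sample section and the thresholds are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum image_verdict { IMAGE_MATCH = 0, IMAGE_MINOR_PATCH = 1, IMAGE_REPLACED = 2 };

struct image_diff {
    size_t differing;   /* bytes that differ between memory and disk */
    size_t longest_run; /* longest contiguous run of differing bytes */
};

/* Byte-wise comparison of a process's mapped code section against the same section
 * read from its image file. Reading process memory and mapping the file is the caller's job. */
struct image_diff compare_images(const uint8_t *mem, const uint8_t *disk, size_t len)
{
    struct image_diff d = {0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (mem[i] != disk[i]) ? run + 1 : 0;
        if (run) d.differing++;
        if (run > d.longest_run) d.longest_run = run;
    }
    return d;
}

/* Tolerate small, short edits (a 5-byte hook a monitoring product writes into the process
 * itself) but flag wholesale replacement. Thresholds are constructed for this example. */
enum image_verdict classify(struct image_diff d, size_t len)
{
    if (d.differing == 0) return IMAGE_MATCH;
    if (d.longest_run >= 64 || d.differing * 100 >= len * 10) return IMAGE_REPLACED;
    return IMAGE_MINOR_PATCH;
}

/* Constructed sample: a 4 KiB fake .text section, copied into "memory" and
 * then altered according to the scenario before being compared. */
#define SECTION_LEN 4096
enum scenario { SCN_UNTOUCHED, SCN_INLINE_HOOK, SCN_REPLACED };
enum image_verdict verdict_for(enum scenario s)
{
    uint8_t disk[SECTION_LEN], mem[SECTION_LEN];
    for (size_t i = 0; i < SECTION_LEN; i++) disk[i] = (uint8_t)(i * 7 + 3);
    memcpy(mem, disk, SECTION_LEN);
    if (s == SCN_INLINE_HOOK)            /* benign: jmp rel32 stub at entry */
        memset(mem, 0xE9, 5);
    else if (s == SCN_REPLACED)          /* code unrelated to the file on disk */
        for (size_t i = 0; i < SECTION_LEN; i++) mem[i] = (uint8_t)~disk[i];
    return classify(compare_images(mem, disk, SECTION_LEN), SECTION_LEN);
}
```

The run-length check is what keeps a single small hook from being treated like a swapped-in image; a real scanner would apply it per section using the PE section table rather than to one flat buffer.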