Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Cybersecurity researchers have disclosed a new executable image tampering attack dubbed "Process Ghosting" that could be potentially abused by an attacker to circumvent protections and stealthily run malicious code on a Windows system.

"With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau said. "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)."

Process Ghosting expands on previously documented endpoint bypass methods such as Process Doppelgänging and Process Herpaderping, thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection.

Process Doppelgänging, analogous to Process Hollowing, involves injecting arbitrary code in the address space of a legitimate application's live process that can then be executed from the trusted service. Process Herpaderping, first detailed last October, describes a method to obscure the behavior of a running process by modifying the executable on disk after the image has been mapped in memory.

The evasion works because of "a gap between when a process is created and when security products are notified of its creation," giving malware developers a window to tamper with the executable before security products can scan it.