Windows “Process Doppelgänging” Attack Fools Major Anti-Virus Software #BlackHatEurope

At the BlackHat Europe 2017 conference, security researchers from enSilo demonstrated a new code injection attack for Windows OS called “Process Doppelganging.”

The attack method can be used to bypass even updated modern AV software and execute malicious codes that are already known to security companies.

The same is done by making fishy things look like legitimate Windows process which can easily circumvent security products. The malware can eventually lead to ransom files, monitor keystrokes, or steal confidential information.

Process Doppelganging is similar to Process Hollowing – a method used by hackers a few years ago but now detected by most security software. The most recent use of Process Hollowing in the case of Scarab ransomware that spread via 12.5 million emails.

Doppelgänging is more advanced and evasive. Also, it’s much harder to detect. The difference lies in how it works. Process Doppelgänging utilizes a feature called Transactional NTFS (TxF) in Windows to make changes to an executable file.

The changes made are never written to the disk, so, it’s a file-less attack that can’t be tracked by an AV software. The modified executable is then loaded using the Windows process loading mechanism. The researchers didn’t tell how they did it.

“The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark”, reads an enSilo blog post.

Potentially, all versions of Windows versions, from Vista to Windows 10, and many leading SV software are affected. The list includes Kaspersky, Bitdefender, ESET, McAfee, Windows Defender, AVG, Avast, Panda, Symantec, etc.

According to the researchers, there is no way a patch could be issued as the attack takes advantage of several fundamental features and core design of process loading in Windows.

There is no vulnerability that’s being exploited; it’s an evasion technique. The researchers submitted their findings to Microsoft but the company won’t address it as they also don’t consider it a vulnerability, researcher Tal Liberman told ZDNet.

However, a sense of relief is that the attack is pretty hard to perform and requires some knowledge that’s not documented by the researchers.

Read more about Process Doppelgänging using this link.

More of BlackHat Europe: Hackers Turn On “GOD MODE” To Hack Intel ME Chip Like A Boss
Aditya Tiwari

Aditya Tiwari

Aditya likes to cover topics related to Microsoft, Windows 10, Apple Watch, and interesting gadgets. But when he is not working, you can find him binge-watching random videos on YouTube (after he has wasted an hour on Netflix trying to find a good show). Reach out at [email protected]
More From Fossbytes

Latest On Fossbytes

Find your dream job