Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10. It runs undetected by most AVs, including Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and Qihoo 360. https://thehackernews.com/2017/12/malware-process-doppelganging.html
I suspect that if one is using one of the bypassed AVs that has a HIPS, and the process whose memory is being injected is protected by a process modification rule, it will be detected. We will have to wait until presentation details are released to determine which built-in Windows process is being injected. https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf Also of note is that both NOD32 and Bitdefender were mentioned. I assume that the ESET and Bitdefender IS versions would detect it.
A bit more detail: https://www.scmagazineuk.com/market...roken-by-doppelganging-attack/article/712522/ First as expected, the malware has to be downloaded. Next, the malware is going after virtual storage using existing NTFS methods to access same. Actually, I am surprised that it took someone this long. I have always considered VS to be vulnerable and an ideal place for malware to hide. Wonder if purging VS at shutdown would at least get rid of the persistence aspect of the exploit?
There are too many ways to inject code; the Windows OS should really be rewritten with only the most important APIs. On the other hand, every process should be restricted as much as possible, so that even if it has been infected it cannot perform actions like making outbound connections and getting access to protected folders.
That's most likely not going to happen. They prefer to add more code and not to remove it. They don't follow "Less is more" logic.
"First-Ever Ransomware Found Using Process Doppelgänging Attack to Evade Detection Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection... Security researchers at Kaspersky Lab have now found the first ransomware, a new variant of SynAck, employing this technique to evade its malicious actions and targeting users in the United States, Kuwait, Germany, and Iran..." https://thehackernews.com/2018/05/synack-process-doppelganging.html Kaspersky report and analysis: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/