Process Doppelgänging Attack allows evading most security software on all Windows Versions

Discussion in 'malware problems & news' started by Minimalist, Dec 7, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://securityaffairs.co/wordpress/66440/hacking/process-doppelganging-attack.html
     
  2. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    849
    The Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.

    It runs undetected by most AVs, including Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and Qihoo 360.

    https://thehackernews.com/2017/12/malware-process-doppelganging.html
     
    Last edited: Dec 7, 2017
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    o_O
    I suspect if one is using one of the bypassed AVs that has a HIPS and the process whose memory is being injected is protected by a process modification rule, it will be detected. We will have to wait until presentation details are released to determine what built-in Windows process is being injected.
    https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

    Also of note is that both NOD32 and Bitdefender were mentioned. I assume that the Eset and Bitdefender IS versions would detect.
     
    Last edited: Dec 7, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    A bit more detail:
    https://www.scmagazineuk.com/market...roken-by-doppelganging-attack/article/712522/

    First as expected, the malware has to be downloaded. Next, the malware is going after virtual storage using existing NTFS methods to access same. Actually, I am surprised that it took someone this long. I have always considered VS to be vulnerable and an ideal place for malware to hide.

    Wonder if purging VS at shutdown would at least get rid of the persistence aspect of the exploit?
     
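A defender-side check that follows from the mechanics discussed in this thread, added here as an example and not code from the posters, the linked slides or the Kaspersky report: a doppelgänged process is started from an image section built from a file that was overwritten inside an NTFS transaction and then rolled back, so the path the process reports as its image once again holds the original file while the process is running something else. Comparing the PE header page mapped in each live process with the file at its reported path surfaces that mismatch. The names `compare_headers`, `build_pe_header`, `demo` and `scan_windows_processes`, the constructed sample headers, and the use of psapi/kernel32 through ctypes are my assumptions; the live scan only runs on Windows, while the constructed demo runs anywhere.

```python
"""Check whether a process's mapped PE header matches the file it claims to be backed by.
Process Doppelgänging starts a process from an image section built from a file overwritten
inside an NTFS transaction and then rolled back, so the header page mapped in the process
differs from what is now on disk at the reported image path. The loader maps that page
verbatim (relocations only patch sections), so an honestly loaded image's first
SizeOfHeaders bytes in memory equal those of its file."""
import struct
import sys

PAGE = 0x1000

def size_of_headers(buf: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.SizeOfHeaders (offset 60 in both PE32 and PE32+), or 0 if not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    off = e_lfanew + 4 + 20 + 60  # PE signature + IMAGE_FILE_HEADER + field offset
    if off + 4 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    return struct.unpack_from("<I", buf, off)[0]

def compare_headers(mapped: bytes, on_disk: bytes) -> tuple[bool, str]:
    """Compare the header region of a mapped image with the file that backs it."""
    n_mem, n_disk = size_of_headers(mapped), size_of_headers(on_disk)
    if n_mem == 0 or n_disk == 0:
        return False, "mapped image or backing file is not a PE"
    if n_mem != n_disk:
        return False, f"SizeOfHeaders differs: memory={n_mem:#x} disk={n_disk:#x}"
    n = min(n_mem, len(mapped), len(on_disk))
    diff = next((i for i in range(n) if mapped[i] != on_disk[i]), None)
    if diff is not None:
        return False, f"header bytes differ at offset {diff:#x}"
    return True, "headers match"

def build_pe_header(timestamp: int, entry: int, size: int = 0x400) -> bytes:
    """Constructed minimal PE32 header used as sample input only; not a real binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 60, size)      # SizeOfHeaders
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)).ljust(size, b"\0")

def demo() -> dict:
    """Constructed scenario: an honest load, then a payload mapped under a rolled-back file's path."""
    legit = build_pe_header(timestamp=0x5A28C000, entry=0x1000)
    payload = build_pe_header(timestamp=0x5A28FFFF, entry=0x2F10)
    return {"honest": compare_headers(legit, legit), "doppelganged": compare_headers(payload, legit)}

def scan_windows_processes():
    """Yield (pid, image path, (matches, reason)) for live processes whose mapped header page differs from their image file. Windows only; a no-op elsewhere."""
    if sys.platform != "win32":
        return
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE  # keep 64-bit handles intact
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    psapi.EnumProcesses.argtypes = [wintypes.LPDWORD, wintypes.DWORD, wintypes.LPDWORD]
    psapi.EnumProcessModules.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE), wintypes.DWORD, wintypes.LPDWORD]
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE, wintypes.LPWSTR, wintypes.DWORD]
    pids, needed = (wintypes.DWORD * 4096)(), wintypes.DWORD()
    psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed))
    for pid in pids[: needed.value // ctypes.sizeof(wintypes.DWORD)]:
        h = k32.OpenProcess(0x0400 | 0x0010, False, pid)  # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
        if not h:
            continue  # no access (protected or system process): skipped, not a finding
        try:
            hmod = wintypes.HMODULE()  # first module EnumProcessModules returns is the executable
            if not psapi.EnumProcessModules(h, ctypes.byref(hmod), ctypes.sizeof(hmod), ctypes.byref(needed)):
                continue
            path = ctypes.create_unicode_buffer(wintypes.MAX_PATH)
            psapi.GetModuleFileNameExW(h, hmod, path, wintypes.MAX_PATH)
            mem, got = ctypes.create_string_buffer(PAGE), ctypes.c_size_t()
            if not k32.ReadProcessMemory(h, hmod, mem, PAGE, ctypes.byref(got)):
                continue
            try:
                with open(path.value, "rb") as f:
                    disk = f.read(PAGE)
            except OSError:
                disk = b""  # path unreadable or gone: surfaces as a mismatch
            check = compare_headers(mem.raw[:got.value], disk)
            if not check[0]:
                yield pid, path.value, check
        finally:
            k32.CloseHandle(h)

if __name__ == "__main__":
    print(demo())
    for pid, path, (_, reason) in scan_windows_processes():
        print(f"MISMATCH pid={pid} {path}: {reason}")
```

Run it elevated on Windows so OpenProcess succeeds for most processes; anything it cannot open is skipped rather than reported. A hit only means the mapped image differs from the file at its reported path, which is also what process hollowing or an in-place update of a still-running binary produces, so treat it as a lead to inspect rather than proof of this particular technique. A sample that commits the transaction instead of rolling it back leaves its payload on disk and passes this check, but then it is on disk for ordinary file scanning.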
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    There are too many ways to inject code; the Windows OS should really be rewritten, with only the most important APIs. On the other hand, every process should be restricted as much as possible, so even if it has been infected it cannot perform stuff like making outbound connections and getting access to protected folders.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    That's most likely not going to happen. They prefer to add more code and not to remove it. They don't follow "Less is more" logic.
     
  7. guest

    guest Guest

    +1
     
  8. Tarantula

    Tarantula Guest


     
    Last edited by a moderator: Dec 19, 2017
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,061
    Location:
    DC Metro Area
    "First-Ever Ransomware Found Using Process Doppelgänging Attack to Evade Detection

    Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection...

    Security researchers at Kaspersky Lab have now found the first ransomware, a new variant of SynAck, employing this technique to evade its malicious actions and targeting users in the United States, Kuwait, Germany, and Iran..."

    https://thehackernews.com/2018/05/synack-process-doppelganging.html

    Kaspersky report and analysis:

    https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
     