Process Doppleganging attack

Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelgänging."

This new attack works on all Windows versions and researchers say it bypasses most of today's major security products.

Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.

Process Doppelgänging bypasses most modern AVs

Researchers say malicious code that utilizes Process Doppelgänging is never saved to disk (fileless attack), which makes it invisible to all major security products.

Researchers sucessfully tested their attack on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360, and Panda. Furthermore, even advanced forensics tools such as Volatility will not detect it.

In their experiments, researchers used Process Doppelgänging to run Mimikatz, a known utility used for password-stealing operations, "in a stealthy way to avoid detection."

Doppelganging test results

Process Doppelgänging is a fileless attack

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack explained in an email describing their new research.

"Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.

"In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind."

Everything looks OK to security products because the malicious process will look legitimate, and will be mapped correctly to an image file on disk, just like any legit process. There will be no "unmapped code," which is usually what security products look for.

The good news and the bad news

The good news is that "there are a lot of technical challenges" in making Process Doppelgänging work, and attackers need to know "a lot of undocumented details on process creation."

The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

Process Doppelgänging now joins the list of new attack methods discovered in the past year that are hard to detect and mitigate for modern AVs, such as Atom Bombing, GhostHook, and PROPagate.

Research material on Process Doppelgänging will be published on the Black Hat website in the following days.

The article has been updated to remove Norton, Sophos, and Trend Micro from the list of vulnerable products, and add Qihoo 360, due to an email communications mix-up and older test data. Bleeping Computer regrets the error.