Process Doppelgänging: The newest malware evasion technique
Security researchers from cyber-security firm enSilo have discovered a new code injection method called “Process Doppelgänging” that could help malware creators evade most modern antivirus solutions and forensic tools.
The technique was first presented at BlackHat Europe on December 7, 2018. The researchers said that the new technique works on all versions of Windows and can evade most of the recent major security products.
Before going further into how this new code injection attack works, you need to understand what a Windows NTFS Transaction is and how an attacker could leverage it to hide malicious actions.
NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.
NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.
According to the researchers, Process Doppelgänging is a fileless attack that works in four major steps:
- Transact: open a legitimate executable inside an NTFS transaction and then overwrite it with a malicious file.
- Load: create a memory section from the modified (malicious) file.
- Rollback: roll back the transaction (deliberately failing it), which removes all the changes to the legitimate executable as if they had never existed.
- Animate: bring the Doppelgänger to life. Use the older implementation of the Windows process loader to create a process from the memory section created in step 2, which is actually malicious and was never saved to disk, "making it invisible to most recording tools such as modern EDRs."
How does it work:
Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.
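Because the executable that actually gets mapped is never committed to disk, one defender-side check that follows from the description above is to compare the PE headers of a process's on-disk image file with the headers of the image mapped in its memory. The following is an added example, not enSilo's code; both images are constructed byte strings (a minimal fake PE header, not a real executable), and on a live system the in-memory copy would be read from the process's image base.

```python
import struct

# Constants from the PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C


def pe_header_fields(image: bytes) -> dict:
    """Extract header fields that identify a PE image.

    Works on either the on-disk file bytes or the bytes read from a
    process's image base: the headers are mapped unchanged at offset 0.
    """
    if image[:2] != DOS_MAGIC:
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER starts with Machine(2) NumberOfSections(2) TimeDateStamp(4).
    machine, nsections, timestamp = struct.unpack_from("<HHI", image, file_hdr)
    opt_hdr = file_hdr + 20
    # In IMAGE_OPTIONAL_HEADER, SizeOfImage is at +56 and CheckSum at +64 (PE32 and PE32+).
    (size_of_image,) = struct.unpack_from("<I", image, opt_hdr + 56)
    (checksum,) = struct.unpack_from("<I", image, opt_hdr + 64)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "size_of_image": size_of_image, "checksum": checksum}


def image_mismatch(disk_image: bytes, memory_image: bytes) -> list:
    """Return the header fields that differ between the disk and memory copies.

    A non-empty list means the mapped image is not the file the process
    claims to run from, which is exactly what a rolled-back transaction leaves behind.
    """
    disk, mem = pe_header_fields(disk_image), pe_header_fields(memory_image)
    return [k for k in disk if disk[k] != mem[k]]


def build_fake_pe(timestamp, size_of_image, checksum, nsections=3):
    """Constructed minimal PE32+ header for the demo (not a loadable executable)."""
    e_lfanew = 0x80
    dos = DOS_MAGIC + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    file_hdr = struct.pack("<HHIIIHH", 0x8664, nsections, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 64, checksum)
    return dos + PE_SIGNATURE + file_hdr + bytes(opt)


DISK_IMAGE = build_fake_pe(0x5A2F0C11, 0x1A000, 0x2D3F1)          # constructed "on disk"
LOADED_IMAGE = build_fake_pe(0x5A9E44B0, 0x4C000, 0x9B0E7, 5)     # constructed "in memory"
```

Header fields are only a cheap first filter; a full comparison would hash the mapped headers and section table against the file.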
Researchers were successfully able to test their technique on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, and Panda. Moreover, even advanced forensics tools will not be able to detect it.
To make this technique work, attackers need to know a lot of undocumented details on process creation, and this is hard. Unfortunately, this attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”
Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.
But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers.
Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.
I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.