We will discuss Process Doppelgänging in this article.
In this article, a new injection technique called “Process Doppelgänging” is reviewed. The technique was revealed at Black Hat Europe by two security researchers from enSilo. It is important to note that it affects all current editions of Windows, from Windows Vista to Windows 10.
Introduction to Process Doppelgänging
Process Doppelgänging is similar to Process Hollowing: malware replaces the code of a legitimate process with malicious code, while the image name, path and command line remain those of the legitimate Windows process. As a result, a Doppelgänged process looks like a fileless attack when it is launched.
Process Doppelgänging relies on Windows NTFS transactions. Transactional NTFS (TxF) integrates transactions into the NTFS file system, so that file operations (create, delete, modify, etc.) are performed atomically; this was designed to make it easier for application developers and administrators to recover from errors and maintain data integrity.
In other words, many file operations can be grouped into an NTFS transaction whose outcome is either committed or rolled back. When the transaction is committed, the changes become permanent; when it is rolled back, the file system is returned to its previous state. Process Doppelgänging abuses exactly these features to hide and run malware.
The technique combines these NTFS transaction features in a specific sequence, detailed below:
In the first phase, a legitimate executable is opened inside a transaction and overwritten with malicious content. These are the sub-phases:
First, a transaction is created with CreateTransaction.
Second, CreateFileTransacted is called to open the file within that transaction and obtain a transacted file handle, which is used for all subsequent file operations that require a handle.
Third, WriteFile is executed on that handle to overwrite the contents of the transacted file with malicious content.
In the second phase, a memory section is created from the file modified in the first phase. This is the sub-phase:
A section is created from the transacted file with NtCreateSection. Because the file was overwritten inside the transaction, the section maps the malicious executable.
This is the stage that makes the attack fileless. In the third phase, the transaction is deliberately rolled back. This removes all changes made to the file in the first phase and leaves the original file on disk; after the rollback the file on disk is identical to the original. This is the sub-phase that makes it possible:
The transaction is rolled back with RollbackTransaction, which removes the changes from the file system.
The fourth phase shows why Process Doppelgänging is an evasive technique. The researchers found an old, undocumented API (dating back to Windows XP) that can start a process from a file that was opened earlier (in the first phase). These are the sub-phases of the launch:
First, process and thread objects are created with NtCreateProcessEx and NtCreateThreadEx.
Second, process parameters are created with RtlCreateProcessParameters.
Third, memory is allocated in the new process with VirtualAllocEx, and the parameters created in the previous step are written into it with WriteProcessMemory.
Fourth, NtResumeThread starts the new process.
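As an added defender-side illustration (not code from the original article or from enSilo), the following Python correlates the API sequence above over a constructed call trace: a process created from a section that is backed by a transacted file, where that file was written to and its transaction was never committed, is flagged. The trace format, handle values and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed API-trace lines (not real telemetry). pid 4120 follows the sequence
# above; pid 5008 uses TxF normally and commits without ever mapping an image.
TRACE = """\
pid=4120 api=CreateTransaction ret=0x1a4
pid=4120 api=CreateFileTransacted path=C:\\Windows\\System32\\svchost.exe tx=0x1a4 ret=0x2b0
pid=4120 api=WriteFile handle=0x2b0 bytes=204800
pid=4120 api=NtCreateSection file=0x2b0 ret=0x2c4
pid=4120 api=RollbackTransaction tx=0x1a4
pid=4120 api=NtCreateProcessEx section=0x2c4 ret=0x2d8
pid=5008 api=CreateTransaction ret=0x3f0
pid=5008 api=CreateFileTransacted path=C:\\Users\\bob\\notes.txt tx=0x3f0 ret=0x400
pid=5008 api=WriteFile handle=0x400 bytes=512
pid=5008 api=CommitTransaction tx=0x3f0
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one 'key=value key=value' trace line into a dict (assumed format)."""
    return dict(FIELD.findall(line))

def detect(trace):
    """Flag every process created from a section backed by a transacted file."""
    findings = []
    tx_files = defaultdict(dict)   # pid -> transacted file handle -> (tx handle, path)
    written = defaultdict(set)     # pid -> transacted file handles that received WriteFile
    sections = defaultdict(dict)   # pid -> section handle -> backing transacted file handle
    tx_state = defaultdict(dict)   # pid -> tx handle -> "commit" / "rollback"
    for raw in trace.splitlines():
        ev = parse(raw)
        pid, api = ev["pid"], ev["api"]
        if api == "CreateFileTransacted":
            tx_files[pid][ev["ret"]] = (ev["tx"], ev["path"])
        elif api == "WriteFile" and ev["handle"] in tx_files[pid]:
            written[pid].add(ev["handle"])
        elif api == "NtCreateSection" and ev["file"] in tx_files[pid]:
            sections[pid][ev["ret"]] = ev["file"]
        elif api in ("RollbackTransaction", "CommitTransaction"):
            tx_state[pid][ev["tx"]] = api.replace("Transaction", "").lower()
        elif api == "NtCreateProcessEx" and ev["section"] in sections[pid]:
            fh = sections[pid][ev["section"]]
            tx, path = tx_files[pid][fh]
            # An image mapped from a transacted file that was modified and whose
            # transaction was never committed is the Doppelgänging signature.
            findings.append({"pid": pid, "path": path, "written": fh in written[pid],
                             "tx_state": tx_state[pid].get(tx, "open")})
    return findings
```

Only the process that mapped an image from a written, rolled-back transacted file is reported; the ordinary TxF user that commits is not.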
As a result, even after the file contents have been restored (in the third phase), the process is still created with the malicious content. This evaded all the AV vendors tested, for the following reasons:
The malicious payload never touches the disk.
The modified file is reverted to its original contents.
The research showed that when a sample containing “mimikatz” was run on the system normally, the AV caught it immediately. However, when “mimikatz” was executed using Process Doppelgänging, the AV present on the system could not detect it.
It is important to note that Process Doppelgänging was also found to completely evade the following AV vendors on the respective OSes they were tested on:
For Process Doppelgänging to work, it requires a great deal of knowledge about the undocumented internals of process creation (CreateProcess). The researchers also claimed that there can be no patch for it, for the following reasons:
It uses the basic Windows OS loading mechanism.
AV vendors can only develop detection strategies to counter Process Doppelgänging.
There are consequences that will play out in both the short and the long term. Regardless of the time frame, the bottom line is that Process Doppelgänging now appears to be a very stealthy malware technique.
For example, it cannot be detected or even traced back by many of the anti-malware software packages and forensics tools available today. Because of this, a cyber attacker can take other forms of malware that are blocked by current anti-malware packages and transform them to have the ability to penetrate any defensive perimeter.
Second, if Process Doppelgänging becomes a prevalent attack vector, it will have crippling consequences for businesses and corporations worldwide. The main reason is that it targets all the latest Windows-based operating systems (as described earlier). Since Windows is widely used, it’s safe to assume that the vast majority of the world’s infrastructure could be significantly disrupted if this process becomes more sophisticated over time.
Third, Process Doppelgänging can also affect those versions of the Windows operating system that were created for home, educational, and government use. As a result, if an individual were to be affected, subsequent identity theft attacks could occur with far worse consequences than today’s attacks. National security could also be threatened.
Finally, as mentioned above, the only good news is that this kind of attack is difficult to launch, as it still requires advanced knowledge of the undocumented APIs involved. This buys some time before a major attack using it occurs, but given the level of sophistication of today’s attackers, that time may not last very long.