In this article, a new injection technique named “Process Doppelgänging” is reviewed. The technique was unveiled at Black Hat Europe by two security researchers from enSilo. It is important to note that it affects all recent editions of Windows, from Windows Vista to Windows 10.
Process Doppelgänging is similar to Process Hollowing, a technique in which malware replaces the code of a legitimate process with malicious code while the process itself still looks legitimate: the image name, path and command line remain unchanged when compared to the legitimate process. As a result, Process Doppelgänging appears to be a fileless attack when it is launched.
Process Doppelgänging utilizes Windows NTFS transactions, a concept based on atomic transactions applied to NTFS file operations (create, delete, modify, etc.). Transactional NTFS (TxF) integrates transactions into the NTFS file system, which makes it easier for application developers and administrators to handle errors and preserve data integrity.
In other words, with NTFS transactions many file operations can be performed as a single unit whose outcome is either accepted or rejected: when the transaction is accepted it is committed, and when it is rejected it is rolled back. Process Doppelgänging uses exactly these features to hide and run the malware.
There is more to how Process Doppelgänging uses NTFS transactions, and the specific sequence is detailed below in four phases:
Phase 1. In this phase, a legitimate executable is opened inside a transaction and its contents are overwritten with a malicious file. These are the sub-steps:
- First, a transaction is created using CreateTransaction.
- Second, CreateFileTransacted is called to obtain a transacted file handle, which is then used for all subsequent file operations that require a handle.
- Third, WriteFile is executed, which overwrites the contents of the transacted file with the malicious content.
Phase 2. In this phase, a memory section is created from the file modified in phase 1. This is the sub-step:
- A section is created from the transacted file using NtCreateSection. This section points to the malicious executable.
Phase 3. This is the phase that makes the attack fileless. The transaction is deliberately rolled back, which removes all the changes made to the file in phase 1 and leaves the original file on disk; the result of the rollback is the same original file. This is the sub-step that makes this possible:
- The transaction is rolled back using RollbackTransaction, which removes the changes from the file system.
Phase 4. This phase shows how Process Doppelgänging is an evasive technique. The researchers found an old command (dating from Windows XP) that can execute a process from a file that was previously opened (in phase 1). Here are the sub-steps to launch it:
- First, process and thread objects are created using NtCreateProcessEx and NtCreateThreadEx.
- Second, the process parameters are created using RtlCreateProcessParameters.
- Third, space is allocated in the new process using VirtualAllocEx, and the parameters created in the previous step are written into it using WriteProcessMemory.
- Fourth, the new process is started using NtResumeThread.
The result is that even after the file contents have been rolled back (phase 3), the process can still be created with the malicious content. This evades the AV products for the following reasons:
- The malicious content never reaches the disk.
- The modified file is rolled back to its original content.
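The two conditions just listed are also what a defender can look for: the file on disk is the original, yet the process is executing something else, so the PE header mapped at the process's image base no longer matches the header at the start of the file. The following example is added here and is not code from the article or from enSilo; it runs that comparison in Python over constructed process records, and the record fields, the header length and the sample paths are assumptions.

```python
"""Spot processes whose executing image no longer matches their file on disk.

After a Process Doppelgänging rollback the on-disk file is the original,
but the process was created from a section holding different content, so
the PE header at the process's image base differs from the header at the
start of the file. The records below are constructed sample data, not the
output of any real tool; on a live system the header bytes would come from
reading the file and from reading process memory at the image base.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 512  # assumption: enough to cover the DOS and PE headers of the samples


@dataclass
class ProcessRecord:
    pid: int
    image_path: str
    disk_header: Optional[bytes]  # first HEADER_LEN bytes of image_path, or None if the file is absent
    mapped_header: bytes          # first HEADER_LEN bytes at the process's mapped image base


def digest(data: bytes) -> str:
    """SHA-256 of the header bytes, so findings can be reported without dumping content."""
    return hashlib.sha256(data).hexdigest()


def classify(rec: ProcessRecord) -> str:
    """Return 'ok', 'not-pe', 'missing-file' or 'image-mismatch' for one process."""
    if not rec.mapped_header.startswith(b"MZ"):
        return "not-pe"            # nothing PE-like at the image base; worth a closer look
    if rec.disk_header is None:
        return "missing-file"      # the path the process claims to run from has no file
    if digest(rec.disk_header) != digest(rec.mapped_header):
        return "image-mismatch"    # the Doppelgänging symptom: memory and disk disagree
    return "ok"


def scan(records):
    """Return (pid, image_path, verdict, mapped_header_sha256) for every record that is not 'ok'."""
    findings = []
    for rec in records:
        verdict = classify(rec)
        if verdict != "ok":
            findings.append((rec.pid, rec.image_path, verdict, digest(rec.mapped_header)))
    return findings


def fake_header(marker: bytes) -> bytes:
    """Constructed stand-in for a PE header: 'MZ' followed by a marker, zero padded."""
    return (b"MZ" + marker).ljust(HEADER_LEN, b"\0")


# Constructed sample records (paths and contents are illustrative only).
SAMPLE_RECORDS = [
    # Legitimate process: file and mapped image agree.
    ProcessRecord(1000, r"C:\Windows\System32\svchost.exe",
                  fake_header(b"svchost-build-1"), fake_header(b"svchost-build-1")),
    # Doppelgänged process: disk was rolled back to the original, memory holds other content.
    ProcessRecord(2000, r"C:\Windows\System32\calc.exe",
                  fake_header(b"calc-original"), fake_header(b"different-payload")),
    # Process whose backing file is gone entirely.
    ProcessRecord(3000, r"C:\Temp\installer.exe", None, fake_header(b"installer")),
]

if __name__ == "__main__":
    for pid, path, verdict, sha in scan(SAMPLE_RECORDS):
        print(f"pid={pid} image={path} verdict={verdict} mapped_sha256={sha[:16]}...")
```

Only the header region is compared because relocation and import resolution legitimately change the rest of a mapped image, which would otherwise produce false positives. A mismatch is a lead rather than a verdict: a file that was updated on disk after the process started (a normal software update) shows the same symptom, so the finding should be paired with the process's start time and the file's modification time before it is escalated.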
The research demonstrated that when a “mimikatz” sample was run normally on a system, it was instantly caught by the AV. However, when “mimikatz” was executed using Process Doppelgänging, the AV present on the system could not detect it.
It is important to note that Process Doppelgänging was found to be completely evasive against the following AV products, on the operating systems on which they were tested:
| AV Product | OS tested | Result |
| --- | --- | --- |
| Windows Defender | Windows 10 | Bypass |
| AVG Internet Security | Windows 10 | Bypass |
| Qihoo 360 | Windows 10 | Bypass |
| ESET NOD 32 | Windows 10 | Bypass |
| Symantec Endpoint Protection | Windows 7 SP1 | Bypass |
| McAfee VSE 8.8 Patch 6 | Windows 7 SP1 | Bypass |
| Kaspersky Endpoint Security 10 | Windows 7 SP1 | Bypass |
| Kaspersky Antivirus 18 | Windows 7 SP1 | Bypass |
| Symantec Endpoint Protection 14 | Windows 7 SP1 | Bypass |
Making Process Doppelgänging work takes a lot of knowledge of undocumented features of the CreateProcess command. However, the researchers claim that there cannot be a patch for it, for the following reasons:
- It exploits a fundamental mechanism of Windows process loading.
- AV vendors can only develop detection strategies to counter Process Doppelgänging.
There are implications that will be felt in both the short and the long term. Irrespective of the time frame, the bottom line is that Process Doppelgänging now seems to be a very covert kind of malware.
For example, it cannot be detected or traced back by many of the anti-malware and forensics packages available today. Because of this, a cyber attacker can take other forms of malware that are currently blocked by present-day anti-malware packages and repurpose them so that they gain the ability to penetrate a defense perimeter.
Second, if Process Doppelgänging becomes a prevalent attack vector, it will have crippling consequences for businesses and corporations worldwide, primarily because it targets all recent Windows-based OSs (as described earlier). Given how widely Windows is used, a large majority of the world’s infrastructure could be significantly impeded if this technique becomes more sophisticated over time.
Third, Process Doppelgänging also affects the versions of Windows created for home, educational and government use. As a result, if individuals were impacted, subsequent identity theft attacks could have far more dire consequences than present-day attacks, and national security could be on the line as well.
Lastly, as discussed above, the only good news is that this kind of attack is hard to launch, because it so far requires advanced knowledge of the commands reviewed. This does buy some time before a major cyber-attack occurs, but given the sophistication of today’s cyber attackers, this time frame may not last long.