Process Doppelgänging Utilized by Popular Malware Families to Evade Detection

Of late, the fileless code injection technique known as Process Doppelgänging has been widely and actively used by not just one or two but a large number of malware families worldwide, according to a new report. Process Doppelgänging was discovered in late 2017 and is a fileless variation of the process injection technique: it takes advantage of built-in Windows functionality to evade detection, and it works on all modern versions of the Microsoft Windows operating system.


As the sources reveal, the Process Doppelgänging attack works by abusing a Windows feature called Transactional NTFS (TxF) to launch a malicious process by replacing the memory of a legitimate process, tricking process-monitoring tools and antivirus software into believing that the legitimate process is running. A few months after the technique was discovered, a variant of the SynAck ransomware became the first malware to exploit Process Doppelgänging, targeting users in the United States, Kuwait, Germany, and Iran. Researchers then discovered a dropper (loader) for the Osiris banking Trojan that also used this technique, combined with a previously known, similar evasion technique called Process Hollowing.


It has now turned out that it was not just SynAck or Osiris: over 20 different malware families have been using loaders that leverage this hybrid implementation of the Process Doppelgänging attack to evade detection, including FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat, Pony stealer, and GandCrab ransomware. After analyzing hundreds of malware samples, security researchers at enSilo identified at least seven distinct versions of such a loader, which they dubbed "TxHollower," in use by various malware authors.
