Thursday, December 7, 2017

What the security folks always feared - Memory-based Malware (No Files) - Process Doppelgänging (PoC)

Process Doppelgänging - Works on All Windows Versions

The attack works on all modern versions of the Microsoft Windows operating system, from Windows Vista through the latest version of Windows 10.

According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps, as described below:

  1. Transact—open an NTFS transaction on a legitimate executable and overwrite it, inside the transaction, with a malicious file.
  2. Load—create a memory section from the modified (malicious) file.
  3. Rollback—roll back the transaction (deliberately failing it), which removes all changes to the legitimate executable as if they never existed.
  4. Animate—bring the doppelgänger to life. Use the older implementation of the Windows process loader to create a process from the memory section created in step 2, which is actually malicious and was never saved to disk, "making it invisible to most recording tools such as modern EDRs."
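As an added illustration (not code from the article or from the researcher's PoC), the following Python model of transactional file writes shows why the rollback in step 3 leaves the on-disk file clean while the section from step 2 keeps the transacted content, and why a defender's check has to compare the mapped image against the backing file rather than trust the file alone. The class and function names, the simplified transaction semantics and the sample file contents are assumptions, not Windows APIs.

```python
import hashlib

class TransactedVolume:
    """Toy model of an NTFS volume with transactional file writes (assumed, simplified semantics)."""
    def __init__(self):
        self.files = {}        # committed on-disk content
        self.pending = {}      # uncommitted writes inside the open transaction
        self.in_transaction = False

    def write(self, path, data):
        self.files[path] = data                       # normal, committed write

    def begin_transaction(self):
        self.in_transaction = True
        self.pending = {}

    def transacted_write(self, path, data):
        if not self.in_transaction:
            raise RuntimeError("no open transaction")
        self.pending[path] = data                     # visible only through the transacted view

    def view(self, path):
        return self.pending.get(path, self.files.get(path))   # pending write shadows disk content

    def rollback(self):
        self.pending = {}                             # discard changes; on-disk content untouched
        self.in_transaction = False

class ImageSection:
    """Memory section created from a file view; keeps its content after the transaction is gone."""
    def __init__(self, content):
        self.content = content

def simulate_doppelganging(volume, path, payload):
    volume.begin_transaction()
    volume.transacted_write(path, payload)            # 1. Transact: overwrite inside the transaction
    section = ImageSection(volume.view(path))         # 2. Load: section built from the transacted view
    volume.rollback()                                 # 3. Rollback: the disk never changed
    return section                                    # 4. Animate: this section would back the process

def image_matches_disk(volume, path, section):
    """Defender-side check: does the mapped image match the file that supposedly backs it?"""
    return hashlib.sha256(volume.files.get(path, b"")).digest() == hashlib.sha256(section.content).digest()

def demo():
    vol = TransactedVolume()
    vol.write("C:/Windows/legit.exe", b"LEGIT")      # constructed sample: benign on-disk executable
    section = simulate_doppelganging(vol, "C:/Windows/legit.exe", b"EVIL")   # constructed payload bytes
    return vol.files["C:/Windows/legit.exe"], section.content, image_matches_disk(vol, "C:/Windows/legit.exe", section)
```

Hashing the file on disk reports the benign content, which is exactly why a file-only scan misses this; the mismatch between image and file is the signal worth alerting on.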

For more:
https://thehackernews.com/2017/12/malware-process-doppelganging.html
