What is Process Doppelgänging?
Understanding Process Doppelgänging: A Threat to Cybersecurity and Antivirus Software
Process Doppelgänging is a cutting-edge malware evasion technique designed to
bypass modern antivirus and
threat detection systems. To fully explain how Process Doppelgänging works, it's necessary to step back and explore the basic concepts behind it. Process Doppelgänging aims to outsmart Windows built-in
security measures whilst simultaneously eluding antivirus detection.
In technical terms, Process Doppelgänging is a code cramming technique that capitalizes on built-in functionality of the Windows process loader and relies on a carefully ordered sequence of operations to execute malicious code that ostensibly appears benign. The technique was first presented at the Black Hat security conference in 2017 by security researchers Tal Liberman and Eugene Kogan of the cyber security firm enSilo.
Typically, antivirus systems recognize and block threats using a blacklisting method: known malicious files and activities are listed and promptly blocked when encountered. To stay under the radar, Process Doppelgänging employs a 'living off the land' strategy, making creative use of legitimate tools and processes to hide malicious activity.
Process Doppelgänging operates by exploiting the design of the Microsoft Windows process loader. In brief, the critical steps of Process Doppelgänging are:
1. Transplantation: In this initial stage, a legitimate executable file is procured and then replaced with the malicious code.
2. Section object creation: An NTFS transaction is created and, once it is in place, the section object is built. The role of the NTFS (New Technology File System) transaction is to ensure that the transplantation of the code goes unnoticed by the operating system.
3. File overwriting: The legitimate file is then overwritten with the malicious code.
4. Rollback: Any alterations made to the legitimate file are quickly 'rolled back', which eliminates any visible changes that might trigger security protocols.
5. Process creation: A seemingly benign process is created that serves as the facade behind which the malicious code runs.
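As an added illustration from the defender's side (not code from the original page), the following Python models how an endpoint sensor could correlate the five steps above into a single alert: a file written inside an NTFS transaction, a section built from that file, the transaction rolled back, and a process created from the section. The telemetry records, their field names and the PIDs are constructed for this example and do not correspond to any real sensor's schema.

```python
from collections import defaultdict

# Constructed telemetry (not real EDR output): one dict per event, in the
# order a sensor might deliver them. Field names are assumed for this example.
SAMPLE_EVENTS = [
    {"pid": 4242, "op": "TxCreate", "tx": 7},
    {"pid": 4242, "op": "TransactedWrite", "tx": 7, "path": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4242, "op": "SectionCreate", "tx": 7, "path": r"C:\Windows\System32\notepad.exe", "section": 0x1C},
    {"pid": 4242, "op": "TxRollback", "tx": 7},
    {"pid": 4242, "op": "ProcessCreate", "section": 0x1C, "image": r"C:\Windows\System32\notepad.exe"},
    # Benign transactional use: write then commit, and no process is created from a section.
    {"pid": 9001, "op": "TxCreate", "tx": 8},
    {"pid": 9001, "op": "TransactedWrite", "tx": 8, "path": r"C:\ProgramData\app\config.dat"},
    {"pid": 9001, "op": "TxCommit", "tx": 8},
]


def find_doppelganging(events):
    """Return alerts as (pid, image path) tuples.

    An alert fires when, within one process: a file was written inside a
    transaction, a section was created from that transacted file, the
    transaction was rolled back, and a process was then created from the
    section. A committed transaction or a section with no rollback never fires.
    """
    written = defaultdict(set)   # (pid, tx) -> paths written inside the transaction
    sections = {}                # (pid, section handle) -> (tx, path) for transacted sections
    rolled_back = set()          # (pid, tx) pairs that were rolled back
    alerts = []
    for ev in events:
        pid, op = ev["pid"], ev["op"]
        if op == "TransactedWrite":
            written[(pid, ev["tx"])].add(ev["path"])
        elif op == "SectionCreate" and ev.get("tx") is not None:
            # Only sections backed by a file modified inside this transaction matter.
            if ev["path"] in written[(pid, ev["tx"])]:
                sections[(pid, ev["section"])] = (ev["tx"], ev["path"])
        elif op == "TxRollback":
            rolled_back.add((pid, ev["tx"]))
        elif op == "ProcessCreate" and "section" in ev:
            hit = sections.get((pid, ev["section"]))
            if hit and (pid, hit[0]) in rolled_back:
                alerts.append((pid, hit[1]))
    return alerts


if __name__ == "__main__":
    for pid, image in find_doppelganging(SAMPLE_EVENTS):
        print(f"possible process doppelganging: pid={pid} image={image}")
```

The on-disk file is unchanged after the rollback, so a file-hash check alone would miss this; the signal lies in the sequence of operations rather than in any single artifact.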
Although these steps read as straightforward, the actual operation is considerably more complex. The technique manipulates Windows' process-loading mechanism, the basic facility Windows uses to create processes from executables. With an appropriate understanding of this hierarchy, malware authors can stealthily overwrite legitimate files with malicious counterparts, with the rollback ensuring that no trace remains.
What sets Process Doppelgänging apart is its virtually bulletproof nature: it leaves no traces for most security software to catch, because the modifications are made inside a transactional NTFS transaction, a feature whose special role is to guarantee the reliability and integrity of file operations in modern Windows versions. This effectively renders the technique undetectable.
Process Doppelgänging, albeit still a rare and complex technique, represents a significant advancement in the suite of tactics employed by cybercriminals. The immense computing power and technical know-how it requires demonstrate a marked evolution in malware techniques. Despite its technically demanding nature, if applied on a large scale it could effectively neutralise traditional defensive postures, creating a need for revised approaches in security systems to counter such unprecedented and sophisticated attacks.
While the misuse of NTFS transactions for harmful activity has been known for some time, combining it with dual executable instances is what sets Process Doppelgänging apart. Not only does it raise several red flags and disturb the programmed tranquillity of Windows ecosystems, but its relatively undocumented nature ensures that anti-malware companies have significant work ahead to develop effective countermeasures.
As cyber threats become increasingly complex and versatile, so must the cyber security protocols deployed to counter them. The original revelation, demonstration and analysis of the Process Doppelgänging technique aids immensely in advancing our understanding of the labyrinthine dark landscape of cyber threats and will inevitably help build more resilient defences against potent threats to cybersecurity.
Process Doppelgänging FAQs

What is process doppelganging?
Process doppelganging is a relatively new technique used by cybercriminals to evade detection by antivirus software. It involves creating a duplicate of a legitimate process and injecting malicious code into it, making it look like a harmless process to antivirus software.

How does process doppelganging work?
Process doppelganging works by exploiting a Windows operating system feature called "transactional NTFS." This feature allows a user to create a transaction in which they can modify files without affecting the rest of the system. Cybercriminals use it to create a duplicate of a legitimate process and then inject malicious code into it. The malicious process is then run on the Windows system, appearing to be a legitimate process.

What are the risks of process doppelganging?
The risks of process doppelganging are significant, as it can allow cybercriminals to bypass antivirus software and execute malicious code on a system undetected. This can result in data theft, system compromise, and other security breaches.

How can I protect my system from process doppelganging attacks?
Protecting your system from process doppelganging attacks can be challenging, as many antivirus solutions do not yet have the ability to detect this technique. However, keeping your operating system and software up to date with the latest security patches and using a reputable antivirus solution can help reduce the risk of attack. Additionally, being cautious when downloading and opening files from unknown sources can help prevent malicious processes from being run on your system.