The fileless code injection technique called Process Doppelgänging is actively being used by not just one or two but a large number of malware families in the wild, a new report shared with The Hacker News revealed.
Discovered in late 2017, Process Doppelgänging is a fileless variation of the Process Injection technique that takes advantage of a built-in Windows function to evade detection and works on all modern versions of the Microsoft Windows operating system.
The Process Doppelgänging attack works by using a Windows feature called Transactional NTFS (TxF) to launch a malicious process in place of the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.
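The detection angle that follows from the description above is that the file on disk is never changed: the payload lives only inside an NTFS transaction that is rolled back. The following is an added example, not code from the article or from the report it cites, that correlates constructed sensor events (a hypothetical schema with event kinds TransactionCreate, TransactedWrite, TransactionCommit, TransactionRollback and ProcessCreate, all assumed here) and flags a process that launches an image it wrote inside a transaction which was never committed. A legitimate TxF user that commits its transaction is not flagged.

```python
"""Correlation rule for the TxF pattern described in the article.

The event schema and the sample events are constructed for this example;
they do not come from any particular sensor or vendor."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since some epoch
    pid: int           # process that performed the action
    kind: str          # TransactionCreate | TransactedWrite | TransactionCommit
                       # | TransactionRollback | ProcessCreate
    path: str = ""     # file written (TransactedWrite) or image launched (ProcessCreate)
    child_pid: int = 0 # new process id for ProcessCreate events


WINDOW = 30  # max seconds between the transacted write and the process launch


def find_doppelganging(events, window=WINDOW):
    """Return (pid, child_pid, image) triples where a process wrote a file inside
    an NTFS transaction that was not committed (still open, or rolled back) and
    then launched a process whose image path is that same file."""
    events = sorted(events, key=lambda e: e.ts)
    pending = defaultdict(list)      # pid -> [(ts, path)] writes in an open transaction
    rolled_back = defaultdict(list)  # pid -> [(ts, path)] writes that never hit disk
    hits = []
    for e in events:
        if e.kind == "TransactionCreate":
            pending[e.pid] = []
        elif e.kind == "TransactedWrite":
            pending[e.pid].append((e.ts, e.path))
        elif e.kind == "TransactionCommit":
            pending[e.pid] = []          # changes landed on disk: ordinary TxF use
        elif e.kind == "TransactionRollback":
            rolled_back[e.pid].extend(pending[e.pid])
            pending[e.pid] = []
        elif e.kind == "ProcessCreate":
            # the launch may happen before or after the rollback, so check both lists
            for ts, path in pending[e.pid] + rolled_back[e.pid]:
                if path.lower() == e.path.lower() and 0 <= e.ts - ts <= window:
                    hits.append((e.pid, e.child_pid, e.path))
                    break
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # loader pid 4100 stages a payload over a system binary inside a transaction,
    # launches from it, then rolls the transaction back so the disk file is untouched
    Event(100, 4100, "TransactionCreate"),
    Event(101, 4100, "TransactedWrite", r"C:\Windows\System32\svchost.exe"),
    Event(103, 4100, "ProcessCreate", r"C:\Windows\System32\svchost.exe", child_pid=4188),
    Event(104, 4100, "TransactionRollback"),
    # installer pid 2200 uses TxF legitimately and commits before launching
    Event(200, 2200, "TransactionCreate"),
    Event(201, 2200, "TransactedWrite", r"C:\Program Files\Acme\acme.exe"),
    Event(202, 2200, "TransactionCommit"),
    Event(205, 2200, "ProcessCreate", r"C:\Program Files\Acme\acme.exe", child_pid=2260),
    # ordinary process start with no transaction involved
    Event(300, 900, "ProcessCreate", r"C:\Windows\explorer.exe", child_pid=950),
]


if __name__ == "__main__":
    for pid, child, image in find_doppelganging(SAMPLE_EVENTS):
        print(f"pid {pid} launched {image} (child {child}) from an uncommitted transaction")
```

Only the loader sequence is reported; the installer that commits and the plain explorer.exe start fall through. The time window keeps an unrelated later launch of the same image from matching an old transaction.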
A few months after the disclosure of this technique, a variant of the SynAck ransomware became the first-ever malware exploiting the Process Doppelgänging technique, targeting users in the United States, Kuwait, Germany, and Iran.
Shortly after that, researchers discovered a dropper (loader) for the Osiris banking trojan that was also using this technique in combination with a previously discovered similar malware evasion technique called Process Hollowing.
Now it turns out that it was not just SynAck or Osiris, but more than 20 different malware families—including FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat, Pony stealer, and GandCrab ransomware—that have been using malware loaders that leverage this hybrid implementation of the Process Doppelgänging attack to evade detection.