DoubleAgent Code-Injection Attack

Researchers have discovered a new Windows vulnerability which can allow an attacker full control of an affected system.

Threat ID:: CC-1291
Category:: Exploit
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 23 March 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Researchers have discovered a new Windows vulnerability which can allow an attacker full control of an affected system.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - all versions

Threat details

DoubleAgent is a new code-injection technique which works on all versions of Microsoft Windows operating systems from XP to 10. The DoubleAgent attack exploits a fifteen year old undocumented, legitimate feature of Windows called Application Verifier which cannot be patched.

Application Verifier is a tool that loads DLLs (Dynamic Link Library) into running processes for testing purposes, allowing developers to detect and fix programming errors. The vulnerability resides in the way Application Verifier handles DLLs.

DLLs are bound to a target process in a Windows Registry entry but an attacker is able to replace legitimate DLLs with a malicious DLL, achieving persistence on the system. Once a custom DLL has been injected, the attacker is able to take full control of the affected system and perform further malicious activities such as installing backdoors or persistent malware.

The majority of mainstream security applications are susceptible to the DoubleAgent attack which could be exploited to disable the security product, making it blind to malware and cyber-attacks.

Remediation steps

Type	Step
	All day to day computer activities such as checking email and browsing the web are performed using non- administrative accounts and that permissions are always assigned on the basis of least privilege. Ensure strong network perimeter defences are implemented. Monitor firewall and ICT asset logs for signs of suspicious activity and unauthorised access. Ensure that all ICT including: hardware/firmware, security products, operating systems, applications, browsers and plugins are in vendor support and kept up to date with the latest security updates. Your organisation adopts a holistic all round approach to Cyber Security as advocated by the 10 Steps To Cyber Security.

Type

Step

All day to day computer activities such as checking email and browsing the web are performed using non- administrative accounts and that permissions are always assigned on the basis of least privilege.
Ensure strong network perimeter defences are implemented.
Monitor firewall and ICT asset logs for signs of suspicious activity and unauthorised access.
Ensure that all ICT including: hardware/firmware, security products, operating systems, applications, browsers and plugins are in vendor support and kept up to date with the latest security updates.
Your organisation adopts a holistic all round approach to Cyber Security as advocated by the 10 Steps To Cyber Security.

Last edited: 17 February 2020 11:30 am