
Process Doppelgänging

A new malware evasion technique has been discovered, called Process Doppelgänging, that exploits a built-in Windows New Technology File System (NTFS) transaction function, allowing malware to be bundled into a Windows system undetected.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Affected platforms

The following platforms are known to be affected:

Threat details

Process Doppelgänging uses NTFS transactions to modify an executable file, which is then executed but never committed to disk, so the modified content remains invisible to security products. The process-loading mechanism is used to create a process from the executable modified inside the transaction, after which the transaction is rolled back and the changes to the file are discarded. The result is a running process created from the modified file, without triggering any security processes.

In a successful attack, any type of malware can be placed on the system. However, once the malware has been placed on the system it is no longer hidden. The technique is reported to work on all but two modern versions of Windows (Windows Vista onwards), as it exploits a key built-in function. Testing showed that Process Doppelgänging goes undetected by most antivirus products as well as by more advanced forensic tools.

On Windows 10 Redstone and Fall Creators Update, a bug causes the technique to crash the system. While it cannot be used to install malware undetected on these versions, it could potentially be used as a method of carrying out a Denial of Service (DoS) attack.

Successful exploitation of Process Doppelgänging requires physical access to the target; it could also be delivered through a remote code execution-style attack.

As of publication, the list below shows the antivirus products, and the operating systems, on which the technique has been tested:

  • Windows Defender (Windows 10)
  • AVG Internet Security (Windows 10)
  • Bitdefender (Windows 10)
  • ESET NOD 32 (Windows 10)
  • Qihoo 360 (Windows 10)
  • Symantec Endpoint Protection (Windows 7 SP1)
  • McAfee VSE 8.8 Patch (Windows 7 SP1)
  • Kaspersky Endpoint Security 10 (Windows 7 SP1)
  • Kaspersky Antivirus 18 (Windows 7 SP1)
  • Symantec Endpoint Protection 14 (Windows 7 SP1)
  • Panda (Windows 8.1)
  • Avast (Windows 8.1)

Remediation steps

  • Ensure that antivirus and other security products are updated to the latest version.
  • Ensure that machines are secured and cannot be accessed by unauthorised parties.
  • Prevent remote code execution by implementing patches and updates issued by Microsoft.
  • Monitor systems for any unexpected transaction rollbacks.
  • Perform antivirus scans on a regular schedule.
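The monitoring step above can be made concrete by correlating transaction activity with process creation. The following Python script is an added example written for this page, not code from NHS Digital or from the original research. It assumes hypothetical endpoint telemetry in which transacted file writes, process creations and commit/rollback events are all tagged with the NTFS transaction they belong to; the event names, field names and sample records are constructed for the example and are not real Windows event-log fields. It flags the sequence described under Threat details (a file modified inside a transaction, a process created from that modified image, and the transaction then rolled back) while ignoring committed transactions and rollbacks with no process created from the transacted file.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample telemetry for this example (not real Windows event-log or
# security-product output). Each line is one JSON record; records that belong
# to an NTFS transaction carry its identifier in "tx".
SAMPLE_LINES = [
    # T1: a legitimate installer writes a file inside a transaction and commits it.
    '{"ts": 1, "tx": "T1", "event": "tx_create"}',
    '{"ts": 2, "tx": "T1", "event": "tx_file_write", "path": "C:\\\\Program Files\\\\App\\\\app.exe"}',
    '{"ts": 3, "tx": "T1", "event": "tx_commit"}',
    '{"ts": 4, "tx": null, "event": "process_create", "pid": 4100, "path": "C:\\\\Program Files\\\\App\\\\app.exe"}',
    # T2: suspicious - the file is rewritten inside the transaction, a process is
    # created from the transacted image, and the transaction is then rolled back.
    '{"ts": 5, "tx": "T2", "event": "tx_create"}',
    '{"ts": 6, "tx": "T2", "event": "tx_file_write", "path": "C:\\\\Users\\\\Public\\\\notepad.exe"}',
    '{"ts": 7, "tx": "T2", "event": "process_create", "pid": 5120, "path": "C:\\\\Users\\\\Public\\\\notepad.exe"}',
    '{"ts": 8, "tx": "T2", "event": "tx_rollback"}',
    # T3: a rollback with no process created from the transacted file (benign failure).
    '{"ts": 9, "tx": "T3", "event": "tx_create"}',
    '{"ts": 10, "tx": "T3", "event": "tx_file_write", "path": "C:\\\\Temp\\\\update.tmp"}',
    '{"ts": 11, "tx": "T3", "event": "tx_rollback"}',
]


@dataclass
class TxState:
    """Everything observed about one NTFS transaction."""
    tx_id: str
    modified_files: Set[str] = field(default_factory=set)
    image_loads: List[Tuple[int, str]] = field(default_factory=list)
    outcome: Optional[str] = None  # "tx_commit", "tx_rollback", or None while still open


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one canonical form.
    return path.lower()


def correlate(events: List[dict]) -> List[dict]:
    """Return one alert per process whose image was taken from a file that was
    modified inside a transaction which was later rolled back."""
    txs: Dict[str, TxState] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tx_id = ev.get("tx")
        if tx_id is None:
            continue  # not transacted: nothing to correlate here
        tx = txs.setdefault(tx_id, TxState(tx_id))
        kind = ev["event"]
        if kind == "tx_file_write":
            tx.modified_files.add(_norm(ev["path"]))
        elif kind == "process_create" and _norm(ev["path"]) in tx.modified_files:
            tx.image_loads.append((ev["pid"], ev["path"]))
        elif kind in ("tx_commit", "tx_rollback"):
            tx.outcome = kind

    alerts: List[dict] = []
    for tx in txs.values():
        # Only the rolled-back case is flagged: a committed transaction leaves the
        # modified file on disk where ordinary scanning can see it.
        if tx.outcome == "tx_rollback":
            for pid, path in tx.image_loads:
                alerts.append({
                    "tx": tx.tx_id,
                    "pid": pid,
                    "path": path,
                    "reason": "process image taken from a transacted file whose changes "
                              "were rolled back (possible Process Doppelgänging)",
                })
    return alerts


def detect(lines: List[str]) -> List[dict]:
    """Parse JSON-lines telemetry and run the correlation over it."""
    return correlate([json.loads(line) for line in lines])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run against the constructed sample, only transaction T2 produces an alert; T1 is committed and T3 never had a process created from its modified file. The check is a correlation over a transaction's lifecycle rather than a file scan, which is the point: by the time the transaction is rolled back, the file on disk is back to its original content and a disk-based scan has nothing to find.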

Last edited: 17 February 2020 11:37 am