Doppelgänger is a German-derived word for an apparition or double of a living person. Process Doppelgänging is a code injection technique that abuses the Microsoft Windows NTFS transaction mechanism (Transactional NTFS, TxF) to run malicious code without it ever appearing on disk: the payload is written into a legitimate executable inside a transaction, a process is created from that transacted image, and the transaction is then rolled back, so the file on disk is unchanged while the running process looks like the legitimate program. The goal is to evade detection by antivirus software.[1] Process Doppelgänging is similar to the older Process Hollowing technique.[2][3]
The Process Doppelgänging technique was first publicly presented in December 2017 at the Black Hat Europe security conference. Several malware strains have since adopted Process Doppelgänging as a way to run on victim computers. The first ransomware known to use it is SynAck, a family first seen in late summer 2017 that has resurfaced with a variant using this technique.[1]
That SynAck variant is well crafted: it employs a strong encryption routine and is heavily obfuscated to hinder reverse engineering. Combined with an injection technique that evades antivirus, this makes it dangerous to Windows users.
There is no current Microsoft patch for Process Doppelgänging.
Mitigation and Recommendations:
Because the technique abuses a legitimate Windows feature rather than exploiting a bug, there is no patch to apply. The following precautions can be employed:
- Ensure your operating system (OS) and all security software are fully patched and that detection definitions are up to date.
- Never open attachments you are not expecting or that were sent by people you do not know or trust. Browse only to trusted websites.
- Ensure you always have a data backup plan. Portable hard drives are inexpensive compared to the loss of sensitive data.
- Use a reboot-to-restore program (if attacked, a simple reboot returns your computer to its initial configuration).
- If you receive a ransom note, you can identify the family with a ransomware checker such as: https://id-ransomware.malwarehunterteam.com/
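Since there is nothing to patch, detection is the practical control. The script below is an added illustration (it is not Wapack Labs' tooling and not a published signature) of a static triage check that flags a Windows binary referencing the API chain Process Doppelgänging depends on: transacted file writes (CreateFileTransacted) together with process creation from a section (NtCreateProcessEx). The grouping of APIs and the flagging rule are the editor's assumptions, and the two sample byte strings are constructed for the demonstration rather than taken from real malware.

```python
"""Static triage heuristic for the Process Doppelgänging API chain.

Added example: the API grouping and the flagging rule are assumptions made
for illustration, not a vendor signature.  Run on an unpacked sample or a
memory dump; packed samples hide these strings until unpacked.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Transacted NTFS file I/O (ktmw32.dll / kernel32.dll): used to stage the
# payload inside a transaction and discard it with a rollback.
TXF_APIS = (
    "CreateTransaction",
    "CreateFileTransactedW",
    "CreateFileTransactedA",
    "RollbackTransaction",
)
# Native section/process APIs (ntdll.dll): used to run the staged image.
NATIVE_PROCESS_APIS = (
    "NtCreateSection",
    "NtCreateProcessEx",
    "NtCreateThreadEx",
    "RtlCreateProcessParametersEx",
)


def _encodings(name: str) -> tuple[bytes, bytes]:
    # Import-table names are ASCII; names resolved at runtime through
    # GetProcAddress are often stored as UTF-16LE strings.  Check both.
    return name.encode("ascii"), name.encode("utf-16-le")


def find_api_references(blob: bytes) -> dict[str, list[int]]:
    """Return {api_name: [byte offsets]} for every watched API found in blob."""
    hits: dict[str, list[int]] = {}
    for name in TXF_APIS + NATIVE_PROCESS_APIS:
        offsets = [
            m.start()
            for enc in _encodings(name)
            for m in re.finditer(re.escape(enc), blob)
        ]
        if offsets:
            hits[name] = sorted(offsets)
    return hits


@dataclass
class Verdict:
    suspicious: bool
    txf_hits: list[str]
    native_hits: list[str]
    reason: str


def assess(blob: bytes) -> Verdict:
    """Flag the API combination, not either group alone: installers and backup
    tools legitimately use TxF, and some loaders map sections without ever
    touching a transaction."""
    hits = find_api_references(blob)
    txf = [n for n in TXF_APIS if n in hits]
    native = [n for n in NATIVE_PROCESS_APIS if n in hits]
    stages_in_transaction = any(n.startswith("CreateFileTransacted") for n in txf)
    creates_process_from_section = "NtCreateProcessEx" in native
    if stages_in_transaction and creates_process_from_section:
        reason = ("writes a file inside an NTFS transaction and creates a process "
                  "with NtCreateProcessEx; matches the Process Doppelgänging API chain")
        return Verdict(True, txf, native, reason)
    if txf or native:
        return Verdict(False, txf, native, "partial match only; review manually")
    return Verdict(False, txf, native, "no watched APIs referenced")


# Constructed samples (not real binaries): API names embedded in filler bytes.
# A legitimate transacted-I/O user that commits and never creates a process:
CLEAN_SAMPLE = (
    b"\x00" * 64 + b"CreateTransaction\x00" + b"CreateFileTransactedW\x00"
    + b"CommitTransaction\x00" + b"CreateProcessW\x00" + b"\x00" * 64
)
# A loader that stages a payload in a transaction, rolls it back, and builds
# the process from the section (CreateFileTransactedW stored as UTF-16LE):
SUSPECT_SAMPLE = (
    b"\x00" * 64 + b"CreateTransaction\x00"
    + "CreateFileTransactedW".encode("utf-16-le") + b"\x00\x00"
    + b"NtCreateSection\x00" + b"NtCreateProcessEx\x00" + b"NtCreateThreadEx\x00"
    + b"RollbackTransaction\x00" + b"\x00" * 64
)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        v = assess(sample)
        print(f"{label}: suspicious={v.suspicious} txf={v.txf_hits} native={v.native_hits}")
        print(f"  {v.reason}")
```

The clean sample shows why the rule looks for the combination: it references CreateTransaction and CreateFileTransactedW, as a legitimate installer might, and is only reported as a partial match. Two caveats apply in practice: a heavily obfuscated sample such as SynAck will not expose these strings until it is unpacked or dumped from memory, and a string match is a triage lead, not proof, so it should be paired with runtime telemetry (for example, a process whose mapped image does not match the file at its image path).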
If you are interested in more information on this subject, please contact us at feedback@wapacklabs.com
[1] https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/
[2] https://thehackernews.com/2017/12/malware-process-doppelganging.html
[3] Process hollowing occurs when a process is created in a suspended state and its memory is then unmapped and replaced with malicious code. As with process injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis.