Security researchers have discovered a new malicious technique that helps malware evade detection on an infected system. Called Process Ghosting, the technique could be exploited by a threat actor to bypass security protections and run malicious code on a Windows system.
Detailed by Elastic Security researcher Gabriel Landau, the technique is an image tampering attack, which is somewhat similar to previous attacks called Doppelgänging and Herpaderping.
“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF),” Landau said.
Process Ghosting Explained
As already mentioned, Process Ghosting is related to the previous endpoint bypass methods Doppelgänging and Herpaderping. Both of those methods involve injecting malicious code into the address space of a legitimate application’s live process, so that the code then executes from within the trusted app.
Process Herpaderping, in particular, obscures the behavior of a running process by modifying the executable on disk after the image has been mapped into memory. This is possible because of a gap between the time a process is created and the time a security product is notified of its creation, which gives malware authors a window in which to tamper with the executable before the security program scans it.
“We can build upon Doppelgänging and Herpaderping to run executables that have already been deleted,” Landau explained. Process Ghosting exploits the fact that Windows only starts preventing a mapped executable from being modified or deleted once the binary has been mapped into an image section.
“This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section,” the researcher added. This is at the heart of Process Ghosting.
These are the steps that Process Ghosting requires for its execution:
- Create a file.
- Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation).
  - Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
- Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
- Create an image section for the file.
- Close the delete-pending handle, deleting the file.
- Create a process using the image section.
- Assign process arguments and environment variables.
- Create a thread to execute in the process.
Elastic Security also provided a proof-of-concept demo in which Windows Defender attempts to open a malicious payload executable. The scan fails first because the file is in a delete-pending state, and fails again once the file has been deleted, so the payload runs unhampered.
The technique was reported to the Microsoft Security Response Center in May 2021; however, the Windows maker said the issue doesn’t meet its bar for servicing. Notably, the Process Herpaderping technique received a similar response when it was disclosed in July last year.
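The Defender demo above and the Herpaderping description earlier both come down to one defender-side question: at the moment a security product is notified of a new process, do the bytes on disk at the image path still match what was mapped, and is the file even there? The following is an added example written for this article, not code from Elastic or from the original post. It models process-creation events as constructed JSON lines and the disk as a dictionary so it runs offline; the event field mapped_image_sha256 and the helper names are hypothetical, and a real sensor would obtain the mapped image bytes from its own kernel callback.

```python
"""Added example (not from the original article or from Elastic's code): a
defender-side classifier that flags the two image-tampering patterns the
article describes, Process Ghosting (file gone or delete-pending at
notification time) and Herpaderping-style modification after mapping.

Assumptions (hypothetical, constructed for this example):
- A process-creation event carries the image path the process was started
  from and a SHA-256 of the bytes that were actually mapped into the image
  section ("mapped_image_sha256" is an invented field name).
- The "disk" is a dict mapping path -> file bytes; a missing key means the
  file no longer exists, and a value of None means the file exists but
  cannot be opened (delete-pending), so no real filesystem is touched.
"""
import hashlib
import json
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def classify_event(event: dict, disk: Dict[str, Optional[bytes]]) -> str:
    """Return one of 'ok', 'ghosted', 'unreadable' or 'tampered'.

    ghosted    - image path no longer exists at notification time
                 (Process Ghosting: file deleted before process creation)
    unreadable - path exists but cannot be opened, matching the failed
                 delete-pending scan in the Windows Defender demo
    tampered   - on-disk bytes differ from the mapped image
                 (Herpaderping-style modification after mapping)
    """
    path = event["image_path"]
    if path not in disk:
        return "ghosted"
    content = disk[path]
    if content is None:
        return "unreadable"
    if sha256_hex(content) != event["mapped_image_sha256"]:
        return "tampered"
    return "ok"


def triage(jsonl: str, disk: Dict[str, Optional[bytes]]) -> Dict[int, str]:
    """Map pid -> verdict for every event in a JSON-lines feed that is not 'ok'."""
    findings: Dict[int, str] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify_event(event, disk)
        if verdict != "ok":
            findings[event["pid"]] = verdict
    return findings


# Constructed sample data: stand-ins for a benign binary and a payload.
BENIGN = b"MZ-constructed-benign-image-bytes"
PAYLOAD = b"MZ-constructed-payload-image-bytes"

# Constructed view of the disk at the time the sensor is notified.
SAMPLE_DISK: Dict[str, Optional[bytes]] = {
    r"C:\Windows\System32\notepad.exe": BENIGN,
    r"C:\Users\alice\AppData\Local\Temp\updater.exe": BENIGN,  # rewritten after mapping
    r"C:\Users\alice\AppData\Local\Temp\pending.exe": None,     # delete-pending, cannot open
}

# Constructed process-creation events (JSON lines), one per scenario.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 1001, "image_path": r"C:\Windows\System32\notepad.exe",
     "mapped_image_sha256": sha256_hex(BENIGN)},
    {"pid": 1002, "image_path": r"C:\Users\alice\AppData\Local\Temp\ghost.exe",
     "mapped_image_sha256": sha256_hex(PAYLOAD)},
    {"pid": 1003, "image_path": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "mapped_image_sha256": sha256_hex(PAYLOAD)},
    {"pid": 1004, "image_path": r"C:\Users\alice\AppData\Local\Temp\pending.exe",
     "mapped_image_sha256": sha256_hex(PAYLOAD)},
])

if __name__ == "__main__":
    for pid, verdict in sorted(triage(SAMPLE_EVENTS, SAMPLE_DISK).items()):
        print(f"pid {pid}: {verdict}")
```

The verdict depends entirely on when the check runs: the article's point is that notification arrives after the process already exists, so a product that only scans the path it is handed will see "ghosted" or "unreadable" and cannot recover the payload from disk. Hashing the mapped section itself, rather than re-reading the file, is what makes the "tampered" case detectable at all.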
Other Evasion Techniques Malware Authors Use
In December 2020, security researchers reported that a new malicious service is enabling cybercriminals to improve their detection evasion mechanisms. Called obfuscation-as-a-service, the service shows how “robust the cybercriminal economy is,” as pointed out by DarkReading contributing author Ericka Chickowski.
The obfuscation-as-a-service platform was demonstrated during the Botconf 2020 virtual conference. Its operators had built a fully automated service that protects mobile malware Android Package Kits (APKs) from AV detection. The service is sold either as a one-off payment or as a recurring monthly subscription, is offered in English and Russian, and had been operating for at least six months at the time of the report, possibly longer.
In May 2019, Akamai described the so-called cipher stunting evasion technique, which is based on SSL/TLS signature randomization. In short, cybercriminals randomize their SSL/TLS signatures in an attempt to evade detection.