‘Doppelgänging’ attack hides malware from security tools


Endpoint protection company enSilo has used this week’s Black Hat Europe conference in London to reveal how Microsoft Windows features can be used to slip malicious ransomware and other threats past most updated, market-leading AV products.

enSilo researchers demonstrated how, by manipulating how Windows handles file transactions, they could pass off malicious actions as benign, legitimate processes, even if they use known malicious code.

In addition to blinding Windows’ embedded defense mechanisms and third-party AV and next generation AV security products to incoming threats, Process Doppelgänging gives attackers the further advantage of leaving no traceable evidence behind — making this type of intrusion extremely difficult to detect after the fact even with the latest forensic techniques.

“The ‘Process Doppelgänging’ attack method we discovered leverages several complex mechanisms in Windows operating systems and intimate knowledge of the inner-workings of AVs’ file scanning engines. Putting all this together allows masquerading a malicious executable as legitimate, bypassing all tested security products,” says enSilo researcher Tal Liberman.

“This is another example of how a few subtle manipulations of code, based on deep insight into the operating system internals, are all that is required to upend many layered detection and traditional prevention defenses,” fellow researcher Eugene Kogan adds. “Our research shows that even the latest protections can be negated by an attacker’s creative bid to skip a malicious file payload altogether and infiltrate dangerous content through Windows’ intricacies.”

A full copy of the research is available from the enSilo website where you can also register for a free webinar that will look at the threat and how to defend against it.