pallino

"Process Doppelgänging" Attack

22 hours ago, pallino said:

what do you think of the "Process Doppelgänging" Attack?

The kind of people making malware don't have the knowledge of the undocumented internal workings of Windows to be able to pull it off. At least not without someone making them a working example that they can repurpose (sort of like criminals repurposed the NSA's code for exploiting EternalBlue so that they could spread malware with it).

So far what I've seen is the presentation you linked to, where there are some very basic code examples that analysts and researchers would understand, but not enough that someone could make a working example without knowing what they are doing and putting some real effort into it.

22 hours ago, pallino said:

Does Emsisoft's behavior blocker protect from this or, if not,  will it soon?

I'm not aware of any working code examples that we could actually test this with. Our Behavior Blocker does have support for detecting and blocking fileless malware, however for pretty much everyone but the team who discovered and documented it this really only exists in theory (and will almost certainly stay that way).


More info should be available at

https://blog.ensilo.com/webinar-process-doppelganging-blocked-by-ensilo

Arthur, I think you are right, but I also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it.

I hope Emsi will be ready for this and that nobody will make malware writer's work easier by releasing a POC!

Can Emsi scan a file while it's in transaction?

Thank you

2 hours ago, pallino said:

... also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it.

That depends on how feasible such an attack is. Even someone who knows what they are doing is going to stick to things that are easier to pull off, simply because it means they can do it faster.


2 hours ago, pallino said:

Can Emsi scan a file while it's in transaction?

I assume you mean while it's in the process of being downloaded? If so, the answer is "no". The scanner can't make a determination as to what the file is until it has the entire file to scan.
