"Process Doppelgänging" Attack


pallino
22 hours ago, pallino said:

what do you think of the "Process Doppelgänging" Attack?

The kind of people making malware don't have the knowledge of the undocumented internal workings of Windows to be able to pull it off. At least not without someone making them a working example that they can repurpose (sort of like criminals repurposed the NSA's code for exploiting EternalBlue so that they could spread malware with it).

So far what I've seen is the presentation you linked to, where there are some very basic code examples that analysts and researchers would understand, but not enough that someone could make a working example without knowing what they are doing and putting some real effort into it.

 

22 hours ago, pallino said:

Does Emsisoft's behavior blocker protect from this or, if not, will it soon?

I'm not aware of any working code examples that we could actually test this with. Our Behavior Blocker does have support for detecting and blocking fileless malware, however for pretty much everyone but the team who discovered and documented it this really only exists in theory (and will almost certainly stay that way).


More info should be available at

https://blog.ensilo.com/webinar-process-doppelganging-blocked-by-ensilo

Arthur, I think you are right, but I also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it.

I hope Emsi will be ready for this and that nobody will make malware writers' work easier by releasing a POC!

Can Emsi scan a file while it's in transaction?

Thank you


2 hours ago, pallino said:

... I also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it.

That depends on how feasible such an attack is. Even someone who knows what they are doing is going to stick to things that are easier to pull off, simply because it means they can do it faster.

 

2 hours ago, pallino said:

Can Emsi scan a file while it's in transaction?

I assume you mean while it's in the process of being downloaded? If so, the answer is "no". The scanner can't make a determination as to what the file is until it has the entire file to scan.
