Security researchers at Elastic Security have described a Windows executable-image tampering technique, dubbed “Process Ghosting”, that lets an attacker run malicious code on a Windows system while evading endpoint security products.
According to Elastic Security researcher Gabriel Landau, the technique lets an attacker write malware to disk in a way that makes it difficult to scan or delete, and then execute the already deleted file as though it were a regular executable. No code injection, Process Hollowing or Transactional NTFS (TxF) is involved.
Process Ghosting belongs to the same family of endpoint-detection bypasses as Process Doppelgänging and Process Herpaderping: all three break the link between the executable a security product can inspect on disk and the image that actually runs, so anti-malware scans something other than the code that executes.
How the earlier techniques work
Process Doppelgänging, analogous to Process Hollowing, relies on Transactional NTFS (TxF): the payload is written into a transacted file, an image section is created from it, and the transaction is rolled back so the malicious content never persists on disk, while a process is created from the section that was mapped before the rollback. Process Herpaderping, documented in detail in October 2020, instead modifies the executable on disk after the image has been mapped into memory but before the process starts, so anything that inspects the file sees content that differs from the code actually running.
Herpaderping, and Ghosting after it, exploit a timing gap: endpoint products are notified of a new process only once its initial thread is created, which happens after the executable has already been mapped into memory. Until that point the attacker can modify, or in Ghosting's case delete, the file on disk, so that whatever the security product is eventually able to scan no longer matches what runs.
How does Process Ghosting remain undetected?
Process Ghosting goes beyond Doppelgänging and Herpaderping by running an executable that has already been deleted. It relies on a detail of Windows file handling: the operating system refuses to modify or delete a file only once that file has been mapped into an image section, but it does not stop an image section from being created from a file that is already marked delete-pending. An attacker can therefore create a file, mark it for deletion, write the payload, create an image section from it, close the handle (which deletes the file) and then create a process from the section, which outlives the file it came from.
In Elastic's proof-of-concept (PoC) demonstration, Windows Defender failed to open the malicious payload for scanning while it was in this delete-pending state, and then failed again because the file had already been deleted, allowing the process to run unimpeded.
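Because a ghosted process keeps reporting the path of a file that no longer exists, one cheap hunting check is to enumerate running processes whose image path cannot be opened. The following PowerShell is an added example written for this article, not Elastic's tooling or part of its PoC; the function name Get-ProcessWithMissingImage is my own, and the check assumes a live Windows host where the caller has query access to the processes of interest.

```powershell
# Added example (not Elastic's tooling): hunt for running processes whose
# backing executable no longer exists on disk. A process started from a
# delete-pending file keeps reporting its original image path, but that path
# can no longer be opened, which is the symptom described above.

function Get-ProcessWithMissingImage {
    [CmdletBinding()]
    param()

    # Get-Process returns $null for Path when the caller lacks access
    # (protected or higher-integrity processes). Those are skipped here and
    # should be rechecked from an elevated shell.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        ForEach-Object {
            $p = $_
            if (-not (Test-Path -LiteralPath $p.Path -PathType Leaf)) {
                # Parent PID comes from CIM; Get-Process does not expose it.
                $cim = Get-CimInstance -ClassName Win32_Process `
                           -Filter "ProcessId = $($p.Id)" -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    ProcessId = $p.Id
                    ParentId  = $cim.ParentProcessId
                    Name      = $p.ProcessName
                    Image     = $p.Path
                    StartTime = $p.StartTime
                }
            }
        }
}

# Usage: list candidates for follow-up (memory capture, parent process review).
Get-ProcessWithMissingImage | Format-Table -AutoSize
```

Treat hits as leads rather than verdicts: self-deleting installers, updaters that replaced their own binary and executables launched from removed media produce the same symptom. Any hit that also has no corresponding file-creation record in your EDR or Sysmon telemetry is the one to escalate.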
Elastic Security reported the technique to the Microsoft Security Response Center (MSRC) in May 2021. According to Elastic, Microsoft responded that the issue did “not meet their bar for servicing”, echoing its response when Process Herpaderping was responsibly reported to MSRC in July 2020.
Microsoft's mitigation
For its part, Microsoft released an updated Sysinternals Suite in January 2021 with a new version of System Monitor (Sysmon) that added detection of process-image tampering techniques such as Process Hollowing and Herpaderping.
Sysmon 13.00 and later log “Event ID 25” (ProcessTampering) when a process's image is altered in this way. The event is raised “when a mapped image of a process does not match an image on disk, or when a locked image file is used”, which catches the in-memory mismatch produced by Hollowing and the locked-file condition produced by Herpaderping.
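To make that event actually appear in your logs, ProcessTampering has to be enabled in the Sysmon configuration and the resulting events collected. The following is an added example for this article, not Microsoft's or Elastic's code: a minimal Sysmon 13 configuration that logs every ProcessTampering event, installed or applied with Sysmon64.exe, and a PowerShell query that pulls Event ID 25 from the Sysmon operational log. It assumes an elevated shell with Sysmon64.exe in the current directory; the config path and the 24-hour window are my own choices.

```powershell
# Added example (not Microsoft's or Elastic's code): enable Sysmon
# ProcessTampering logging and query Event ID 25 from the Sysmon log.

# 1. Minimal Sysmon configuration. Schema 4.50 is the version shipped with
#    Sysmon 13. ProcessTampering with onmatch="exclude" and an empty body
#    means "log everything"; add known-good images here once tuned.
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ProcessTampering" groupRelation="or">
      <ProcessTampering onmatch="exclude">
        <!-- Empty exclude list: every tampering event is logged. -->
      </ProcessTampering>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:TEMP 'sysmon-tampering.xml'   # assumed location
Set-Content -Path $configPath -Value $sysmonConfig -Encoding UTF8

# 2. Install Sysmon with the config (-i) or reconfigure a running instance (-c).
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c $configPath
} else {
    & .\Sysmon64.exe -accepteula -i $configPath
}

# 3. Pull ProcessTampering events from the last 24 hours and surface the
#    fields a responder needs: image path, tampering type, PID and user.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 25
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_
        # Read named fields from the event XML; positional Properties are
        # not stable across Sysmon versions.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $data['ProcessId']
            Image     = $data['Image']
            # Type is "Image is replaced" or "Image is locked for access"
            Type      = $data['Type']
            User      = $data['User']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Event ID 25 covers the two conditions quoted above (a mapped image that differs from the on-disk file, or a locked image file). Whether a particular Ghosting-style sample trips it is something to validate against your own test binaries before relying on this event alone; forward it to your SIEM alongside process-creation (Event ID 1) and file-delete (Event ID 23 and 26) telemetry so the deleted-file case can be correlated.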