
The objective of anyone creating malware is to hide it from even the best antivirus software. The hacking community and the criminal elements who offer them technical support also continue to come up with newer ways to break into computer networks and systems to cause havoc.
The detection of the banking Trojan Osiris using a customized version of a technique called Process Doppelgänging has surprised many cybersecurity experts.
The technique is not Process Doppelgänging alone; it is deployed in combination with Process Hollowing, another hacking technique.
Using NTDLL to Inject the Dropper
Microsoft’s NTDLL file is considered to be vulnerable by many, though the latest updates can take care of the weakness.
The hackers still make use of this file to load additional NTDLL files and hide the Process Doppelgänging technique that is in reality deployed to inject the Osiris dropper.
This is the very reason they succeed in this technique and manage to evade the best of antivirus programs out there. And here’s where the ingenuity of the malware authors has been noticed.
In the normal course, it is not feasible to load additional NTDLL files, since that is how the API is programmed by Microsoft.
But these hackers have overcome this by loading the malicious file as a section or a part of the original NTDLL files.
For this, the following native API functions are called:
- NtCreateFile – to open the file
- NtCreateSection – to create a section from it
- ZwMapViewOfSection – to map this section into the process address space
This technique helps hackers evade the security software present on the system.
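A defender can hunt for the side effect of this trick: more than one view of ntdll.dll inside a single process. The Python sketch below is an added example, not code from the original article or from the researchers it cites; the region-record format, process names and sample data are constructed, and the "Image"/"Mapped" labels are assumed to come from whatever memory-map export is available. It groups by full path so that a 32-bit process on 64-bit Windows, which normally holds both the System32 and SysWOW64 copies, is not flagged.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any host OS

# Constructed sample records in a hypothetical export format:
# (pid, process name, base address, region type, backing file)
SYS32 = r"C:\Windows\System32\ntdll.dll"
WOW64 = r"C:\Windows\SysWOW64\ntdll.dll"
SAMPLE_REGIONS = [
    (4120, "proc_a.exe", 0x7FFB1C2A0000, "Image", SYS32),
    (4120, "proc_a.exe", 0x7FFB1A110000, "Image", r"C:\Windows\System32\kernel32.dll"),
    (6532, "proc_b.exe", 0x7FFB1C2A0000, "Image", SYS32),
    (6532, "proc_b.exe", 0x1D0A000, "Mapped", SYS32),      # extra view of ntdll
    (7001, "proc_c.exe", 0x77A00000, "Image", WOW64),      # WOW64 process: two
    (7001, "proc_c.exe", 0x7FFB1C2A0000, "Image", SYS32),  # copies are expected
    (8200, "proc_d.exe", 0x7FFB1C2A0000, "Image", SYS32),
    (8200, "proc_d.exe", 0x2A0000000, "Image", SYS32),     # same file imaged twice
]

def find_extra_ntdll_mappings(regions):
    """Return {pid: [reason, ...]} for processes with an unexpected ntdll view."""
    by_proc = defaultdict(lambda: defaultdict(list))
    for pid, _name, base, rtype, path in regions:
        if basename(path).lower() == "ntdll.dll":
            by_proc[pid][path.lower()].append((base, rtype))
    findings = {}
    for pid, paths in by_proc.items():
        reasons = []
        for path, views in paths.items():
            # Assumption: the loader maps each ntdll path once, as an image.
            for base, rtype in views:
                if rtype != "Image":
                    reasons.append(f"{path} mapped as {rtype} at {base:#x}")
            images = [base for base, rtype in views if rtype == "Image"]
            if len(images) > 1:
                reasons.append(f"{path} mapped as Image {len(images)} times")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in find_extra_ntdll_mappings(SAMPLE_REGIONS).items():
        print(pid, reasons)
```

Other software can also map ntdll.dll as a plain file, so a hit is a lead for triage rather than a verdict.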
The Merger of Two Processes and Osiris Dropper
As mentioned, the new Osiris dropper has been made with a clever merger of two processes: Process Doppelgänging and Process Hollowing.
At first look, the curious observer might think that the technique is Process Doppelgänging only. It is only on spending a little more time closely examining the technique that one will realize that some changes have been brought about and the signs of Process Hollowing start to come through.
In Process Doppelgänging, the NTFS Transaction route is adopted for the payload: the malicious file is injected and then processed by the attacker.
In Process Hollowing, on the other hand, a kind of impersonation takes place: the injected payload is treated by the security protocol as a legitimate file and allowed to run, though in reality it is a malicious file.
In the merged Osiris dropper, the NTFS Transaction of Process Doppelgänging and the impersonation of Process Hollowing have in a way been combined to carry out the attack.
There is partial presence of elements or features of both the processes, in terms of the section within the NTDLL files and the process as described above which looks legitimate to the AV monitoring tool.
The deception is complete, with some thinking that it is Process Hollowing and others believing it looks more like Process Doppelgänging.
The reality is that it is neither, but it is very effective at what those who wrote the code intended it to do.
In a descriptive blog post, the Malwarebytes Labs research team that worked on unravelling these mysterious ways of mounting malware attacks noted the creativity of the authors of the new Osiris dropper program. Being a banking Trojan, it can penetrate large banking organizations and execute commands that could result in huge losses for the organization attacked.
The Payload Is Injected in Stages

Cybersecurity researchers claim that the way this technique has been developed and deployed shows that the attacker deliberately did it to deflect the attention of someone looking at the activities closely.
Some connect it to the previous avatar of Process Doppelgänging, which was known as the Kronos banking Trojan.
And the two-stage injection of the payload definitely baffles even the experts in this field. There appears to be a certain precision or perfection about this new tool used by the hackers.
Have an Expert Take a Look at Your System
If you suspect your computers have any chance of being subjected to the attacks as described here, you must call in a cybersecurity expert to come and take a close look at your systems and perform a thorough check to see if any form of malware may have sneaked in using such rare but very risky techniques.
This race is never-ending, as is the cat-and-mouse game between those who develop malicious files that could be injected into vulnerable networks and those involved in protecting those very systems.
The real trouble exists elsewhere, at the end of the millions of users who go about their work on computer terminals, oblivious of the fact that they could have left doors open inadvertently and could be victims of attacks.
The cybersecurity industry is ceaselessly engaged in developing the remedies to such malware floating around and the new ones that keep coming out.
They are trying to educate the key personnel in large organizations on the potential risks the malware programs carry and appeal to them to keep their ears and eyes open and their computers totally secured.
It is a very difficult job to keep pace with the criminals or to anticipate what they would be up to next. Some minimum steps are taken to protect the computers from malware attacks.
But they may not be adequate; the moment you link your system to a network, whether inside an organization or through the internet to a much larger network, the vulnerability starts.
And unless you have a strong firewall erected and it is fully updated, it will be almost impossible to keep these mischief mongers at bay.
The expenses incurred in investing in the best anti-malware programs will be a fraction of the losses inflicted through an undesirable cyberattack.
Guard yourself from any such eventuality and stay well protected with antivirus software.