Researchers from Elastic.co have uncovered a new evasion technique that malware can use to bypass security products by tampering with the image section of a PE file.
“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF),” the Elastic.co researchers stated.
Process Ghosting is a technique that makes it possible to run executable files that have already been deleted. This works because, although Windows prevents a mapped executable from being modified or deleted, that restriction only comes into effect after the executable has been mapped into an image section.
“Processes are launched from executables, but some of the data within the executable file is modified as it is mapped into a process. To account for these modifications, the Windows memory manager caches image sections at the time of their creation,” the blog post explains.
The researchers provided the following attack flow for Process Ghosting:
- Create a file
- Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
- Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
- Create an image section for the file.
- Close the delete-pending handle, deleting the file.
- Create a process using the image section.
- Assign process arguments and environment variables.
- Create a thread to execute in the process.
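The observable effect of the flow above is a running process whose backing executable is no longer on disk, which a mapped image normally cannot be. The following heuristic sweep for that condition is an added example for defenders, not Elastic's PoC or any code from the blog; it assumes it is run from an elevated PowerShell session and uses the path each process reports via WMI, so it is a triage aid to corroborate with image-load telemetry, not a definitive detection.

```powershell
# Added example (not Elastic's code): list running processes whose reported
# image path does not resolve to a file on disk. Because Windows normally
# blocks deletion of a mapped executable, a live process with a missing image
# is anomalous and worth triage. Processes whose path cannot be read (System,
# Idle, protected processes) are reported separately rather than counted as
# missing, so false positives stay visible instead of being hidden.
function Find-MissingImageProcesses {
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $path = $proc.ExecutablePath

        if ([string]::IsNullOrEmpty($path)) {
            [pscustomobject]@{
                PID    = $proc.ProcessId
                Name   = $proc.Name
                Path   = $null
                Status = 'PathUnavailable'
            }
            continue
        }

        # -LiteralPath avoids wildcard interpretation of odd characters in paths.
        $onDisk = Test-Path -LiteralPath $path -PathType Leaf

        [pscustomobject]@{
            PID    = $proc.ProcessId
            Name   = $proc.Name
            Path   = $path
            Status = if ($onDisk) { 'OnDisk' } else { 'MissingOnDisk' }
        }
    }
}

# Show only the anomalies; 'MissingOnDisk' entries are the ones to investigate first.
Find-MissingImageProcesses |
    Where-Object { $_.Status -ne 'OnDisk' } |
    Sort-Object Status, PID |
    Format-Table -AutoSize
```

Run it periodically or after an alert; a non-empty 'MissingOnDisk' set should be cross-checked against endpoint image-load events for the same PID, since the path a process reports is only as trustworthy as the process itself.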
The Elastic team responsibly reported this issue to Microsoft: “We filed a bug report with MSRC on 2021-05-06, including a draft of this blog post, a demonstration video, and source code for a PoC. They responded on 2021-05-10 indicating that this does not meet their bar for servicing, per https://aka.ms/windowscriteria,” the blog post reads.