
"In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind."

Everything looks OK to security products because the malicious process will look legitimate, and will be mapped correctly to an image file on disk, just like any legit process. There will be no "unmapped code," which is usually what security products look for.


Some more detail from Ensilo is needed. For starters, what is the file being overwritten? On Win 10, most system processes are pretty much locked down; even if running as a limited admin. On the other hand, there are system processes that can access files in the system directories. Defrag.exe is an example of one. And defrag is scheduled to run as hidden with highest privileges bypassing any UAC alerts.

It's a given fact that Windows system processes are increasingly being exploited by malware developers to carry out their attacks.


  • ESET Moderators

Hello guys,

Thank you for sharing this research. I posted our statement on this in the other thread: https://forum.eset.com/topic/14038-process-doppelgänging-new-malware-evasion-technique/?do=findComment&comment=70032

Regards, P.R.

