Home News Process Ghosting: A New Executable Image Tampering Technique in the Wild

Process Ghosting: A New Executable Image Tampering Technique in the Wild

Elastic Security researchers uncovered a new executable image tampering attack, dubbed Process Ghosting, which allows an attacker to stealthily deploy malicious code on a Windows system.

Malware and Vulnerability Trends Report, Mobile malware threats

In addition to advancing hacking strategies, cybercriminals often try different tactics to evade security detections. In one such tactic discovered recently, security researchers from Elastic Security disclosed that a new image tampering attack, dubbed Process Ghosting, is being used by remote hackers to deploy malware stealthily on a targeted Windows system.

Researchers say Process Ghosting is a new kind of executable image altering technique with some similarities of endpoint methods like Doppelgänging and Herpaderping. Process Ghosting leverages veiled malicious codes to escape anti-malware defenses and detection.

“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF),” Elastic Security said. “A gap between when a process is created and when security products are notified of its creation, giving malware developers a window to tamper with the executable before security products can scan it.”

Process Ghosting Attack Flow

  1. Create a file.
  2. Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
  3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
  4. Create an image section for the file.
  5. Close the delete-pending handle, deleting the file.
  6. Create a process using the image section.
  7. Assign process arguments and environment variables.
  8. Create a thread to execute in the process.

In a proof-of-concept (PoC) demo video, the researchers detailed how Windows Defender initially tried to open the payload executable to scan it but kept failing because the file was in the delete-pending state. Later attempts to open it also failed because the file had already been deleted. The payload (ghost.exe) was executed without issue.

“We detected a variety of process image tampering techniques including Doppelgänging, Herpaderping, and Ghosting. It does this by checking the FILE_OBJECT for abnormalities during the process creation callback. These are reported in process creation events under process.Ext.defense_evasions,” Elastic Security added.