Beyond refining their intrusion techniques, cybercriminals also keep trying new ways to evade security detections. In one recently disclosed example, researchers from Elastic Security described a new executable-image tampering attack, dubbed Process Ghosting, that is being used by remote attackers to deploy malware stealthily on a targeted Windows system.
Researchers say Process Ghosting is a new executable-image tampering technique with similarities to earlier endpoint evasion methods such as Process Doppelgänging and Process Herpaderping. It hides the malicious payload from anti-malware scanning and detection.
“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF),” Elastic Security said. “A gap between when a process is created and when security products are notified of its creation, giving malware developers a window to tamper with the executable before security products can scan it.”
Process Ghosting Attack Flow
- Create a file.
- Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
- Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
- Create an image section for the file.
- Close the delete-pending handle, deleting the file.
- Create a process using the image section.
- Assign process arguments and environment variables.
- Create a thread to execute in the process.
In a proof-of-concept (PoC) demo video, the researchers detailed how Windows Defender initially tried to open the payload executable to scan it but kept failing because the file was in the delete-pending state. Later attempts to open it also failed because the file had already been deleted. The payload (ghost.exe) was executed without issue.
“We detected a variety of process image tampering techniques including Doppelgänging, Herpaderping, and Ghosting. It does this by checking the FILE_OBJECT for abnormalities during the process creation callback. These are reported in process creation events under process.Ext.defense_evasions,” Elastic Security added.
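The detection angle described above can be illustrated on the telemetry side. The following is an added example written for this article, not Elastic's own detection code: it reads constructed process-creation events (JSON lines) and flags a process either when the sensor field process.Ext.defense_evasions (the field name is from the article; the value strings are assumed) lists an image-tampering technique, or when the process's image path cannot be found on disk at creation time, which is exactly the state a ghosted payload leaves behind. The "on disk" set stands in for a real filesystem lookup so the example runs offline.

```python
import json
from typing import Dict, Iterable, List, Set

# Image-tampering indicators the detector reacts to. The field name
# process.Ext.defense_evasions comes from the article; these value strings
# are constructed for this example and are an assumption, not Elastic's exact values.
TAMPERING_INDICATORS = {"Process Ghosting", "Process Doppelganging", "Process Herpaderping"}

# Constructed stand-in for a filesystem check: executables "present on disk".
ON_DISK: Set[str] = {
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\AppData\Local\Temp\updater.exe",
}

# Constructed sample process-creation events, one JSON object per line.
# The layout is modelled loosely on an ECS-style document; this is not real telemetry.
SAMPLE_EVENTS = r"""
{"process": {"pid": 4120, "executable": "C:\\Windows\\System32\\notepad.exe", "Ext": {"defense_evasions": []}}}
{"process": {"pid": 5532, "executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\ghost.exe", "Ext": {"defense_evasions": ["Process Ghosting"]}}}
{"process": {"pid": 6008, "executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"}}
{"process": {"pid": 6100, "executable": "C:\\ProgramData\\gone.exe"}}
"""


def image_missing_on_disk(executable: str, present: Set[str] = ON_DISK) -> bool:
    """True when the image path backing a new process cannot be found.

    A ghosted process runs from an image section whose file was deleted
    before the process started, so its executable path no longer exists.
    """
    return executable not in present


def classify_event(event: dict, present: Set[str] = ON_DISK) -> List[str]:
    """Return the reasons (possibly none) this process-creation event looks tampered."""
    reasons: List[str] = []
    proc = event.get("process", {})

    # 1. Sensor-reported tampering, as Elastic exposes it in process creation events.
    for evasion in proc.get("Ext", {}).get("defense_evasions", []):
        if evasion in TAMPERING_INDICATORS:
            reasons.append(f"sensor flagged {evasion}")

    # 2. Independent heuristic: the image that was just started is not on disk.
    executable = proc.get("executable", "")
    if executable and image_missing_on_disk(executable, present):
        reasons.append("image path not found on disk at process start")

    return reasons


def scan_events(lines: Iterable[str], present: Set[str] = ON_DISK) -> Dict[int, List[str]]:
    """Scan JSON-lines process events; map suspicious PIDs to their reasons."""
    findings: Dict[int, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify_event(event, present)
        if reasons:
            findings[event["process"]["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS.splitlines()).items():
        print(pid, "->", "; ".join(reasons))
```

In the constructed data only the ghost.exe event (pid 5532) trips both signals, while gone.exe (pid 6100) trips only the missing-image heuristic. That second signal also fires on benign cases such as installers and updaters that delete their own binary shortly after launch, so treat it as a triage signal to correlate with the sensor's own FILE_OBJECT-based verdict rather than as a verdict on its own.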