Security researchers have discovered that the Osiris banking trojan has started using the Process Doppelgänging technique to evade detection by monitoring applications.
According to a blog post by researchers at Malwarebytes, a dropper of the trojan creates a new process and injects its content into it. When the researchers looked at the modules loaded in the process space of the injector, they saw an additional copy of NTDLL.
"When we examine closely what the functions are called from that additional NTDLL, we find more interesting details. It calls several APIs related to NTFS transactions. It was easy to guess that the technique of Process Doppelgänging, which relies on this mechanism, was applied here," said researchers.
They added that, to make the injection stealthier, the authors took the original implementation of Process Doppelgänging a step further and used only low-level APIs.
"So, instead of calling the convenient wrappers from Kernel32, for most of the functions they called their equivalents from NTDLL. Moreover, they used the aforementioned custom copy of this DLL," researchers said.
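The extra copy of NTDLL described above is itself a detection artefact. The following added example (not code from the Malwarebytes write-up) walks a per-process module listing and flags processes that carry more than one ntdll.dll or an ntdll.dll mapped from outside the system directories; the module list and the paths are constructed sample data, and the system-directory check assumes a C: system drive.

```python
from dataclasses import dataclass
from typing import Dict, List

# Legitimate on-disk locations of NTDLL (assumes the system drive is C:).
SYSTEM_NTDLL_PATHS = (
    r"c:\windows\system32\ntdll.dll",
    r"c:\windows\syswow64\ntdll.dll",
)


@dataclass
class Module:
    name: str  # base name as reported by the module list
    path: str  # full path, or "" when the mapping has no backing file


def ntdll_anomalies(pid: int, modules: List[Module]) -> List[str]:
    """Return findings for one process: duplicate or non-system NTDLL copies."""
    findings = []
    ntdlls = [m for m in modules if m.name.lower() == "ntdll.dll"]
    if len(ntdlls) > 1:
        findings.append(f"pid {pid}: {len(ntdlls)} copies of ntdll.dll loaded")
    for m in ntdlls:
        if m.path.lower() not in SYSTEM_NTDLL_PATHS:
            where = m.path or "<no backing file>"
            findings.append(f"pid {pid}: ntdll.dll mapped from {where}")
    return findings


def scan(processes: Dict[int, List[Module]]) -> List[str]:
    """Run the check over every process in a {pid: modules} listing."""
    return [f for pid, mods in processes.items() for f in ntdll_anomalies(pid, mods)]


# Constructed sample listing: one clean process, one carrying a second
# ntdll.dll mapped from a user-writable temp directory.
SAMPLE_LISTING = {
    1234: [
        Module("ntdll.dll", r"C:\Windows\System32\ntdll.dll"),
        Module("kernel32.dll", r"C:\Windows\System32\kernel32.dll"),
    ],
    5678: [
        Module("ntdll.dll", r"C:\Windows\System32\ntdll.dll"),
        Module("ntdll.dll", r"C:\Users\user\AppData\Local\Temp\ntdll.dll"),
        Module("kernel32.dll", r"C:\Windows\System32\kernel32.dll"),
    ],
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_LISTING):
        print(finding)
```

On a live system the listing would come from a memory-forensics or EDR module enumeration; a manually mapped copy that is not linked into the loader lists would need a memory-region scan rather than a module walk.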
The researchers observed that the malware authors first create a new suspended process; this is the process into which the payload will be injected. Process Doppelgänging then begins by creating a new transaction, within which a new file is created. The original implementation used CreateTransaction and CreateFileTransacted from Kernel32 for this purpose.
Researchers said that a buffer would then be written containing the new PE file: the second stage payload. "Typically, for the Process Doppelgänging technique, the file is visible only within the transaction and cannot be opened by other processes, such as AV scanners," said researchers.
Next, the code of the Osiris core is unpacked piece by piece and manually loaded, along with its dependencies, into a newly allocated memory area within the loader process. After this self-injection, the loader jumps to the payload's entry point.
"The interesting thing is that the entry point of the application is different than the entry point saved in the header. So, if we dump the payload and try to run it independently, we will not get the same code executed. This is an interesting technique used to misguide researchers," said researchers.
They added that the implementation of Process Doppelgänging used in the first-stage loader is "clean and professional".
"The author used a relatively new technique and made the best out of it by composing it with other known tricks. The precision used here reminds us of the code used in the original Kronos," said researchers.
"However, we can’t be sure if the first layer is written by the same author as the core bot. Malware distributors often use third-party crypters to pack their malware. The second stage is more tightly coupled with the payload, and here we can say with more confidence that this layer was prepared along with the core."