Cyber Attacks 101: Process Doppelgänger, The Not-So-Friendly Ghost

Defending against cyber attacks requires understanding the people and groups that carry them out – the more we know about who they are, how they operate, and what they’re capable of, the better equipped we will be to stop them in their tracks.


Cyber criminals see it the same way – they’re always seeking intelligence about what we know about them, paying attention to our public collaborative efforts, and using the cyber security industry’s collective knowledge base as a starting point for their attack strategy.


We just saw this happen with the SynAck ransomware attack.


Understanding Process Doppelganging:


At Black Hat 2017, security researchers presented a novel technique for cyber attacks to evade detection: process doppelganging. They showed that attackers could completely deceive anti-malware software by injecting their malware code into a legitimate system process, so that it passes as a normal, innocuous part of the system and avoids anti-malware defenses.


The infected machine now has a “doppelganger” in its system – a process that looks completely legitimate but evades detection until the malware decides to strike.
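The tell a behavioral monitor can use against a doppelganger is that the process reports a legitimate image path while the code actually mapped into memory was never the file at that path. The script below is an added example (not Check Point's or SandBlast's code) that flags process-creation telemetry whose loaded-image hash disagrees with the on-disk file at the reported path, or whose path has no backing file at all. The JSON records, their field names (`image`, `loaded_sha256`, `disk_sha256`, `on_disk`) and the hash values are all constructed for the example; they are not real product output.

```python
"""Flag process starts whose running image cannot be accounted for by the file on disk.

Added example, not code from the original post. Telemetry layout is assumed:
one JSON object per process start, with the hash of the image as mapped into
the new process and the hash of whatever currently sits at the reported path.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed telemetry (assumed field names, placeholder hashes):
#  - 4120: image on disk matches what is running (benign)
#  - 4188: legitimate path, but the mapped code is not the file at that path
#  - 4201: reported path has no backing file at all
SAMPLE_EVENTS = [
    r'{"pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe", "loaded_sha256": "aa11", "disk_sha256": "aa11", "on_disk": true}',
    r'{"pid": 4188, "image": "C:\\Windows\\System32\\notepad.exe", "loaded_sha256": "deadbeef", "disk_sha256": "bb22", "on_disk": true}',
    r'{"pid": 4201, "image": "C:\\Users\\Public\\updater.exe", "loaded_sha256": "cc33", "disk_sha256": null, "on_disk": false}',
]


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the image in memory and the file on disk disagree."""
    if not event.get("on_disk"):
        # A running process whose image path no longer exists on disk is the
        # classic footprint of a file that was mapped and then removed.
        return Finding(event["pid"], event["image"], "image path has no backing file on disk")
    if event.get("loaded_sha256") != event.get("disk_sha256"):
        # The path is legitimate, but the bytes that were mapped are not the
        # bytes sitting at that path: the process is impersonating the image.
        return Finding(event["pid"], event["image"], "loaded image hash differs from on-disk file hash")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run check_event over raw telemetry lines, skipping malformed records."""
    findings: List[Finding] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped rather than trusted
        finding = check_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image}: {f.reason}")
```

Both findings rest on the same principle: trust what was actually mapped into the process, not the path it claims, and compare the two. A monitor that only hashes the file at the reported path, as a signature scanner does, sees the clean copy and misses the doppelganger.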


SynAck Ransomware strikes:


It turns out that cyber criminals were, in fact, paying attention to the Black Hat presentation. Several researchers from Kaspersky published some analyses earlier this month, showing a sample of a new variant of the SynAck ransomware that uses process doppelganging to evade cyber security defenses.


The SynAck ransomware had been in the wild for several months before the Black Hat presentation, and this new variant has the same result for the victim: files get encrypted unless the victim pays $3,000. But with process doppelganging, the variant is much harder to detect.


Enter SandBlast:


It’s easy to protect against known attacks.


But when SynAck appeared in the wild, it represented a new exploitation technique that, at the time, was highly evasive.


Check Point’s SandBlast Agent was able to serve as a last layer of defense via behavioral analysis, protecting users against unknown, highly evasive threats such as SynAck.


By monitoring all system behavior, SandBlast builds a forensic tree and distinguishes legitimate processes from malicious ones. SandBlast zeroes in on the evasive behaviors as they’re happening, acting quickly to stop SynAck (and similarly sneaky attacks) right in their tracks.


Ensuring protection under all circumstances – known and unknown threats – demands this type of approach.


Main Takeaways:


In this fifth generation of cyber attacks, we’ll see plenty more advanced tools and exploits – from leaked state-sponsored tools powering attacks like WannaCry to threat actors listening closely to security conferences for inspiration, cyber attackers are innovating their techniques in a battle of wits with the security industry.


As SandBlast Agent slices through evasive maneuvers (like process doppelganging), Check Point Infinity serves the necessary role of preventing threats before they happen. A multi-layered cybersecurity strategy designed to handle the full array of cyber attacks needs a last layer of defense like SandBlast and an advanced, unified threat prevention system like Check Point Infinity.


Understanding cyber attacks is the first step toward stopping them. Stay updated on the latest happenings in the cyber threat landscape by checking out our research blog and following us on Twitter, Facebook, and LinkedIn.