{"id":13061,"date":"2018-08-09T12:10:03","date_gmt":"2018-08-09T20:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/08\/09\/news-6828\/"},"modified":"2018-08-09T12:10:03","modified_gmt":"2018-08-09T20:10:03","slug":"news-6828","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/09\/news-6828\/","title":{"rendered":"Osiris dropper found using process doppelg\u00e4nging"},"content":{"rendered":"<p><strong>Credit to Author: hasherezade | Date: Thu, 09 Aug 2018 18:52:57 +0000<\/strong><\/p>\n<p><a href=\"https:\/\/hshrzd.wordpress.com\/2017\/12\/18\/process-doppelganging-a-new-way-to-impersonate-a-process\/\" target=\"_blank\" rel=\"noopener\">Process Doppelg\u00e4nging<\/a>, a new technique of impersonating a process, was published last year at the <a href=\"https:\/\/www.youtube.com\/watch?v=Cch8dvp836w\" data-rel=\"lightbox-video-0\" target=\"_blank\" rel=\"noopener\">Black Hat conference<\/a>. After some time, a ransomware named\u00a0<a href=\"https:\/\/securelist.com\/synack-targeted-ransomware-uses-the-doppelganging-technique\/85431\/\" target=\"_blank\" rel=\"noopener\">SynAck was discovered<\/a>\u00a0that adopted it for malicious purposes. However, this technique is still pretty rare in the wild. So, it was an interesting surprise to notice it in a dropper of the Osiris banking Trojan (a new version of the infamous Kronos).<\/p>\n<p>The authors of this dropper were skilled, and they added several other tricks to spice the whole thing up. 
In this post, we will have a closer look at the loader&#8217;s implementation.<\/p>\n<h3>Analyzed sample<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0\/details\" target=\"_blank\" rel=\"noopener\">5e6764534b3a1e4d3abacc4810b6985d<\/a> &#8211; original sample (stage 1)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/40288538ec1b749734cb58f95649bd37509281270225a87597925f606c013f3a\/details\" target=\"_blank\" rel=\"noopener\">8d58c731f61afe74e9f450cc1c7987be<\/a> &#8211; stage 2\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/d98a9c5b4b655c6d888ab4cf82db276d9132b09934a58491c642edf1662e831e\/details\" target=\"_blank\" rel=\"noopener\">e8c39091cce419adee23153f30cefa5a<\/a>\u00a0&#8211; Osiris core bot<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Osiris is loaded in three steps:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25065\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/steps-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/steps.png\" data-orig-size=\"501,89\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"steps\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/steps-300x53.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/steps.png\" class=\"alignnone size-full wp-image-25065\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/steps.png\" alt=\"\" width=\"501\" height=\"89\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/steps.png 501w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/steps-300x53.png 300w\" sizes=\"auto, (max-width: 501px) 100vw, 501px\" \/><\/p>\n<h3>Overview<\/h3>\n<p>The dropper creates a new process and injects the content inside:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25018\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/osiris_inject\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_inject.png\" data-orig-size=\"489,39\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"osiris_inject\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_inject-300x24.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_inject.png\" class=\"alignnone size-full wp-image-25018\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_inject.png\" alt=\"\" width=\"489\" height=\"39\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_inject.png 489w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_inject-300x24.png 300w\" sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/p>\n<p>Interestingly, when we look into the modules loaded in the process 
space of the injector, we can see an additional copy of NTDLL:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25054\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/added_ntdll-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1.png\" data-orig-size=\"612,207\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"added_ntdll\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1-300x101.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1-600x203.png\" class=\"alignnone size-full wp-image-25054\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1.png\" alt=\"\" width=\"612\" height=\"207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1.png 612w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1-300x101.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/added_ntdll-1-600x203.png 600w\" sizes=\"auto, (max-width: 612px) 100vw, 612px\" \/><\/p>\n<p>This is a well-known technique that some malware authors use in order to evade monitoring applications and hide the API calls that they use.<\/p>\n<p>When we examine closely which functions are called from that additional NTDLL, we find more interesting details. It calls several APIs related to NTFS transactions. 
It was easy to guess that the technique of Process Doppelg\u00e4nging, which relies on this mechanism, was applied here.<\/p>\n<h3>Loading additional NTDLL<\/h3>\n<p>NTDLL is a special, low-level DLL. Basically, it is just a wrapper around <a href=\"https:\/\/en.wikipedia.org\/wiki\/System_call\" target=\"_blank\" rel=\"noopener\">syscalls<\/a>. It does not have any dependencies on other DLLs in the system. Thanks to this, it can be loaded conveniently, without the need to fill its import table.<\/p>\n<p>Other system DLLs, such as Kernel32, rely heavily on functions exported from NTDLL. This is why many user-land monitoring tools hook and intercept the functions exported by NTDLL: to watch which functions are being called and check whether the process displays any suspicious activity.<\/p>\n<p>Of course, malware authors know about this, so sometimes, in order to fool this mechanism, they load their own, fresh and unhooked copy of NTDLL from the disk. There are several ways to implement this. Let&#8217;s have a look at how the authors of the Osiris dropper did it.<\/p>\n<p>Looking at the memory mapping, we see that the NTDLL is loaded as an image, just like other DLLs. However, it was not loaded by a typical <code>LoadLibrary<\/code> function, nor even by its low-level version from NTDLL, <code>LdrLoadDll<\/code>. 
Instead, the authors decided to load the file as a section, using the following functions:<\/p>\n<ul>\n<li><code>ntdll.NtCreateFile<\/code> &#8211; to open the ntdll.dll file<\/li>\n<li><code>ntdll.NtCreateSection<\/code> &#8211; to create a section out of this file<\/li>\n<li><code>ntdll.ZwMapViewOfSection<\/code> &#8211; to map this section into the process address space<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25055\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/create_and_map\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_and_map.png\" data-orig-size=\"480,196\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"create_and_map\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_and_map-300x123.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_and_map.png\" class=\"alignnone size-full wp-image-25055\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_and_map.png\" alt=\"\" width=\"480\" height=\"196\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_and_map.png 480w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_and_map-300x123.png 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/p>\n<p>This was a smart move because the DLL looks like it was loaded in a typical way, and yet, if we monitor the 
<code>LdrLoadDll<\/code> function, we see nothing suspicious.<\/p>\n<h3>Implementation of Process Doppelg\u00e4nging<\/h3>\n<p>In order to make their injection more stealthy, the authors took the original implementation of Process Doppelg\u00e4nging a step further and used only low-level APIs. So, instead of calling the convenient wrappers from Kernel32, for most of the functions they called their equivalents from NTDLL. Moreover, they used the aforementioned custom copy of this DLL.<\/p>\n<p>First, they created a new suspended process. This is the process into which the payload will be injected. In this particular case, the function was called from kernel32.dll: <code>CreateProcessInternal<\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25056\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/create_process_internal\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_process_internal.png\" data-orig-size=\"547,206\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"create_process_internal\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_process_internal-300x113.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_process_internal.png\" class=\"alignnone size-full wp-image-25056\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_process_internal.png\" alt=\"\" width=\"547\" 
height=\"206\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_process_internal.png 547w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_process_internal-300x113.png 300w\" sizes=\"auto, (max-width: 547px) 100vw, 547px\" \/><\/p>\n<p>Process Doppelg\u00e4nging then starts by creating a new transaction, within which a new file is created. The original implementation used <code>CreateTransaction<\/code> and <code>CreateFileTransacted<\/code> from Kernel32 for this purpose. But this is not the case here.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25021\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/set_current_transaction\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction.png\" data-orig-size=\"692,97\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"set_current_transaction\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction-300x42.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction-600x84.png\" class=\"alignnone size-full wp-image-25021\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction.png\" alt=\"\" width=\"692\" height=\"97\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction.png 692w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction-300x42.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/set_current_transaction-600x84.png 600w\" sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/p>\n<p>First, the function <code>ZwCreateTransaction<\/code> from NTDLL is called. Then, instead of <code>CreateFileTransacted<\/code>, the authors <a href=\"http:\/\/microsoft.public.win32.programmer.kernel.narkive.com\/MH2k9XfA\/ntfs-transaction-using-native-functions-in-user-mode\" target=\"_blank\" rel=\"noopener\">open the transacted file<\/a> by <code>RtlSetCurrentTransaction<\/code> along with <code>ZwCreateFile<\/code> (the created file is %TEMP%\\Liebert.bmp). Then, the dropper writes the content of the new executable, the second stage of the malware, to the file. Likewise, <code>RtlSetCurrentTransaction<\/code> with <code>ZwWriteFile<\/code> is used.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25057\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/write_file-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/write_file-1.png\" data-orig-size=\"495,296\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"write_file\" data-image-description=\"\" 
data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/write_file-1-300x179.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/write_file-1.png\" class=\"alignnone size-full wp-image-25057\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/write_file-1.png\" alt=\"\" width=\"495\" height=\"296\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/write_file-1.png 495w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/write_file-1-300x179.png 300w\" sizes=\"auto, (max-width: 495px) 100vw, 495px\" \/><\/p>\n<p>We can see that the buffer that is being written contains the new PE file: the second stage payload. Typically, for the Process Doppelg\u00e4nging technique, the file is visible only within the transaction and cannot be opened by other processes, such as AV scanners.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25022\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/create_section\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section.png\" data-orig-size=\"637,114\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"create_section\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section-300x54.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section-600x107.png\" class=\"alignnone 
size-full wp-image-25022\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section.png\" alt=\"\" width=\"637\" height=\"114\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section.png 637w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section-300x54.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section-600x107.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/create_section-630x114.png 630w\" sizes=\"auto, (max-width: 637px) 100vw, 637px\" \/><\/p>\n<p>After the file inside the transaction is created, it will be used to create a buffer in a special format, called a section. The function that does this is available only via the low-level API: <code>ZwCreateSection<\/code>\/<code>NtCreateSection<\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25024\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/rollback_transaction\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction.png\" data-orig-size=\"606,121\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"rollback_transaction\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction-300x60.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction-600x120.png\" class=\"alignnone size-full wp-image-25024\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction.png\" alt=\"\" width=\"606\" height=\"121\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction.png 606w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction-300x60.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction-600x120.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/rollback_transaction-604x121.png 604w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/p>\n<p>After the section is created, the file that was created is no longer needed. The transaction gets rolled back (by <code>ZwRollbackTransaction<\/code>), and the changes to the file are never saved on the disk.<\/p>\n<p>Further, the created section will be used to load a PE file. After writing the payload into memory and setting the necessary patches, such as Entry Point redirection, the process is resumed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25027\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/resume_proc\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc.png\" data-orig-size=\"606,129\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"resume_proc\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc-300x64.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc-600x128.png\" class=\"alignnone size-full wp-image-25027\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc.png\" alt=\"\" width=\"606\" height=\"129\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc.png 606w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc-300x64.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc-600x128.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/resume_proc-604x129.png 604w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/p>\n<h3>Second stage loader<\/h3>\n<p>The next layer (<a href=\"https:\/\/www.virustotal.com\/#\/file\/40288538ec1b749734cb58f95649bd37509281270225a87597925f606c013f3a\/details\" target=\"_blank\" rel=\"noopener\">8d58c731f61afe74e9f450cc1c7987be<\/a>) is not the core yet, but the next stage of the loader. The way it loads the final payload is much simpler, yet still not trivial. 
The code of Osiris core is unpacked piece by piece and manually loaded along with its dependencies into a newly allocated memory area within the loader process.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25060\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/final_payload\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload.png\" data-orig-size=\"693,215\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"final_payload\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload-300x93.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload-600x186.png\" class=\"alignnone size-full wp-image-25060\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload.png\" alt=\"\" width=\"693\" height=\"215\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload.png 693w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload-300x93.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/final_payload-600x186.png 600w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><\/p>\n<p>After this self-injection, the loader jumps into the payload&#8217;s entry point:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25028\" 
data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/payload_entry_point\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/payload_entry_point.png\" data-orig-size=\"570,225\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"payload_entry_point\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/payload_entry_point-300x118.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/payload_entry_point.png\" class=\"alignnone size-full wp-image-25028\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/payload_entry_point.png\" alt=\"\" width=\"570\" height=\"225\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/payload_entry_point.png 570w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/payload_entry_point-300x118.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/p>\n<p>The interesting thing is that the entry point of the application is different from the entry point saved in the header. So, if we dump the payload and try to run it independently, we will not get the same code executed. 
This is an interesting technique used to mislead researchers.<\/p>\n<p>The entry point that was set in the headers is at RVA 0x26840:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25059\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/original_ep-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/original_ep.png\" data-orig-size=\"467,97\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"original_ep\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/original_ep-300x62.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/original_ep.png\" class=\"alignnone size-full wp-image-25059\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/original_ep.png\" alt=\"\" width=\"467\" height=\"97\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/original_ep.png 467w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/original_ep-300x62.png 300w\" sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/p>\n<p>The call leads to a function that makes the application go into an infinite sleep loop:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25058\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/fake_ep\/\" 
data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep.png\" data-orig-size=\"658,473\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"fake_ep\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep-300x216.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep-600x431.png\" class=\"alignnone size-full wp-image-25058\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep.png\" alt=\"\" width=\"658\" height=\"473\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep.png 658w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep-300x216.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/fake_ep-600x431.png 600w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/p>\n<p>The real entry point, from which the execution of the malware should start, is at 0x25386, and it is known only to the loader.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25064\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/osiris_ep_code\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code.png\" data-orig-size=\"754,171\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"osiris_ep_code\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code-300x68.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code-600x136.png\" class=\"alignnone size-full wp-image-25064\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code.png\" alt=\"\" width=\"754\" height=\"171\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code.png 754w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code-300x68.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/osiris_ep_code-600x136.png 600w\" sizes=\"auto, (max-width: 754px) 100vw, 754px\" \/><\/p>\n<h4>Comparison with Kronos loader<\/h4>\n<p>A similar trick using a hidden entry point was used by the original Kronos (<a href=\"https:\/\/www.hybrid-analysis.com\/sample\/8389dd850c991127f3b3402dce4201cb693ec0fb7b1e7663fcfa24ef30039851?environmentId=100\" target=\"_blank\" rel=\"noopener\">2a550956263a22991c34f076f3160b49<\/a>).<\/p>\n<p>In the case of Kronos, the final payload is injected into svchost. 
The execution is redirected to the core by patching the entry point in the svchost:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25061\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/svchost_patch\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch.png\" data-orig-size=\"478,62\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"svchost_patch\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch-300x39.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch.png\" class=\"alignnone size-full wp-image-25061\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch.png\" alt=\"\" width=\"478\" height=\"62\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch.png 478w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch-300x39.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/svchost_patch-470x62.png 470w\" sizes=\"auto, (max-width: 478px) 100vw, 478px\" \/><\/p>\n<p>In this case, the entry point within the payload is at RVA 0x13B90, while the entry point saved in the payload&#8217;s\u00a0header (<a href=\"https:\/\/www.virustotal.com\/#\/file\/258d67283afa5195436b1eaa8d02953785974d3709109ebff3b9b638332df514\/details\" target=\"_blank\" rel=\"noopener\">d8425578fc2d84513f1f22d3d518e3c3<\/a>) 
is at 0x15002.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25062\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/kronos_ep\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep.png\" data-orig-size=\"431,152\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kronos_ep\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep-300x106.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep.png\" class=\"alignnone size-full wp-image-25062\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep.png\" alt=\"\" width=\"431\" height=\"152\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep.png 431w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep-300x106.png 300w\" sizes=\"auto, (max-width: 431px) 100vw, 431px\" \/><\/p>\n<p>The code at the real Kronos entry point shows similarities with the analogous point in Osiris. 
Yet, we can see they are not identical:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"25063\" data-permalink=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/attachment\/kronos_ep_code\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code.png\" data-orig-size=\"750,150\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"kronos_ep_code\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code-300x60.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code-600x120.png\" class=\"alignnone size-full wp-image-25063\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code.png\" alt=\"\" width=\"750\" height=\"150\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code.png 750w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code-300x60.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/kronos_ep_code-600x120.png 600w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>The implementation of Process Doppelg\u00e4nging used in the first-stage loader is clean and professional. The author used a relatively new technique and made the most of it by combining it with other known tricks. The precision used here reminds us of the code used in the original Kronos. 
However, we can&#8217;t be sure if the first layer is written by the same author as the core bot. Malware distributors often use <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2015\/12\/malware-crypters-the-deceptive-first-layer\/\" rel=\"noopener\" target=\"_blank\">third-party crypters<\/a> to pack their malware. The second stage is more tightly coupled with the payload, and here we can say with more confidence that this layer was prepared along with the core.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/\">Osiris dropper found using process doppelg\u00e4nging<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: hasherezade| Date: Thu, 09 Aug 2018 18:52:57 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/' title='Osiris dropper found using process doppelg\u00e4nging'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/shutterstock_1929537.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Process doppleganging, a rare technique of impersonating a process, was discovered last year, but hasn&#8217;t been seen much in the wild since. It was an interesting surprise, then, to discover its use in a dropper of the Osiris banking Trojan. 
We unpack the code to show how malware authors used this process.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/malwarebytes-news\/\" rel=\"category tag\">Malwarebytes news<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/dropper\/\" rel=\"tag\">dropper<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/kronos\/\" rel=\"tag\">kronos<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/osiris\/\" rel=\"tag\">osiris<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/osiris-dropper\/\" rel=\"tag\">Osiris dropper<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/process-doppleganging\/\" rel=\"tag\">process doppleganging<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/' title='Osiris dropper found using process doppelg\u00e4nging'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/08\/osiris-using-process-doppelganging\/\">Osiris dropper found using process doppelg\u00e4nging<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[19189,13840,10546,19190,19191,19192,10833],"class_list":["post-13061","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-dropper","tag-kronos","tag-malwarebytes-news","tag-osiris","tag-osiris-dropper","tag-process-doppleganging","tag-trojan"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13061","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13061"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13061\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13061"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13061"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}