{"id":13094,"date":"2018-08-13T11:10:05","date_gmt":"2018-08-13T19:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/08\/13\/news-6861\/"},"modified":"2018-08-13T11:10:05","modified_gmt":"2018-08-13T19:10:05","slug":"news-6861","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/13\/news-6861\/","title":{"rendered":"Process Doppelg\u00e4nging meets Process Hollowing in Osiris dropper"},"content":{"rendered":"

Credit to Author: hasherezade| Date: Mon, 13 Aug 2018 18:29:57 +0000<\/strong><\/p>\n

One of the Holly Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.<\/p>\n

Process Doppelg\u00e4nging<\/a>, a new technique of impersonating a process, was published last year at the\u00a0Black Hat conference<\/a>. After some time, a ransomware named\u00a0SynAck was found adopting that technique<\/a> for malicious purposes. Even though\u00a0Process Doppelg\u00e4nging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos<\/a>). After closer examination, we found out that the original technique was further customized.<\/p>\n

Indeed, the malware authors have merged elements from both Process Doppelg\u00e4nging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.<\/p>\n

Overview<\/h3>\n

Osiris is loaded in three steps as pictured in the diagram below:<\/p>\n

\"\"<\/a><\/p>\n

The first stage loader is the one that was inspired by the Process Doppelg\u00e4nging technique but with an innovative twist. Finally, Osiris proper is delivered thanks to a second stage loader.<\/p>\n

Loading additional NTDLL<\/h3>\n

When ran, the initial dropper creates a new suspended process, wermgr.exe.<\/p>\n

\"\"<\/p>\n

Looking into the modules loaded within the injector’s process space, we can indeed see this additional copy of NTDLL:<\/p>\n

\"\"<\/a><\/p>\n

This is a well-known technique that some malware authors use in order to evade monitoring applications and hide the API calls that they use. When we closely examine what functions are called from that additional NTDLL, we find more interesting details. It calls several APIs related to NTFS transactions. It was easy to guess that the technique of Process Doppelg\u00e4nging, which relies on this mechanism, was applied here.<\/p>\n

NTDLL is a special, low-level DLL. Basically, it is just a wrapper around syscalls<\/a>. It does not have any dependencies from other DLLs in the system. Thanks to this, it can be loaded conveniently, without the need to fill its import table.<\/p>\n

Other system DLLs, such as Kernel32, rely heavily on functions exported from NTDLL. This is why many user-land monitoring tools hook and intercept the functions exported by NTDLL: to watch what functions are being called and check if the process does not display any suspicious activity.<\/p>\n

Of course malware authors know about this, so sometimes, in order to fool this mechanism, they load their own, fresh and unhooked copy of NTDLL from disk. There are several ways to implement this. Let’s have a look how the authors of the Osiris dropper did it.<\/p>\n

Looking at the memory mapping, we see that the additional NTDLL is loaded as an image, just like other DLLs. This type of mapping is typical for DLLs loaded by LoadLibrary<\/code> function or its low-level version from NTDLL, LdrLoadDll<\/code>. But NTDLL is loaded by default in every executable, and loading the same DLL twice is impossible by the official API.<\/p>\n

Usually, malware authors decide to map the second copy manually, but that gives a different mapping type and stands out from the normally-loaded DLLs. Here, the authors made a workaround: they loaded the file as a section, using the following functions:<\/p>\n