Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique
Jun 17, 2021
Cybersecurity researchers have disclosed a new executable image tampering attack dubbed "Process Ghosting" that could potentially be abused by an attacker to circumvent protections and stealthily run malicious code on a Windows system.

"With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau said. "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)."

Process Ghosting expands on previously documented endpoint bypass methods such as Process Doppelgänging and Process Herpaderping, thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection.

Process Doppelgänging, analogous to Process Hollowing, involves injecting arbitrary code in the address space of...
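The symptom Landau describes, a process executing from a file that has already been deleted, is something telemetry can be checked for after the fact. The following is an added example, not code from the article or from Elastic: it takes process-creation records (constructed here; a real collector would feed it Sysmon Event ID 1 or ETW process-start events, which are assumptions about the data source) together with a constructed on-disk inventory, and flags every start whose backing image is absent.

```python
# Added example (not from the article or Elastic): flag process starts whose
# image file is not present on disk, the Process Ghosting symptom described
# above. Telemetry and the disk inventory are constructed sample data.
import ntpath


def normalize_win_path(path: str) -> str:
    """Canonicalise the spellings a Windows path shows up with in telemetry:
    NT device form (\\\\?\\C:\\...), forward slashes and mixed case."""
    p = path.strip()
    if p.startswith("\\\\?\\"):
        p = p[4:]
    p = p.replace("/", "\\")
    return ntpath.normpath(p).lower()


def find_ghosted_candidates(events, on_disk_paths):
    """Return (pid, image_path) for each process start whose image file is
    missing from the on-disk inventory. A normally launched executable is
    backed by a file that still exists; a missing file means the image was
    removed before or during process creation and deserves triage."""
    present = {normalize_win_path(p) for p in on_disk_paths}
    flagged = []
    for event in events:
        if normalize_win_path(event["image"]) not in present:
            flagged.append((event["pid"], event["image"]))
    return flagged


# Constructed sample telemetry: three ordinary starts and one whose image path
# points at a file that is absent from the (also constructed) disk inventory.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4188, "image": r"\\?\C:\Program Files\Editor\editor.exe"},
    {"pid": 4201, "image": r"c:/users/alice/appdata/local/temp/update.exe"},
    {"pid": 4230, "image": r"C:\Users\alice\AppData\Local\Temp\tmp1F2A.tmp"},
]
SAMPLE_DISK = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Users\Alice\AppData\Local\Temp\update.exe",
]

if __name__ == "__main__":
    for pid, image in find_ghosted_candidates(SAMPLE_EVENTS, SAMPLE_DISK):
        print(f"pid {pid}: image file missing on disk: {image}")
```

A missing image can also be a benign race (an updater that removes its own binary right after launch), so the result is a triage signal to correlate with the file's creation and deletion events, not a verdict on its own.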