DoppelPaymer Searches for and Terminates Windows Processes

DoppelPaymer uses DLL search order hijacking to exploit the DLL loading behavior of Windows processes.


CrowdStrike Intelligence stated in a July 2019 blog post on DoppelPaymer that ProcessHacker was being hijacked to terminate a list of targeted processes and obtain access, providing a "critical hit." DoppelPaymer is a descendant of the BitPaymer ransomware and a member of the Dridex malware family. It is presently being delivered in a variety of ways, including phishing or spam emails with attachments containing malicious code, either JavaScript or VBScript.

To start ProcessHacker, DoppelPaymer places the ProcessHacker executable, the KProcessHacker driver, and the malicious stager DLL under a subdirectory of %APPDATA%. The subdirectory name, as well as the executable and driver file names, are each a unique string of alphanumeric characters. Once the executable and driver have been written, one of the DLLs loaded by ProcessHacker is hijacked using a technique known as "DLL search order hijacking."

DoppelPaymer sends the ProcessHacker process two arguments: the name of the KProcessHacker.sys driver and an integer that will be used for inter-process communication (IPC) between the DoppelPaymer and ProcessHacker processes.

DoppelPaymer, like Dridex, uses DLL search order hijacking to exploit the DLL loading behavior of Windows programs. When the operating system PE loader loads a binary, it must also load the DLL files the PE needs in order to function. When searching for those DLL files, Windows follows a fixed search order by default: before checking the Windows system directories, it looks for Windows system DLLs in the same directory as the target program. DoppelPaymer, running as a malicious process, can therefore drop a malicious version of a DLL in that directory, and the target application will load it.

DoppelPaymer searches the module name list in the ProcessHacker binary's Import Address Table (IAT) to decide which DLL to hijack. Each name is hashed using the CRC32 algorithm and compared against a hardcoded list of hashes; if a match is found, the name is added to a list. A random number generator is then used to select one of the three names in that list.

After selecting a DLL, the authentic Windows version of the DLL is read into a memory buffer. This DLL serves as a template for creating the malicious stager DLL. The file is saved in the same folder as the ProcessHacker executable and has the same name as the hijacked DLL.
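The two mechanisms described above, hash-based matching of import names and the app-directory-before-System32 search order, can both be reproduced in a few lines for triage purposes. The following is an added example and not code from the original post or from CrowdStrike's analysis. It assumes a constructed list of import names standing in for a PE's import directory, a constructed hash list (DoppelPaymer's real hardcoded hashes are not on the page), and, as an assumption, that names are lower-cased before hashing. The defender-side check flags imported DLLs that are expected in the Windows system directory but also sit next to the executable, and separately marks names on the KnownDLLs list, which the loader resolves from the system directory regardless of the search order and so cannot be hijacked this way (the KnownDLLs subset here is illustrative).

```python
import zlib

# Constructed sample: import names such as a PE import directory might contain.
# These are not DoppelPaymer's actual targets.
SAMPLE_IMPORTS = ["kernel32.dll", "user32.dll", "version.dll",
                  "dbghelp.dll", "ntdll.dll", "advapi32.dll"]

# Assumed subset of DLLs that normally live in the Windows system directory.
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "version.dll",
               "dbghelp.dll", "ntdll.dll", "advapi32.dll"}

# Assumed subset of the KnownDLLs list: the loader maps these from the system
# directory, so a same-named file next to the executable is not loaded.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}


def crc32_name(name: str) -> int:
    """CRC32 of the lower-cased module name as an unsigned 32-bit value.
    Lower-casing before hashing is an assumption of this example."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


def match_imports_by_hash(imports, target_hashes):
    """Reproduce the matching step: keep imports whose CRC32 is in target_hashes.
    Given a recovered hash list, this tells an analyst which imports it selects."""
    return [n for n in imports if crc32_name(n) in target_hashes]


def sideload_candidates(imports, app_dir_files,
                        system_dlls=SYSTEM_DLLS, known_dlls=KNOWN_DLLS):
    """Defender check for an application directory.

    Returns a mapping of imported system DLL names that are also present in the
    application directory to either "hijackable" (the loader would pick the
    local copy first) or "known_dll" (present, still suspicious, but resolved
    from the system directory)."""
    present = {f.lower() for f in app_dir_files}
    findings = {}
    for name in imports:
        name = name.lower()
        if name in system_dlls and name in present:
            findings[name] = "known_dll" if name in known_dlls else "hijackable"
    return findings


if __name__ == "__main__":
    # Constructed hash list built from two of the sample names.
    targets = {crc32_name("version.dll"), crc32_name("dbghelp.dll")}
    print("hash matches:", match_imports_by_hash(SAMPLE_IMPORTS, targets))

    # Constructed directory listing: renamed executable, driver, and two dropped DLLs.
    listing = ["abc123.exe", "abc123.sys", "version.dll", "kernel32.dll"]
    print("sideload candidates:", sideload_candidates(SAMPLE_IMPORTS, listing))
```

In a real triage the import names would come from a PE parser and the directory listing from the suspect %APPDATA% subdirectory; a system DLL name appearing beside a renamed executable and a driver is the file-system pattern the post describes.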