J0k3rj0k3r Posted March 26, 2017 Share Posted March 26, 2017 (edited) DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). DoubleAgent can exploit: Every Windows version (Windows XP to Windows 10) Every Windows architecture (x86 and x64) Every Windows user (SYSTEM/Admin/etc.) Every target process, including privileged processes (OS/Antivirus/etc.) Code Injection DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself. The code injection technique is so unique that it’s not detected or blocked by any antivirus. Persistency DoubleAgent can continue injecting code even after reboot making it a perfect persistence technique to “survive” reboots/updates/reinstalls/patches/etc. Once the attacker decides to inject a DLL into a process, they are forcefully bounded forever. Even if the victim would completely uninstall and reinstall its program, the attacker’s DLL would still be injected every time the process executes. Attack Vectors Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanism. The attack has been verified and works on all the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro. For more details, checkout our This is the hidden content, please Sign In or Sign Up article. Installing Persistent Malware – Installing malware that can “survive” reboots and are automatically executed once the operating system boots. Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in disguise of the trusted process. e.g. Exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data. Altering Process Behavior – Modifying the behavior of the process. e.g. Installing backdoors, weakening encryption algorithms, etc. Attacking Other Users/Sessions – Injecting code to processes of other users/sessions (SYSTEM/Admin/etc.). [video=youtube;-ZL9WSuDAqk] Download [HIDE-THANKS] This is the hidden content, please Sign In or Sign Up [/HIDE-THANKS] Edited March 26, 2017 by J0k3rj0k3r Link to comment Share on other sites More sharing options...
Recommended Posts