Good news ! Hackbusters community is waiting for you !  https://discuss.hackbusters.com
KnowBe4 has been running the HackBusters site for a few years now, providing you with trending IT security news. We are expanding it and have launched a new exciting online community! The forum is divided into four main topics or categories: Social Engineering, Ransomware, Phishing and Security Awareness Training. You are invited to be one of the first to join us at: https://discuss.hackbusters.com.

Osiris dropper found using process doppelgänging

Shutterstock_1929537-600x600

Process Doppelgänging, a new technique of impersonating a process, was published last year at Black Hat conference. After some time, a ransomware namedSynAck was discoveredthat adopted it for malicious purposes. However, this technique is still pretty rare in wild. So, it was an interesting surprise to notice it in a dropper of the Osiris banking Trojan (a new version of the infamous Kronos).

The authors of this dropper were skilled, and they added several other tricks to spice the whole thing up. In this post, we will have a closer look at the loader’s implementation.

Analyzed sample

Osiris is loaded in three steps:

Overview

The dropper creates a new process and injects the content inside:

Interestingly, when we look into the modules loaded in the process space of the injector, we can see an additional copy of NTDLL:

This is...(continued)

View All Trending Stories