GandCrab Doppelgänging His Shell


GandCrab Doppelgänging His Shell (Jul 25, 2019)

EnSilo researchers have a new downloader, dubbed “TxHollower,” that uses a variation of the Process Doppelgänging technique. Process Doppelgänging “involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection,” according to MITRE. Analysis of the now defunct GandCrab ransomware led to the discovery of seven versions of TxHollower. The downloader is a shellcode that “[i]n contrast to the original technique [Process Doppelgänging], instead of using an existing executable on disk a new file [is] created inside the transaction in %TEMP% folder.” TXHollower is used by over 20 different malware families and is likely distributed in a variety of ways such as malspam and malvertising, among others

Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.