A new form of the Kronos banking Trojan called Osiris was recently discovered using an advanced evasion technique known as process impersonation. How does Osiris use process impersonation and what threats does it pose?
Endpoint security tools, such as antimalware and endpoint detection and response tools, have made significant progress in detecting advanced attack techniques. They can now catch many different attacks, such as malicious PowerShell scripts and other potentially malicious actions.
The newly uncovered Osiris banking Trojan, which appears to be an update to the Kronos banking Trojan, added a new functionality -- process impersonation -- and it may not be detected by all endpoint security tools.
Process impersonation occurs when malware tries to look like a legitimate executable on an endpoint, either by running under the same name as a legitimate process or by using dynamic-link library (DLL) injection to place malicious code inside an already running process. In either case, the malware must first execute its own code on the endpoint.
Adding process impersonation to existing malware can make it more difficult for endpoint security tools to identify the malware and stop the attack. It also makes investigating an incident significantly more difficult if the system doesn't have sufficient logging.
If your endpoint security tools don't have the capability to log process impersonation, process hollowing or process doppelgänging, then you may want to inquire with your vendor about when the functionality is going to be added or start looking for a new endpoint security tool.
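One defender-side check the advice above implies, shown here as an added example that is not from the article or any vendor's product: compare each running process's name against the image path and parent process Windows itself would use for that binary, so a look-alike launched from the wrong place or by the wrong parent stands out. The baseline table and the process records are constructed for illustration and should be tuned to your own gold image.

```python
"""Flag processes that impersonate a well-known Windows binary by name."""
from dataclasses import dataclass

# Hypothetical baseline: where each system binary lives and who normally
# starts it. Values are illustrative, not an authoritative Windows reference.
BASELINE = {
    "svchost.exe": {"dir": r"c:\windows\system32", "parents": {"services.exe"}},
    "lsass.exe": {"dir": r"c:\windows\system32", "parents": {"wininit.exe"}},
    "explorer.exe": {"dir": r"c:\windows", "parents": {"userinit.exe", "winlogon.exe"}},
}


@dataclass
class Proc:
    pid: int
    name: str
    path: str          # full image path as reported by the endpoint agent
    parent_name: str   # image name of the parent process


def check_process(p: Proc) -> list:
    """Return the impersonation indicators found for one process record."""
    expected = BASELINE.get(p.name.lower())
    if expected is None:
        return []  # not a baselined binary; nothing to compare against
    findings = []
    actual_dir = p.path.lower().rsplit("\\", 1)[0]  # strip the file name
    if actual_dir != expected["dir"]:
        findings.append(f"path mismatch: {p.path}")
    if p.parent_name.lower() not in expected["parents"]:
        findings.append(f"unexpected parent: {p.parent_name}")
    return findings


def scan(procs) -> dict:
    """Map pid -> findings for every process that raised at least one indicator."""
    return {p.pid: f for p in procs if (f := check_process(p))}


# Constructed snapshot: a legitimate svchost, a look-alike dropped under a
# user profile and launched from an Office process, and an unrelated process.
SAMPLE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(4120, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "winword.exe"),
    Proc(2044, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        print(pid, findings)  # only pid 4120 is reported
```

The same comparison applies to DLL-injection cases only indirectly; for those, the logging of module loads and cross-process memory writes the article recommends is what gives an investigator something to query.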