keller - Fotolia
A new form of the Kronos banking Trojan called Osiris was recently discovered using an advanced evasion technique known as process impersonation. How does Osiris use process impersonation and what threats does it pose?
Endpoint security tools, such as antimalware and endpoint detection and response tools, have made significant progress in detecting advanced attack techniques. These tools can detect many different attacks, like malicious PowerShell scripts and other potentially malicious actions.
The newly uncovered Osiris banking Trojan, which appears to be an update to the Kronos banking Trojan, added a new functionality -- process impersonation -- and it may not be detected by all endpoint security tools.
Process impersonation occurs when malware tries to look like a legitimate executable on an endpoint by using the same name as a legitimate process when it runs or when it uses dynamic-link library injection to inject malicious code into a running process. To use process impersonation, the malware must execute its code on the endpoint.
Adding process impersonation to existing malware can make it more difficult for endpoint security tools to identify the malware and stop the attack. It also makes investigating an incident significantly more difficult if the system doesn't have sufficient logging.
If your endpoint security tools don't have the capability to log process impersonation, process hollowing or process doppelgänging, then you may want to inquire with your vendor about when the functionality is going to be added or start looking for a new endpoint security tool.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading