DoubleAgent Attack Technique Leads To Dangerous Intrusions

Security researchers have disclosed a new zero-day attack technique, dubbed DoubleAgent, which they rate as highly dangerous.

The DoubleAgent Attack Technique Is A Dangerous Method Used By Hackers

Security specialists have identified a new zero-day technique dubbed DoubleAgent, which they rate as an extremely dangerous method for infiltrating target systems. Analysis of the observed incidents shows that the attackers used the technique to take control of the anti-virus and security products installed on the target machines. The investigators found this troubling: rather than trying to conceal themselves from the security software, the attackers have changed tactics and directly hijack it. Most of the well-known vendors are affected, although some of them have already issued critical patches that fix the discovered issues. The list includes Avast, AVG, Avira, Trend Micro, BitDefender, ESET, Kaspersky, McAfee, Panda and others.

Several of the affected products already have security advisories assigned that relate to the DoubleAgent technique:

  • Bitdefender (CVE-2017-6186) – Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a “DoubleAgent” attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
  • Avira (CVE-2017-6417) – Code injection vulnerability in Avira Total Security Suite 15.0 (and earlier), Optimization Suite 15.0 (and earlier), Internet Security Suite 15.0 (and earlier), and Free Security Suite 15.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avira process via a “DoubleAgent” attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
  • Avast (CVE-2017-5567) – Code injection vulnerability in Avast Premier 12.3 (and earlier), Internet Security 12.3 (and earlier), Pro Antivirus 12.3 (and earlier), and Free Antivirus 12.3 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avast process via a “DoubleAgent” attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
  • AVG (CVE-2017-5566) – Code injection vulnerability in AVG Ultimate 17.1 (and earlier), AVG Internet Security 17.1 (and earlier), and AVG AntiVirus FREE 17.1 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any AVG process via a “DoubleAgent” attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
  • Trend Micro (CVE-2017-5565) – Code injection vulnerability in Trend Micro Maximum Security 11.0 (and earlier), Internet Security 11.0 (and earlier), and Antivirus+ Security 11.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Trend Micro process via a “DoubleAgent” attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.

The attack relies on the Microsoft Application Verifier to load malicious code into a process's memory. Application Verifier is a runtime verification tool that behaves like a debugger. It was introduced with Windows XP and has been installed and enabled by default on every version of the operating system since. It can be used with any project written in C++, one of the most popular programming languages. As a result, the vulnerable platforms are:

  • Every Windows version since Windows XP.
  • Every Windows architecture (both x86 and x64 versions).
  • Every Windows user, including the SYSTEM and Administrator accounts.
  • Every target process, including privileged ones such as core operating system applications and those belonging to security solutions.
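As an added defender-side example for this post (not code from the original article or from any of the vendors named above), the following Python script triages an export of the Image File Execution Options key, taken with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, for the Application Verifier provider registrations the advisories describe. The sample export, image names and DLL name are constructed; the value names GlobalFlag and VerifierDlls and the 0x100 flag bit are the standard ones Windows uses, and a real export file should be opened with encoding="utf-16".

```python
r"""Triage a 'reg export' of the Image File Execution Options (IFEO) key for Application Verifier
provider registrations of the kind DoubleAgent relies on (REG_SZ and REG_DWORD values only)."""

# GlobalFlag bit that makes the loader load the DLLs named in VerifierDlls at process start.
FLG_APPLICATION_VERIFIER = 0x100
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample: a benign Debugger entry plus a verifier-provider registration (names made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="fakeprov.dll"
"""

def parse_reg(text):
    """Return {key_path: {value_name: (kind, value)}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("dword:"):
                keys[current][name] = ("dword", int(value[6:], 16))
            elif value.startswith('"'):  # .reg escapes backslashes as \\; undo that
                keys[current][name] = ("sz", value.strip('"').replace("\\\\", "\\"))
    return keys

def find_verifier_providers(text):
    """List IFEO image subkeys that set FLG_APPLICATION_VERIFIER or name a VerifierDlls provider."""
    findings = []
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(IFEO.lower() + "\\"):
            continue  # only the IFEO subtree matters here
        image = path[len(IFEO) + 1:]
        gflag = values.get("GlobalFlag", ("dword", 0))[1]
        dlls = values.get("VerifierDlls", ("sz", ""))[1]
        if gflag & FLG_APPLICATION_VERIFIER or dlls:  # a plain Debugger entry is not reported
            findings.append({"image": image, "verifier_flag": bool(gflag & FLG_APPLICATION_VERIFIER), "dlls": dlls.split()})
    return findings

if __name__ == "__main__":
    print(find_verifier_providers(SAMPLE_REG))
```

Because the self-protection bypass in the advisories works by temporarily renaming the key, an export taken after the fact still shows the finished registration under the normal path; to catch the rename itself, audit registry writes to this key as they happen.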

The DoubleAgent attack routine follows this sequence:

  1. The victims are lured into downloading and executing infected files from various sources – email spam campaigns, malicious download sites, P2P networks, etc.
  2. Once the malware runs, its code is injected into any running process. The injection occurs during the earliest stage of process start-up, which gives the attackers full control over the process. Because this happens so early, most anti-virus and anti-malware products cannot detect such attacks.
  3. Once the attack has taken place, the attackers can load additional modules that inflict damage on the host.

Once a system is infected with the DoubleAgent malware code, the virus can trigger the following consequences:

  • Persistent Environment Setup – The malicious engine can create a persistent environment by re-injecting its code after reboots and other power events. This is usually done by modifying the Windows registry, boot configuration settings and other mechanisms that alter the operating system's behavior.
  • Process Hijacking – The malware can take full control of target processes, including ordinary applications, critical system processes and even antivirus software. The DoubleAgent attack can bypass the self-protection mechanisms built into them.
  • Persistent Malware Delivery – The attack technique can be used to introduce additional malware threats (e.g. as a payload dropper) that share the same persistent environment, using preconfigured commands.
  • Information Stealing & Spying – Such malware infections can be used by the remote attackers to harvest important information from the affected computers, including both sensitive system information and user data. More complex and evolved variants can also include an on-demand spying module that reports all user interactions with the PC.
  • Process Modification – Once a target process has been infiltrated, it can be modified by changing its privileges or by altering the files and data it interacts with.

Possible infection sources include the following:

  • Download Sites & P2P Networks – This is one of the most popular methods of distributing viruses. The hackers can use various untrusted, hacker-controlled or hacked sites and portals to distribute the binary files. Another source is the popular P2P networks, where pirated content is typically spread.
  • Exploit Kit Attacks – Vulnerability scanning and automated attacks are usually performed by exploit kits. Hackers can also use other direct intrusion attempts to gain remote access, which allows them to reach the target systems and execute the DoubleAgent binary file.
  • Spam Email Campaigns – Spam email messages of different types can carry the DoubleAgent files. The hackers employ various tactics to infect as many people as possible. In the most common case they send out bulk email messages with social engineering tricks (phishing scams) that manipulate the targets into infecting themselves. The counterfeit messages pose as being sent by a legitimate and well-known company, organization or institution and include dangerous hyperlinks or attachments. Upon interaction with them, the targets become victims of the DoubleAgent malware code. In recent times, infected macros in office documents have become the dominant email spam carrier.
  • Dangerous Redirects & Browser Hijackers – All sorts of dangerous scripts, malicious ad networks and browser hijackers can lead to a successful infection. Redirection scripts found on hacked or hacker-controlled sites can download the virus to the victim computer. Ad networks can serve pop-ups that link to dangerous download sites and also generate revenue for the operators. Browser hijackers are one of the most dangerous infection sources, as they are installed as extensions to the installed web browsers (Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge). They modify essential settings such as the default home page, search engine and new tab page to point to a hacker-supplied site or portal. In addition, the victims' privacy is endangered, as most of them also extract and send sensitive information such as stored cookies, account credentials, history and settings to the attackers.
  • Infected Installers – DoubleAgent viral code can also be injected into software installers of popular applications, games, utilities and patches. In many cases the target binaries are those of freeware and trial versions of the relevant software.

Mitigation is possible through a concept called “Protected Processes”, introduced by Microsoft. The idea is that security solutions (anti-virus applications, firewalls, IDS systems, etc.) should only allow trusted, signed code to load into their processes. Specific anti-code-injection measures are part of this framework. However, at the moment no anti-virus vendor (except Microsoft with Windows Defender) has implemented this design completely.


Author: Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
