Attackers could exploit a novel executable image tampering technique called "Process Ghosting" to evade protections and stealthily run malicious code on Windows systems, The Hacker News reports.
"With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)," said Gabriel Landau, a researcher at Elastic Security.
According to Elastic Security, Process Ghosting can also run executables that have already been deleted, which Process Doppelgänging and Process Herpaderping cannot.
"This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section," Landau said.
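The ordering Landau describes (delete the file, then start the process from the section) is what a defender can look for. The following added example, which is not Elastic's code and not part of the original article, runs a simple detection over a constructed stream of file and process events: it flags a process whose image path was already deleted when the process started. The event format and field names (`ts`, `type`, `path`, `image`, `pid`) are assumptions, not a real EDR or Sysmon schema.

```python
import json

# Constructed sample telemetry (JSON lines), not real logs. The first flow
# writes updater.exe, deletes it, and only then starts a process from it
# (the Process Ghosting order). The second flow is a normal install/run/cleanup.
SAMPLE_EVENTS = r"""
{"ts": 100, "type": "file_create",    "path": "C:\\Temp\\updater.exe"}
{"ts": 101, "type": "file_delete",    "path": "C:\\Temp\\updater.exe"}
{"ts": 102, "type": "process_create", "pid": 4242, "image": "C:\\Temp\\updater.exe"}
{"ts": 200, "type": "file_create",    "path": "C:\\Temp\\installer.exe"}
{"ts": 201, "type": "process_create", "pid": 4300, "image": "C:\\Temp\\installer.exe"}
{"ts": 250, "type": "file_delete",    "path": "C:\\Temp\\installer.exe"}
""".strip()


def find_ghosted_processes(event_lines):
    """Return (pid, image) pairs for processes whose image file was in a
    deleted state at the moment the process was created.

    A file counts as deleted if its most recent delete event is later than
    its most recent create event. Deleting the file *after* the process
    starts (ordinary cleanup) is not flagged.
    """
    last_create = {}  # normalized path -> ts of latest file_create
    last_delete = {}  # normalized path -> ts of latest file_delete
    hits = []
    events = [json.loads(line) for line in event_lines.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create":
            last_create[ev["path"].lower()] = ev["ts"]
        elif ev["type"] == "file_delete":
            last_delete[ev["path"].lower()] = ev["ts"]
        elif ev["type"] == "process_create":
            path = ev["image"].lower()
            deleted = last_delete.get(path)
            created = last_create.get(path, -1)
            # Image path existed at some point but is deleted at process start
            if deleted is not None and deleted > created:
                hits.append((ev["pid"], ev["image"]))
    return hits


if __name__ == "__main__":
    for pid, image in find_ghosted_processes(SAMPLE_EVENTS):
        print(f"suspect: pid={pid} image already deleted at start: {image}")
```

Real telemetry would need the same comparison done per volume and path normalization beyond lower-casing, and a delete that happens long before the process start still qualifies, since the section can be mapped before the handle is closed.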
Microsoft was notified about Process Ghosting last month, but said the issue does not meet its servicing standards.
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.