"Process Ghosting: A New Executable Image Tampering Technique in the Wild"

Elastic Security uncovered a new image tampering attack called Process Ghosting. Remote hackers are using this new type of executable image-altering technique to deploy malware on a targeted Windows system stealthily. Process Ghosting escapes anti-malware defenses and detection by using veiled malicious codes. Using this technique, an attacker can write a piece of malware to disk in a way that makes it difficult to scan or delete. According to researchers, this technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF). A gap exists between when a process is created and when security products are notified of its creation, providing a window for malware authors to tamper with the executable before the products can scan it. This article continues to discuss the flow of the new image tampering attack Process Ghosting. 

CISO MAG reports "Process Ghosting: A New Executable Image Tampering Technique in the Wild"