Osiris dropper found using process doppelgänging
Process doppelgänging, a new technique for impersonating a process, was presented last year at the Black Hat conference. Some time later, a ransomware named SynAck was discovered that had adopted this technique for malicious purposes. Even so, the technique is still pretty rare in the wild, so it was an interesting surprise to notice it in a dropper of the Osiris banking Trojan (a new version of the infamous Kronos). The authors of this dropper were skilled, and they added several other tricks to spice the whole thing up. In this post, we will take a closer look at the loader's implementation.

Analyzed samples

5e6764534b3a1e4d3abacc4810b6985d – original sample (stage 1)
8d58c731f61afe74e9f450cc1c7987be – stage 2
e8c39091cce419adee23153f30cefa5a – Osiris core bot

Osiris is loaded in three steps:

Overview

The dropper creates a new process and injects the content inside:

Interestingly, when we look into the modules loaded in the process space of the injector, we can see an additional copy of NTDLL:
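A second copy of NTDLL mapped into the injector is a symptom a defender can look for. The following is an added example, not code from the original post: it scans a constructed per-process module listing (the format "pid process module_path" is an assumption, modelled on what a module enumerator or memory-dump tool exports) and flags any process that maps ntdll.dll more than once or from outside the system directories.

```python
import ntpath
from collections import defaultdict

# Assumption: default 64-bit Windows install; ntdll.dll legitimately lives only here.
KNOWN_NTDLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

def parse_module_listing(listing):
    """Yield (pid, process_name, module_path) from a whitespace-separated listing."""
    for line in listing.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip header or malformed lines
        pid, proc, path = parts
        yield int(pid), proc, path

def find_suspicious_ntdll(listing):
    """Return {pid: {"process": name, "ntdll": [paths]}} for processes that map
    ntdll.dll more than once, or from a directory other than the known system ones."""
    ntdll_by_pid = defaultdict(list)
    proc_names = {}
    for pid, proc, path in parse_module_listing(listing):
        if ntpath.basename(path).lower() == "ntdll.dll":
            ntdll_by_pid[pid].append(path)
            proc_names[pid] = proc
    findings = {}
    for pid, paths in ntdll_by_pid.items():
        odd_location = any(ntpath.dirname(p).lower() not in KNOWN_NTDLL_DIRS for p in paths)
        if len(paths) > 1 or odd_location:
            findings[pid] = {"process": proc_names[pid], "ntdll": paths}
    return findings

# Constructed sample: pid 1234 is benign; pid 4321 mimics the injector, with the
# system NTDLL plus a second mapping of it; pid 5555 loads ntdll.dll from an odd path.
SAMPLE_LISTING = r"""
1234 explorer.exe C:\Windows\System32\ntdll.dll
1234 explorer.exe C:\Windows\System32\kernel32.dll
4321 dropper.exe C:\Windows\System32\ntdll.dll
4321 dropper.exe C:\Windows\System32\kernel32.dll
4321 dropper.exe C:\Windows\System32\ntdll.dll
5555 other.exe C:\Users\victim\AppData\Local\Temp\ntdll.dll
"""

if __name__ == "__main__":
    for pid, info in find_suspicious_ntdll(SAMPLE_LISTING).items():
        print(f"pid {pid} ({info['process']}): {len(info['ntdll'])} ntdll mapping(s) -> {info['ntdll']}")
```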