keller - Fotolia
What new technique does the Osiris banking Trojan use?
A new Kronos banking Trojan variant was found to use process impersonation to bypass defenses. Learn what this evasion technique is and the threat it poses with Nick Lewis.
A new form of the Kronos banking Trojan called Osiris was recently discovered using an advanced evasion technique known as process impersonation. How does Osiris use process impersonation and what threats does it pose?
Endpoint security tools, such as antimalware and endpoint detection and response tools, have made significant progress in detecting advanced attack techniques. These tools can detect many different attacks, like malicious PowerShell scripts and other potentially malicious actions.
The newly uncovered Osiris banking Trojan, which appears to be an update to the Kronos banking Trojan, added a new functionality -- process impersonation -- and it may not be detected by all endpoint security tools.
Process impersonation occurs when malware tries to look like a legitimate executable on an endpoint by using the same name as a legitimate process when it runs or when it uses dynamic-link library injection to inject malicious code into a running process. To use process impersonation, the malware must execute its code on the endpoint.
Adding process impersonation to existing malware can make it more difficult for endpoint security tools to identify the malware and stop the attack. It also makes investigating an incident significantly more difficult if the system doesn't have sufficient logging.
If your endpoint security tools don't have the capability to log process impersonation, process hollowing or process doppelgänging, then you may want to inquire with your vendor about when the functionality is going to be added or start looking for a new endpoint security tool.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)