Process hollowing is a sophisticated code injection technique used by cyber attackers to run malicious code under the guise of a legitimate process. This method involves creating a new process in a suspended state and then replacing its code with malicious content. Once the malicious code is in place, the process is resumed, making it appear as though a legitimate application is running.

This technique is particularly effective for evading detection by security software, as the malicious code operates within the context of a trusted process. By leveraging process hollowing, attackers can execute harmful actions while remaining under the radar of traditional security measures.

How does Process Hollowing Work?

Process hollowing begins with the creation of a new process in a suspended state. This is typically achieved using native Windows API calls like CreateProcess with a flag to suspend the primary thread. The suspended state allows the attacker to manipulate the process without it executing any code prematurely.

Next, the attacker unmapped the memory of the suspended process using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection. This step effectively clears the legitimate code from the process, making room for the malicious content. The attacker then allocates new memory within the target process using VirtualAllocEx and writes the malicious code into this allocated space with WriteProcessMemory.

Finally, the attacker sets the context of the primary thread using SetThreadContext and resumes the process with ResumeThread. At this point, the process, which appears legitimate, begins executing the malicious code. This seamless transition from legitimate to malicious code execution is what makes process hollowing particularly insidious and difficult to detect.

What are Examples of Process Hollowing?

Examples of process hollowing can be found in various malware and threat groups. For instance, Agent Tesla uses process hollowing to manipulate processes by reallocating unmapped memory with its malicious code. Similarly, Astaroth creates a new process in a suspended state, unmaps its memory, and replaces it with malicious content.

Other notable examples include Azorult, which decrypts its payload into memory and injects it into a new suspended process, and Bandook, which launches by starting iexplore.exe and replacing it with its payload. Additionally, Bazar injects into target processes like Svchost and Explorer using process hollowing techniques. These instances highlight the diverse ways in which process hollowing is employed to evade detection and execute malicious activities.

What are the Potential Risks of Process Hollowing?

The potential risks of suffering a process hollowing attack are significant and multifaceted. Here are some of the key risks:

• Unauthorized Access to Sensitive Data: Attackers can gain access to confidential information by injecting malicious code into legitimate processes, making it difficult to detect unauthorized activities.

• Increased Risk of Data Breaches: The ability to run malicious code within trusted processes can lead to data breaches, as attackers can exfiltrate sensitive information without raising alarms.

• Compromise of System Integrity: The integrity of the system is compromised when legitimate processes are altered to execute malicious code, potentially leading to further exploitation and control by attackers.

• Evasion of Security Measures: Process hollowing allows malicious code to evade detection by security software, as it operates within the context of a legitimate process, making it harder to identify and mitigate the threat.

• Persistent Threats: Advanced persistent threats (APTs) often use process hollowing to maintain long-term access to compromised systems, making it challenging to fully eradicate the threat.

How can you Protect Against Process Hollowing?

Protecting against process hollowing requires a multi-faceted approach. Here are some key strategies:

• Implement Endpoint Detection and Response (EDR) Tools: EDR solutions can monitor and analyze suspicious activities on endpoints, helping to detect and respond to process hollowing attempts.

• Regularly Update Software: Keeping your software and systems up to date with the latest security patches can mitigate vulnerabilities that attackers might exploit.

• Use Reliable Antivirus Software: Ensure you have robust antivirus software that can detect and block malicious code injections.

• Monitor Windows API Calls: Keep an eye on API calls like CreateRemoteThread, SuspendThread, and WriteProcessMemory to identify potential process hollowing activities.

• Educate Users: Conduct regular training sessions to make users aware of phishing tactics and the importance of not downloading files from unverified sources.