A new variant of a malware-loading technique that makes use of Process Doppelgänging has been spotted in the wild. Called TxHollower, it is described as a significant new threat.
What does the report say?
Discovered by Ensilo researchers, TxHollower is a type of malicious code that specializes in loading a second-stage malware payload onto a victim’s system. Unlike dropper malware, which downloads malicious files from a C2 server, TxHollower hides the malware payload inside the loader code itself.
“This loader is a significant threat, besides [distributing] GandCrab, that closed up shop earlier this year, it delivers over a dozen other payloads like FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat and Pony stealer,” said Omri Misgave, security researcher team leader at Ensilo in a blog post.
What are its properties?
TxHollower is a hybrid malware that uses techniques borrowed from two loader malware families, Process Doppelgänging and Process Hollowing. Process Doppelgänging is similar to Process Hollowing, in which adversaries replace the memory of a legitimate process with malicious code, thereby evading antivirus detection.
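Because the loader overwrites a legitimate process rather than dropping a file, file-based scanning misses it, and defenders instead look for the behaviour. The following is an added example, not code from the report or from Ensilo: a small detector that runs over constructed telemetry lines and flags a caller that starts a child suspended, unmaps its image, writes into it, repoints its thread and resumes it. The event format, the sample events and the assumed API sequence (the commonly described hollowing steps, not something the report spells out) are all constructed for this example.

```python
"""Flag the process-hollowing call sequence in constructed telemetry.

Added example, not part of the original report. Assumes an EDR feed that
records one line per cross-process API call in the form
"<timestamp> pid=<caller> target=<child> api=<call>".
"""
from collections import defaultdict

# Ordered steps of the classic hollowing technique (assumption drawn from
# public descriptions of the technique, not from the report). Other calls may
# be interleaved, but these must occur in this order against the same child.
HOLLOWING_SEQUENCE = (
    "CreateProcess(CREATE_SUSPENDED)",
    "NtUnmapViewOfSection",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)

# Constructed sample telemetry: pid 4000 is a benign parent that merely starts
# a child suspended and resumes it; pid 1234 performs the full hollowing chain
# with an unrelated allocation and a second write mixed in.
SAMPLE_EVENTS = [
    "2019-07-10T12:00:01Z pid=4000 target=4001 api=CreateProcess(CREATE_SUSPENDED)",
    "2019-07-10T12:00:01Z pid=4000 target=4001 api=ResumeThread",
    "2019-07-10T12:00:02Z pid=1234 target=5678 api=CreateProcess(CREATE_SUSPENDED)",
    "2019-07-10T12:00:02Z pid=1234 target=5678 api=NtUnmapViewOfSection",
    "2019-07-10T12:00:02Z pid=1234 target=5678 api=VirtualAllocEx",
    "2019-07-10T12:00:03Z pid=1234 target=5678 api=WriteProcessMemory",
    "2019-07-10T12:00:03Z pid=1234 target=5678 api=WriteProcessMemory",
    "2019-07-10T12:00:03Z pid=1234 target=5678 api=SetThreadContext",
    "2019-07-10T12:00:04Z pid=1234 target=5678 api=ResumeThread",
]


def parse_event(line):
    """Parse one telemetry line into a dict with ts, pid, target and api."""
    ts, *rest = line.split()
    fields = dict(part.split("=", 1) for part in rest)
    return {
        "ts": ts,
        "pid": int(fields["pid"]),
        "target": int(fields["target"]),
        "api": fields["api"],
    }


def hollowing_progress(lines):
    """Map each (caller, child) pair to how many sequence steps it completed.

    The counter only advances when the next expected call is seen, so a
    benign parent that just creates and resumes a child stays at step 1.
    """
    progress = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        key = (ev["pid"], ev["target"])
        idx = progress[key]
        if idx < len(HOLLOWING_SEQUENCE) and ev["api"] == HOLLOWING_SEQUENCE[idx]:
            progress[key] = idx + 1
    return dict(progress)


def find_hollowing(lines):
    """Return the (caller, child) pairs that completed every step, sorted."""
    full = len(HOLLOWING_SEQUENCE)
    return sorted(k for k, n in hollowing_progress(lines).items() if n == full)


if __name__ == "__main__":
    for pid, target in find_hollowing(SAMPLE_EVENTS):
        print(f"possible process hollowing: pid {pid} rewrote suspended child {target}")
```

Ordering is the point of the check: a debugger or installer also starts children suspended and resumes them, so alerting on `CREATE_SUSPENDED` alone is noisy. This covers the hollowing half of the hybrid only; Process Doppelgänging replaces the image through a different mechanism and needs its own telemetry.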
“Attackers are known to reuse resources and tools in their attack chains, most notable are droppers, packers, and loaders. It highlights that shared components and code make tracking and attributing various groups even more complicated,” researchers added.
Researchers believe TxHollower loaders are available to cybercriminals through some offensive framework or exploit kit. “In general, most malware from the payloads are related to exploit kits. It’s possible that TxHollower is provided by another party and bundled with different kits,” noted researchers.
The earliest sample of a loader with the TxHollower feature was used in March 2018 to spread the NetWire RAT, and the feature was later also found bundled with multiple GandCrab versions, from v5 through v5.2.