Home

Awesome

DoubleAgent

DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).

DoubleAgent can exploit:

DoubleAgent exploits a 15 years old legitimate feature of Windows and therefore cannot be patched.

Code Injection

DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself. The code injection technique is so unique that it’s not detected or blocked by any antivirus.

Persistency

DoubleAgent can continue injecting code even after reboot making it a perfect persistence technique to “survive” reboots/updates/reinstalls/patches/etc. Once the attacker decides to inject a DLL into a process, they are forcefully bounded forever. Even if the victim would completely uninstall and reinstall its program, the attacker’s DLL would still be injected every time the process executes.

Attack Vectors

Technical Deep Dive

For more details, checkout our technical article.

Installation

  1. Clone/Download the DoubleAgent source code.
  2. Build the main solution twice, once in x86 and once in x64. This step is crucial as it creates both x86 and x64 versions of DoubleAgentDll.dll which is required in order to perform a successful installation.
  3. Copy the entire bin folder to the target machine.
  4. Execute the installer:
    Usage:  DoubleAgent.exe install\uninstall\repair process_name
    
    e.g.    DoubleAgent.exe install cmd.exe
    
    Note that the 32bit installer (DoubleAgent_x86.exe) can be used both on Windows x86 and Windows x64. But the 64bit installer (DoubleAgent_x64.exe) can be used only on Windows x64.
  5. The next time the target process loads DoubleAgentDll.dll would be injected into it.

Authors

Cybellum Technologies LTD (http://cybellum.com/)