GhostTree Attack Used Windows Junctions to Stealthily Hide Malware

▼ Summary
– GhostTree employs recursive NTFS junctions to create an enormous number of legitimate Windows file paths.
– This technique can cause Microsoft Defender folder scans to run indefinitely, preventing them from completing.
– As a result of the incomplete scans, malware may remain undetected on the system.
Security researchers at Varonis have uncovered a novel malware delivery method dubbed GhostTree, which exploits recursive NTFS junctions to evade detection. By generating an overwhelming number of legitimate Windows file paths, the technique can effectively stall Microsoft Defender’s folder scans, causing them to never finish and leaving malicious payloads hidden in plain sight.
The attack hinges on a fundamental feature of the NTFS file system: junctions, which allow one directory to point to another. Attackers create a chain of junctions that loop back on themselves, forming a recursive structure. Each time Windows attempts to traverse this loop, it generates a new, valid file path. The result is an exponentially expanding number of directories that Defender must scan, consuming system resources and time until the scan times out or is abandoned.
Varonis demonstrated that this method can produce hundreds of thousands of file paths from a single recursive junction, effectively creating a denial-of-service condition for the antivirus engine. While Defender is stuck processing the endless paths, malware placed elsewhere on the system remains undetected. The technique is particularly insidious because it does not rely on traditional obfuscation or encryption; it simply overwhelms the scanner’s capacity to complete its job.
The researchers note that GhostTree attacks are not new in concept, but their practical application for stealthy malware delivery has only recently been highlighted. They advise organizations to monitor for unusual junction creation, especially in user-writable directories, and to implement file system audit policies that flag recursive or deeply nested junctions. Additionally, security teams should consider limiting junction permissions to administrative accounts and regularly scanning for anomalous file system structures.
This discovery underscores a growing trend: attackers leveraging legitimate Windows features to bypass security tools. As Microsoft and other vendors work to patch such loopholes, the onus remains on defenders to stay vigilant against file system abuse and to adopt proactive monitoring strategies.
(Source: BleepingComputer)




