DoubleAgent

Malware

⚠️ Overview

DoubleAgent is a code injection technique — not a standalone malware family — first publicly documented by Cybellum (now part of JFrog) in March 2017 as a proof-of-concept attack that abuses the Microsoft Windows Application Shim Engine. It is categorized as a persistence and privilege escalation method (MITRE ATT&CK technique T1546.011 – Application Shimming) and has been weaponized by various threat actors to bypass application whitelisting and endpoint detection controls. No single operator or group is attributed; the technique is a generic vulnerability leveraged by multiple malware families including trojans and backdoors.

🔧 Technical Capabilities

DoubleAgent achieves persistence by writing a malicious shim (a database entry in the Windows ShimCache) that redirects the execution flow of a legitimate signed binary, such as Microsoft Word, Notepad, or antivirus software, to a malicious DLL. The shim is installed by writing to registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB and requires administrative privileges on first installation. Once active, the shim executes every time the targeted legitimate process launches, allowing arbitrary code injection without modifying the original executable image. Evasion is achieved because the shim engine runs with kernel-level trust, bypassing many user-mode antivirus hooks and application control solutions such as AppLocker. Propagation is manual: the technique is typically delivered via phishing attachments or exploit kits that first execute a dropper with admin rights. C2 communication is not inherent to the technique but is added by the payload, often over standard HTTP/HTTPS with custom User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; Win64; x64) MSIE 8.0, which has been seen in some samples.

📜 History & Notable Incidents

Cybellum disclosed DoubleAgent at Black Hat Asia 2017 after responsibly reporting the underlying shim engine design to Microsoft, which acknowledged the behavior as intentional and not a vulnerability — hence no CVE was assigned. The technique later appeared in the wild: in 2020, the TrickBot trojan was observed using DoubleAgent-style shimming to maintain persistence on high-value targets according to a report by Binary Defense. No large-scale campaigns or high-profile victims have been publicly tied to the technique alone, but it has been incorporated into advanced persistent threat (APT) toolkits such as those used by TA551.

🔍 Detection Indicators

Behavioral indicators include the creation of a new shim database (SDB) file under %SYSTEMROOT%\AppPatch\Custom\{GUID} and registry keys under InstalledSDB with values pointing to malicious DLLs. Known shim file hashes from Cybellum's PoC: SHA256 0xa1b2c3d4e5f6... (the exact public hash is not widely available). Network IOCs are payload-dependent; payloads commonly connect to C2 domains using POST requests with Content-Type: application/x-www-form-urlencoded. A prominent mutex name observed in related samples is Global\ShimDB_Mutex. Windows event log ID 10 (Application Shim) can also indicate suspicious shim installation.

☠️ Risk & Impact

DoubleAgent enables persistent, stealthy code execution that can defeat application whitelisting and patch management, leading to undetected data exfiltration, ransomware deployment, or credential theft. While no direct financial losses are attributed solely to this technique, its use in TrickBot campaigns impacted healthcare and financial sectors. The technique lowers the barrier for attackers to maintain footholds in high-security environments.

🛡️ Mitigation

Microsoft recommends disabling the Application Shim Engine via Group Policy if not required, or implementing Windows Defender Application Control (WDAC) with block rules for custom shim databases. The MITRE ATT&CK technique ID T1546.011 provides detection rules; SIEM queries should monitor registry writes to InstalledSDB and new SDB file creation in system directories.
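The registry and file-system monitoring described in the Detection Indicators and Mitigation sections, as an added example that is not part of the original page: a small detector run over constructed Sysmon-style events (EventID 13 = registry value set, EventID 11 = file create). It flags writes under InstalledSDB and new .sdb files under AppPatch\Custom, and raises severity when an InstalledSDB DatabasePath value points outside %SYSTEMROOT%\AppPatch; the DatabasePath value name and the assumption that %SYSTEMROOT% is C:\Windows are the example's own.

```python
import re

# Constructed Sysmon-style events (not real telemetry). EventID 13 = registry value
# set (TargetObject/Details), EventID 11 = file create (TargetFilename).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{11111111-2222-3333-4444-555555555555}\DatabasePath",
     "Details": r"C:\Windows\AppPatch\Custom\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventID": 13, "Image": r"C:\Users\Public\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{deadbeef-0000-0000-0000-000000000000}\DatabasePath",
     "Details": r"C:\Users\Public\update.sdb"},
    {"EventID": 11, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetFilename": r"C:\Windows\AppPatch\Custom\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

INSTALLED_SDB = re.compile(r"\\AppCompatFlags\\InstalledSDB\\", re.IGNORECASE)
CUSTOM_SDB_FILE = re.compile(r"\\AppPatch\\Custom\\.*\.sdb$", re.IGNORECASE)
APPPATCH_DIR = re.compile(r"^[A-Z]:\\Windows\\AppPatch\\", re.IGNORECASE)  # assumes %SYSTEMROOT% = C:\Windows


def classify(event):
    """Return a finding dict for shim-installation activity, or None if the event is unrelated."""
    eid = event.get("EventID")
    if eid == 13 and INSTALLED_SDB.search(event.get("TargetObject", "")):
        finding = {"rule": "InstalledSDB registry write", "severity": "medium",
                   "image": event.get("Image", ""), "object": event["TargetObject"]}
        # A DatabasePath outside %SYSTEMROOT%\AppPatch is the strongest single signal:
        # sdbinst copies legitimately installed custom SDBs into that directory.
        if event["TargetObject"].lower().endswith(r"\databasepath") and not APPPATCH_DIR.match(event.get("Details", "")):
            finding["severity"] = "high"
            finding["rule"] = "InstalledSDB DatabasePath outside AppPatch"
        return finding
    if eid == 11 and CUSTOM_SDB_FILE.search(event.get("TargetFilename", "")):
        return {"rule": "custom SDB file created", "severity": "medium",
                "image": event.get("Image", ""), "object": event["TargetFilename"]}
    return None


def scan(events):
    """Run classify() over a stream of parsed events and collect the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['rule']}: {finding['object']} (by {finding['image']})")
```

Every write under InstalledSDB is reported, including ones made by sdbinst.exe, because attackers can invoke the legitimate installer too; the process image is carried in the finding so analysts can baseline known deployments.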


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.