New Windows Process Injection Can Be Useful for Stealthy Malware

Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft.

Malware can use process injection to run code designed for a specific operation inside a legitimate process, borrowing that process's context to achieve its goal. Injection gives malware both stealth and a way to bypass security mechanisms.

Itzik Kotler, co-founder and CTO of SafeBreach, and Amit Klein, the firm’s VP of security research, have summarized and tested two dozen known process injection techniques. Their research shows whether each technique is stable, what its prerequisites and limitations are, and which main Windows APIs each technique relies on. While some of the injection methods are theoretical, others have been used by malware in the wild.

The experts decided to take on this task after being unable to find a resource that lists all known process injection techniques. They tested all of the techniques on a Windows 10 x64 machine against 64-bit processes.

It’s worth noting that Windows 10 includes several features designed to protect against process injection, including Control Flow Guard (CFG), Dynamic Code Security, the Binary Signature policy, and the Extension Point Disable policy.
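As an added illustration of the defender side of these features (this is not code from the article, from SafeBreach or from PINJECTRA), the following PowerShell applies the per-process mitigation policies the article names to a single executable using the built-in ProcessMitigations module, first in audit mode and then enforced, and reads the result back. It assumes Windows 10 1709 or later, an elevated prompt, and a placeholder process name (`hypothetical-agent.exe`) that you would replace with your own.

```powershell
# Added example, not from the article or SafeBreach: apply and verify the
# Windows 10 process-mitigation policies the article lists, using the built-in
# ProcessMitigations module. Run from an elevated PowerShell prompt.
# 'hypothetical-agent.exe' is a placeholder; substitute a real process name.
$ProcessName = 'hypothetical-agent.exe'   # placeholder, not a real product

# Step 1: audit first. The Audit* variants record would-be violations in the
# Security-Mitigations event logs without blocking anything, so you can see
# whether a JIT engine, IME or AppInit DLL in your environment would break.
Set-ProcessMitigation -Name $ProcessName -Enable AuditDynamicCode, AuditMicrosoftSigned

# Step 2: once the audit log stays quiet, enforce. Each switch corresponds to a
# feature named in the article:
#   CFG                    -> Control Flow Guard (only meaningful for CFG-compiled images)
#   BlockDynamicCode       -> Dynamic Code Security (no new executable memory)
#   MicrosoftSignedOnly    -> Binary Signature policy (only Microsoft-signed DLLs load)
#   DisableExtensionPoints -> Extension Point Disable policy (no AppInit DLLs, IMEs, etc.)
Set-ProcessMitigation -Name $ProcessName `
    -Enable CFG, BlockDynamicCode, MicrosoftSignedOnly, DisableExtensionPoints

# Step 3: read back the effective per-process settings to confirm they applied.
Get-ProcessMitigation -Name $ProcessName

# Step 4: review audit and enforcement events recorded for the process.
foreach ($log in 'Microsoft-Windows-Security-Mitigations/UserMode',
                 'Microsoft-Windows-Security-Mitigations/KernelMode') {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ProcessName*" } |
        Format-List TimeCreated, Id, Message
}

# To back out the per-process settings later:
#   Set-ProcessMitigation -Name $ProcessName -Remove
```

The per-process settings are written under the executable's Image File Execution Options key and take effect the next time the process starts. The audit-then-enforce order matters: BlockDynamicCode and DisableExtensionPoints are exactly the policies most likely to break legitimate software that JIT-compiles or relies on shell extensions, so the audit events tell you what will break before enforcement does.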

In an interview ahead of their presentation at the Black Hat cybersecurity conference in Las Vegas, Kotler and Klein told SecurityWeek that only two of the tested techniques failed completely because of Windows 10’s protections, while four of them, including the one they identified, worked regardless of the protection level. The remaining injection methods may or may not work depending on the level of protection.

According to the researchers, the injection techniques that are capable of bypassing Windows’ protection mechanisms are typically aggressive and easier to detect. The new method they found, dubbed StackBomber, is said to be much stealthier, which makes it more valuable to attackers, and it does not require elevated privileges to work.

StackBomber has been described as a new execution technique that works well in combination with a new memory writing technique that was also discovered by Kotler and Klein.

Microsoft does not view process injection methods as vulnerabilities and, as such, they are not covered by its bug bounty programs. The SafeBreach researchers told SecurityWeek that they reported their findings to the tech giant, but, as expected, it will not take any immediate action to address StackBomber.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

SafeBreach has made available all of the proof-of-concepts (PoCs) it has used during its research, and released an open source framework named PINJECTRA that allows users to create their own process injections.

The company is aware that its findings could be abused by malicious actors, but says its goal is to help the community, particularly companies specializing in client protection, which can incorporate defenses into their products.

UPDATE. Microsoft has provided SecurityWeek the following statement: Microsoft has a strong commitment to security and will take appropriate action as needed to help keep customers protected.

Related: Hackers Can Abuse Text Editors for Privilege Escalation

Related: Online Sandbox Services Used to Exfiltrate Data

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
