Rotem Kerner, a security researcher with enSilo, has discovered a new process injection technique that can be abused by malicious actors to hide malware inside Windows-based CLI applications.
The technique, named Ctrl-Inject, abuses the Windows "CtrlRoutine" function, used by command-line applications to assure keyboard-based interfacing between the user and the app.
In a technical write-up published yesterday, Kerner described a way that a malicious actor could abuse this function to spawn malicious threads inside a legitimate CLI app's process and run malicious code.
"The main advantage of this technique over classic thread injection technique is that the remote thread is created by a trusted windows process, csrss.exe, which makes it much stealthier," Kerner said.
"Essentially, in this process injection technique, we inject our code to the target process, but we never invoke it directly," the expert added. "Instead, we are making csrss.exe invoke it for us which is far less suspicious since this a normal behavior."
"The disadvantage is that [Ctrl-Inject is] limited to console applications," Kerner said.
Link to Full article
Windows CLI Apps Vulnerable to New Ctrl-Inject Process Injection Attack
Userlevel 5
+11
Be the first to reply!
Reply
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.