New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have unveiled a new malware process injection technique dubbed “Waiting Thread Hijacking” (WTH), designed to execute malicious code within legitimate processes while bypassing many modern security defenses.

Developed by Check Point Research, WTH represents an evolution of classic Thread Execution Hijacking, achieving stealth by avoiding notoriously suspicious API calls.

Process injection techniques are frequently employed by malware authors for purposes such as defense evasion, interfering with running processes, or escalating privileges.

Attackers continually innovate to find methods that circumvent detection by Endpoint Detection and Response (EDR) systems and antivirus software.

WTH aims to achieve this by using common system functions in an unexpected sequence.

Bypassing Traditional Detection Triggers

Classic Thread Execution Hijacking typically involves finding a thread in a target process, suspending it using SuspendThread, modifying its execution context (specifically the instruction pointer) via SetThreadContext to point to malicious code, and then resuming the thread with ResumeThread.

These API calls, along with the required THREAD_SUSPEND_RESUME and THREAD_SET_CONTEXT access rights, are highly suspicious and heavily monitored by security products, often leading to immediate detection.

Waiting Thread Hijacking circumvents these triggers. It operates by:

1. Using standard functions like VirtualAllocEx to allocate memory and WriteProcessMemory to write the malicious payload (shellcode) into the target process12. These require PROCESS_VM_OPERATION, PROCESS_VM_READ, and PROCESS_VM_WRITE permissions.
2. Identifying a suitable waiting thread within the target process. Threads managed by the Windows Thread Pool system, particularly those in a wait state with the reason WrQueue, are ideal candidates. These threads are dormant, waiting for an event, and will resume automatically without needing ResumeThread.
3. Obtaining the thread’s context using GetThreadContext, which only requires the less suspicious THREAD_GET_CONTEXT permission.
4. Reading the thread’s stack pointer (RSP register) to locate the return address on the stack. In the identified waiting scenarios (within syscall wrappers like NtRemoveIoCompletion or NtWaitForWorkViaWorkerFactory), the return address is predictably located at the top of the stack.
5. Overwriting this return address on the stack with the address of the injected shellcode using WriteProcessMemory.
6. When the thread’s wait condition is met, it naturally wakes up and attempts to “return” to its caller. Instead, it follows the overwritten address and executes the attacker’s code.

Maintaining Stability and Enhancing Stealth

A key aspect of WTH is ensuring the target application remains stable. The injected shellcode includes a stub that saves the thread’s original state (registers and flags), executes the main malicious payload, restores the saved state, and then jumps to the original return address (which was saved by the injector before being overwritten).

This allows the hijacked thread to resume its normal operation after executing the implant, minimizing disruption.

To further evade behavioral detection systems that look for sequences of suspicious API calls from a single process, the researchers demonstrated an obfuscation method.

This involves splitting the WTH steps – memory allocation, writing the payload, changing memory permissions to executable, and overwriting the return address – across multiple, separate child processes.

While WTH avoids many common detection triggers, it is not undetectable. EDR solutions that proactively block any unauthorized attempt to write into the memory of another process can effectively prevent this technique.

Detection relies less on flagging specific high-alert APIs and more on behavioral analysis, monitoring sequences of actions (even involving common APIs), or identifying the external memory write itself.

The technique’s simplicity and use of common APIs make it difficult to detect through static analysis of the malware file alone.

Check Point Research noted that WTH proved effective against some EDRs that caught their previously disclosed “Thread Name-Calling” technique, while other EDRs blocked WTH but not the older method.

This underscores the diversity in EDR capabilities and the advantage attackers gain by having multiple injection techniques available.

Waiting Thread Hijacking adds another stealthy option to the malware arsenal in the ongoing cat-and-mouse game between attackers and defenders.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!