URL: https://www.darkreading.com/application-security/sneaky-shellcode-windows-fibers-edr-proof-code-execution
 * Application Security
 * Cyber Risk
 * Threat Intelligence
 * Vulnerabilities & Threats


SNEAKY SHELLCODE: WINDOWS FIBERS OFFER EDR-PROOF CODE EXECUTION

Two new code-execution techniques, Poison Fiber and Phantom Thread, take
advantage of a little-known Windows OS workhorse to sneak shellcode and other
malware onto victim machines.

Tara Seals, Managing Editor, News, Dark Reading

April 18, 2024



Windows fibers, little-known components of Windows OS, represent a largely
undocumented code-execution pathway that exists exclusively in user mode — and
is therefore largely overlooked by endpoint detection and response (EDR)
platforms. As such, it's possible for attackers to exploit them to stealthily
land on PCs and deploy malicious payloads.

That's according to Daniel Jary, an independent security researcher, who laid
out two new proof-of-concept (PoC) attacks using fibers in a session at Black
Hat Asia on Thursday.



Fibers are an alternative to the standard "threads" that Windows uses to execute
code from the OS or an application, he explains.

"Threads are like workers, essentially, within a Windows process or an
application, and traditionally, they've always been the way that you'd execute
code and get things done," he tells Dark Reading. "But there's a more niche way
of doing it, through fibers."


FIBERS: A FORGOTTEN & OVERLOOKED WINDOWS OS PATHWAY

Fibers, when used, exist within threads — they're essentially smaller, more
lightweight versions of the bigger thread concept. Fibers were initially
developed at a time when CPUs had fewer cores available to them and could
accommodate only so many threads. At a high level, these smaller units were a
way to expand capacity, by allowing developers to split up workloads within a
single thread and make processes more efficient.



"But as computers became more powerful, with more memory to play with, fibers
became somewhat redundant in the vast majority of scenarios," Jary explains.
"That's why a lot of people really haven't heard about them and they're a bit
obscure, but they do serve a few purposes for some old legacy applications and a
way to port programs from other operating systems over to Windows. And some
Windows processes themselves actually still use fibers."



Thus, fibers enjoy the dubious honor of being both a core Windows function and
an overlooked one by security teams. To boot, Jary notes that traditional
detection mechanisms in EDR platforms and antivirus engines tend to ignore them
— making them a perfect stealth avenue to execute malicious code.

"Threads are heavily monitored by EDR agents, which look at syscalls and kernel
mode callbacks to capture telemetry and send it to a rules engine to generate
detection," Jary says. "But fibers exist purely in user mode and don't show up
in kernel collection, so their telemetry is not actually getting recorded by
EDRs."



Some open source techniques already exist to take advantage of fibers'
under-the-radar status. A PoC from 2022, for instance, details a method for
hiding malicious shellcode inside a fiber, thus evading the majority of AV
engines.

Others have created methods for callstack masking, which enables attackers to
hide a malicious execution pathway within a thread — in this case, a fiber —
behind a different, dormant fiber that's benign, also evading detection. The
technique takes advantage of the fact that if fibers are in use, there's always
an active fiber and a dormant fiber that it switches back and forth with. This
masking capability was added to Cobalt Strike's Artefact Kit in 2022.
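The active/dormant relationship the article describes, shown with an added example that is not from the article or from Jary's PoCs: it uses the documented Windows fiber API (ConvertThreadToFiber, CreateFiber, SwitchToFiber) and records the order in which the primary and worker fibers run, so the interleaving can be checked. It assumes a Windows toolchain; on other platforms the same switch sequence is exercised with POSIX ucontext as a stand-in, which is an assumption of this example, not something the article discusses.

```c
/* Added example (not from the article or the researcher's PoCs): uses the
 * documented Windows fiber API to show the property the text relies on, a
 * thread hosting one running fiber while its other fiber sits dormant, with
 * SwitchToFiber done entirely in user mode (no kernel object, no syscall).
 * Assumption: on non-Windows toolchains ucontext stands in for fibers. */
#include <string.h>
static char trace[64];   /* records which context ran, in order */
static void record(const char *s) { strncat(trace, s, sizeof trace - strlen(trace) - 1); }
#ifdef _WIN32
#include <windows.h>
static LPVOID primary_fiber, worker_fiber;
static VOID WINAPI worker_main(LPVOID arg) {
    (void)arg; record("W1;");         /* worker active, primary dormant */
    SwitchToFiber(primary_fiber);     /* park self, resume primary */
    record("W2;");                    /* resumed exactly where it parked */
    SwitchToFiber(primary_fiber);     /* a fiber routine must never return */
}
int run_fiber_demo(void) {
    trace[0] = '\0';
    primary_fiber = ConvertThreadToFiber(NULL);       /* thread becomes the primary fiber */
    worker_fiber = CreateFiber(0, worker_main, NULL); /* a stack + saved context, no new thread */
    record("P1;");
    SwitchToFiber(worker_fiber);      /* primary dormant while worker runs */
    record("P2;");
    SwitchToFiber(worker_fiber);      /* wake the dormant worker again */
    record("P3;");
    DeleteFiber(worker_fiber); ConvertFiberToThread();
    return strcmp(trace, "P1;W1;P2;W2;P3;") == 0;   /* 1 on the expected interleaving */
}
#else
#include <ucontext.h>
static ucontext_t primary_ctx, worker_ctx;
static char worker_stack[64 * 1024];
static void worker_main(void) {
    record("W1;"); swapcontext(&worker_ctx, &primary_ctx);   /* park, resume primary */
    record("W2;"); swapcontext(&worker_ctx, &primary_ctx);
}
int run_fiber_demo(void) {
    trace[0] = '\0';
    getcontext(&worker_ctx);
    worker_ctx.uc_stack.ss_sp = worker_stack; worker_ctx.uc_stack.ss_size = sizeof worker_stack;
    worker_ctx.uc_link = &primary_ctx;
    makecontext(&worker_ctx, worker_main, 0);
    record("P1;"); swapcontext(&primary_ctx, &worker_ctx);   /* primary dormant, worker runs */
    record("P2;"); swapcontext(&primary_ctx, &worker_ctx);   /* wake the dormant worker again */
    record("P3;");
    return strcmp(trace, "P1;W1;P2;W2;P3;") == 0;
}
#endif
```

Note that nothing in this sequence creates a thread, which is why thread-creation telemetry alone never sees the worker fiber begin or resume execution.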


NEW FRONTIERS IN MALICIOUS FIBER EXECUTION

Jary set off to explore whether it's possible to improve on existing malicious
fiber techniques, and came up with two new PoCs, dubbed Phantom Thread and
Poison Fiber.

Existing adversarial fiber methods have certain disadvantages for attackers:
Some indicators could still be used for EDR detection, and the maliciousness
isn't hidden from inline event-based callstack collection. Any collection of
dormant fibers, for which several techniques exist, would remove callstack
masking.



Phantom Thread is a next-gen callstack masking approach that removes the ability
of memory scans to target fibers by having those fibers masquerade as threads.
This involves creating a fiber, then patching it so that it self-identifies as a
thread. Then it becomes possible to remove any fiber callstack indicators and
essentially hide the fibers from any scanning altogether.

The second PoC, Poison Fiber, enumerates any running Windows processes, looking
at threads in use and then whether any of those threads are using fibers. Then
"it presents you with an opportunity to inject your payload or your shellcode
into a dormant fiber," Jary explains.

"You can only run one fiber per thread at any one time, which means you
always have another dormant fiber parked somewhere else on the stack," he says.
"When we execute our code using Poison Fiber, this injects our code into a
dormant fiber, so we don't have to suspend the thread in order to inject the
shellcode, which is a huge indicator for malicious activity. And because we've
injected the payload into a dormant fiber, then the application triggers the
execution for us, and we don't initiate the execution ourselves." The technique
has an added benefit of allowing remote code execution (RCE) as well.


WAKE UP TO FIBER'S ADVERSARIAL POTENTIAL

While they remain somewhat obscure, fibers should be on security teams' list of
attack vectors, warns Jary, who has not yet released his evolved PoCs or
granular details on the methods publicly. He reasons that it's only a matter of
time before others find ways of overcoming drawbacks in existing open source
fiber execution methods.

"Fiber's alternate execution method is valuable to attackers because it helps us
sidestep traditional telemetry sources that we get with threads, in particular
kernel callbacks," he says. "Fibers aren't a privilege escalation tactic, and
they aren't a user access control (UAC) bypass. But it does allow a payload
delivery that gets a lot less spotlight and attention from the security
community. Fibers are really simple to implement, but they're harder to detect.
So that makes them perfect for any script kiddie to use to attack businesses."



Jary advises implementing mature EDR products that can be continually tested
against emerging techniques like these.

"Talk to your red teamers about open source fiber methods that are being used in
the wild," he says. "Do some research to see what attackers are having joy with,
what's popular in the wild, then feed that back into your research team and your
EDR product developers. That's going to help build better defenses and probably
make your threat hunters' lives a little bit easier as well."

ABOUT THE AUTHOR(S)

Tara Seals, Managing Editor, News, Dark Reading



Tara Seals has 20+ years of experience as a journalist, analyst and editor in
the cybersecurity, communications and technology space. Prior to Dark Reading,
Tara was Editor in Chief at Threatpost, and prior to that, the North American
news lead for Infosecurity Magazine. She also spent 13 years working for Informa
(formerly Virgo Publishing), as executive editor and editor-in-chief at
publications focused on both the service provider and the enterprise arenas. A
Texas native, she holds a B.A. from Columbia University, lives in Western
Massachusetts with her family and is on a never-ending quest for good Mexican
food in the Northeast.

